Showing results for 
Search instead for 
Did you mean: 

Help Integrating Firepower in Splunk Enterprise Security with eStreamer

Skjalg Eggen
Level 1
Level 1


I'm trying to PoC Splunk Enterprise Security as SIEM and integrate Firepower logs from Firepower Management server.

This proves not a trivial task.

I have the eStreamer installed on our heavy forwarder and Splunk add-on for Cisco FireSIGHT on the search head

eStreamer setup is easily set up on our heavy forwarder. The problem lies with mapping fields and values over to the CIM model to use in Enterprise security.

the Splunk eStreamer app is obsolete in its config, supporting up to 5.4. we are on 6.0.1 now and moving to 6.2 soon.

there are more fields in the logs from 6.0+ which is not supported in current eStreamer app. File_actions for example.

I would appreciate a nudge in the right direction as how to work out the kinks.

Is there someone here using Enterprise security and has resolved these issues?

Right now I have alot of unknown malware events, since all file eventes come up as unknown. The same in connection events where unknown is the order of the day.

This basically makes Splunk Enterprise Security unusable as a SIEM if you are running firepower.

I think it could be an easy fix, but I do not have the hours availible in the PoC to investigate and develop a new eStreamer configuration.

3 Replies 3

Level 1
Level 1

I even have a Splunk ES Pro Svcs consultant engaged and he's throwing fits about the "unknown" values in eStreamer events.

got most of the kinks worked our, but still some unknown events here and there.


I'm going to implement the new Ncore eStreamer TA that is compatible with 6.0+ FMC and see if we cant get this thing working 100%

Level 1
Level 1



Splunk has recently released an update to the app and add-on which may solve your issues:


Cisco eStreamer eNcore Add-on for Splunk:


Cisco Firepower eNcore App for Splunk:

Review Cisco Networking for a $25 gift card