Solved: TA-eStreamer & FMC 6.4.0.4

ww9rivers · ‎11-07-2019

We currently have the "Cisco eStreamer eNcore Add-on for Splunk" (TA-eStreamer) version 3.5.4 installed.

The README.txt file says "At the time of release, eNcore works with Cisco Firepower Management Center
versions 6.2.3 (and earlier v6 versions)".

I looked in the latest version of the TA (3.6.8) on Splunkbase, the README.txt file has not changed.

So the question is: Does the TA support FMC 6.4.0.4?

Thank you!

nspasov · ‎11-13-2019

Yes, I had it running in my lab with FTD/FMC v6.4. I have since upgraded my lab to 6.5 and it is also working as expected.

Thank you for rating helpful posts!

View solution in original post

nspasov · ‎11-13-2019

Yes, I had it running in my lab with FTD/FMC v6.4. I have since upgraded my lab to 6.5 and it is also working as expected.

Thank you for rating helpful posts!

JonPBerbee · ‎12-10-2019

Do events come in near realtime for you? I'm running into an issue where events are very delayed getting to Splunk.

I've setup a correlation rule on the FMC to email me when there is an IPS event. In Splunk I run a report every 30 minutes to search for IPS events past 4 hours from the estreamer host and email me the results. Based on the time I get the email from the FMC and when the events finally show up in the report it takes anywhere from 1.5 to 2 hours before triggered IPS events show up in Splunk.

I've been working with TAC on this for a couple months and haven't found the issue. I've uninstalled Splunk and the TA-eStreamer App at least twice with the similar results.

My version of Splunk, FMC, and eNcore app are as follows:

Splunk - 7.2.7 (tried it on 7.3.0 as well)

FMC - 6.4.0.4

Cisco eStreamer eNcore for Splunk - 3.6.8