1799 Views | 5 Helpful | 2 Replies
ww9rivers
Beginner

TA-eStreamer & FMC 6.4.0.4

We currently have the "Cisco eStreamer eNcore Add-on for Splunk" (TA-eStreamer) version 3.5.4 installed.

The README.txt file says "At the time of release, eNcore works with Cisco Firepower Management Center
versions 6.2.3 (and earlier v6 versions)".

I looked at the latest version of the TA (3.6.8) on Splunkbase; the README.txt file has not changed.

So the question is: Does the TA support FMC 6.4.0.4?

Thank you!

1 ACCEPTED SOLUTION

Accepted Solutions
nspasov
Cisco Employee

Yes, I had it running in my lab with FTD/FMC v6.4. I have since upgraded my lab to 6.5 and it is also working as expected.

Thank you for rating helpful posts!

2 REPLIES

Do events come in near realtime for you? I'm running into an issue where events are very delayed getting to Splunk.

I've set up a correlation rule on the FMC to email me when there is an IPS event. In Splunk I run a report every 30 minutes to search for IPS events from the past 4 hours from the eStreamer host and email me the results. Based on the time I get the email from the FMC and when the events finally show up in the report, it takes anywhere from 1.5 to 2 hours before triggered IPS events show up in Splunk.

I've been working with TAC on this for a couple of months and haven't found the issue. I've uninstalled Splunk and the TA-eStreamer App at least twice with similar results.

My versions of Splunk, FMC, and the eNcore app are as follows:

- Splunk - 7.2.7 (tried it on 7.3.0 as well)
- FMC - 6.4.0.4
- Cisco eStreamer eNcore for Splunk - 3.6.8
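The delay described in the post above can be measured directly inside Splunk instead of by comparing FMC emails against report times, because every indexed event carries both its event timestamp (`_time`) and the moment the indexer received it (`_indextime`). The search below is an added example, not from the thread or from Cisco's TA; it assumes the eNcore add-on's default sourcetype `cisco:estreamer:data` and the eNcore field `rec_type` (400 is the intrusion-event record type), and `<your_index>` is a placeholder for the index the eStreamer host writes to.

```spl
index=<your_index> sourcetype="cisco:estreamer:data" earliest=-24h _index_earliest=-4h
| eval lag_sec = _indextime - _time
| stats count
        min(lag_sec)    AS min_lag_s
        median(lag_sec) AS median_lag_s
        max(lag_sec)    AS max_lag_s
  BY rec_type
| eval median_lag_min = round(median_lag_s / 60, 1),
       max_lag_min    = round(max_lag_s / 60, 1)
| sort - median_lag_min
```

Two points about the design: `_index_earliest=-4h` selects events by arrival time rather than event time, so a 4-hour report cannot silently miss events that were generated earlier but arrived late, which is exactly the failure mode the poster is chasing (the wider `earliest=-24h` only keeps the time picker from excluding them). A median lag in the 90-120 minute range for `rec_type=400` confirms that the sensor timestamps are correct and the delay sits between the FMC and the indexer (the eNcore client, its data directory, or the forwarder), whereas a lag near zero with events still appearing late would point at a wrong `_time` (clock or timezone parsing) instead.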
