Secure eStreamer Client (f.k.a. eNcore) for Splunk is a plugin based eStreamer client built from scratch in Python designed to deliver fully qualified event data to Splunk from Secure Firewall (f.k.a. Firepower) 6.x platforms. If you have experienced problems getting the Cisco eStreamer for Splunk app version 2.2.1 and 2.2.2 working with Secure Firewall 6.x you should move to this new application so that you can leverage the many improvements listed below.
Secyre eStreamer Client for Splunk is a Technical Add-on (TA) designed purely to collect data and be installed on a forwarder.
New in this solution:
Resolved Issues in V 3.5.0
*Fixed encoding bug "UnicodeEncodeError: 'ascii' codec can't encode character u'\xa0' in position 20: ordinal not in range(128)"
*Updated multiple rec types with src_host_ip field, this requires FMC host discovery policy to be set
*Fixed bug with ipv6 conversion for XFF events
*Added source host ip to additional record types: 19, 22, 25, 28, 35, 103
For full documentation please see
https://www.cisco.com/c/en/us/td/docs/security/firepower/670/api/eStreamer_enCore/eStreamereNcoreSplunkOperationsGuide_409.html
Added "src_host" field to multiple record types, this field provides traceability do the original host ip.
*4.0.9 Update
Removed ORIGINAL SOURCE IP error, this potentially would cause applications errors due to the reference of a non-existent data type. Please reference the full setup guide for Splunk 8.0/Cloud changes
https://www.cisco.com/c/en/us/td/docs/security/firepower/670/api/eStreamer_enCore/eStreamereNcoreSplunkOperationsGuide_409.html
Splunk 8.0 release, please see full guide for install/setup details
https://www.cisco.com/c/en/us/td/docs/security/firepower/670/api/eStreamer_enCore/eStreamereNcoreSplunkOperationsGuide_409.html
*4.0.8 includes
*reordered event format to include time in the beginning of the record, reset default MAX_LOOKAHEAD accordingly for increased performance
*Encore version 3.x support only legacy Splunk 7.x with python2
*Modified event structure to include event_sec in the beginning of the record for increased performance
*Added additional ipv6 formatting for XFF events
*Corrected performance issues associated with outputting various pcap data types, this feature will be revised and re-released in a future version
*Modified definition of event_sec for connection events, in the FMC all connection events start at first packet time which is now the value used for indexing. The first_pkt_sec field is still preserved to support backward compatibility.
*Fixed bug with the initiatorIpAddress field in correlation events
## Project Summary
This is the rewrite for the SourceFire eStreamer client.
The Cisco Event Streamer (also known as eStreamer) allows you to stream System intrusion,
discovery, and connection data from Firepower Management Center or managed device (also
referred to as the eStreamer server) to external client applications.
eStreamer responds to client requests with terse, compact, binary encoded messages – this
keeps it fast
eNcore is a new all-purpose client which requests all possible events from eStreamer, parses
the binary content and outputs events in various formats to support other SIEMs
*Updates for 3.5.8
*Bug fix - microseconds on pcap data now use the proper field name 'upacket_sec', and seconds use 'packet_sec'
Version 3.5.7 Updates
*Added back aliasing for action/blocked fields
Version 3.5.6 Updates
*Removed default disabling of the cisco:estreamer:data source type
*Removed duplicate aliasing for action/blocked fields
- Fixed encore settings which did now allow for control the writing of metadata
- Added additional notes to readme to address performance improvements and the use of worker processes/batchSizes
eNcore v3.5.3 resolves issues with previous v3.5.x versions where eNcore would crash under certain conditions.
All eNcore v3.5.x versions provide significant performance enhancements over pre-v3.5 versions.
eNcore version 3.5.0 features performance improvements – the ability to process a significantly higher event rate. This improvement requires no additional configuration on the part of the user.
However, if the eNcore platform has four or more cores, then additional performance improvement can be gained by adjusting a parameter in the configuration file, estreamer.conf. This parameter is called “workerProcesses” and is highlighted below:
{
"connectTimeout": 10,
"enabled": true,
"workerProcesses": 4,
"handler": {
--- rest of config file omitted ---
The highlighted line shows the “workerProcesses” to be set at 4. It can be set anywhere from 4-12, but with four or more cores, testing showed the best performance when set to 12.
See Details section for more Release Notes on Version 3.5.0
Splunk AppInspect evaluates Splunk apps against a set of Splunk-defined criteria to assess the validity and security of an app package and components.
As a Splunkbase app developer, you will have access to all Splunk development resources and receive a 10GB license to build an app that will help solve use cases for customers all over the world. Splunkbase has 1000+ apps and add-ons from Splunk, our partners and our community. Find an app or add-on for most any data source and user need, or simply create your own with help from our developer portal.