Cisco Secure eStreamer Client (f.k.a Firepower eNcore) Add-On for Splunk

Splunk AppInspect Passed
Admins: Please read about Splunk Enterprise 8.0 and the Python 2.7 end-of-life changes and impact on apps and upgrades here.
Cisco Secure eStreamer Client (f.k.a. eNcore) Technical Add-on for Splunk is an eStreamer client with a Splunk plugin that provides comprehensive event forwarding from all 6.x versions of Threat Defense Manager (f.k.a. Firepower Management Center) to Splunk Enterprise and Splunk Enterprise Security.

The following event types are supported with complete schema coverage through the eStreamer API specification for Threat Defense Manager version 6.2+.

• Discovery Events
• Correlation and White List Events
• Impact Flag Alerts
• Intrusion Events
• Intrusion Event Packet Data
• User Activity
• Intrusion Event Extra Data
• Malware Events
• File Events
• Connection Events

This app was developed for and tested on Linux platforms only. Windows support is not currently available. Please check with Cisco for any change in status.

Secure eStreamer Client (f.k.a. eNcore) for Splunk is a plugin-based eStreamer client, built from scratch in Python, designed to deliver fully qualified event data to Splunk from Secure Firewall (f.k.a. Firepower) 6.x platforms. If you have experienced problems getting the Cisco eStreamer for Splunk app versions 2.2.1 and 2.2.2 working with Secure Firewall 6.x, you should move to this new application so that you can leverage the many improvements listed below.

Secure eStreamer Client for Splunk is a Technical Add-on (TA) designed purely to collect data and be installed on a forwarder.

New in this solution:

  • Complete API Coverage: Allows Splunk to collect all Secure Firewall event data via the eStreamer API from Threat Defense Manager version 6.x. Note: Will not work with Secure Firewall version 5.x
  • Plugin Architecture: Combines the Python ‘Client’ with a Splunk plugin to write data into Splunk in the Splunk format
  • Dashboard Support: Backwards compatible with older solution’s dashboards. A new version of the dashboard is available here: https://splunkbase.splunk.com/app/3663/
  • Full Event Qualification: Client writes clear text for all of the eStreamer API’s referential model
  • Comprehensively Documented: Detailed Operations Guide is available here: https://www.cisco.com/c/en/us/td/docs/security/firepower/630/api/eStreamer_enCore/eStreamereNcoreSplunkOperationsGuide_354.html
  • Multi-Process Design: Will scale with additional compute resources to support event rates
  • Cisco TAC Support Option Available: Optional TAC support service available with identical paid version purchased from Cisco. Order details: FP-SPLUNK-SW-K9. Free to use otherwise.

Resolved Issues in V 3.5.0

  1. An issue where Security Intelligence Category was not populating properly in Connection events. It is now populating correctly.
  2. An issue where the egress interface was populating with the id instead of the interface name in Intrusion events. It is now populating with the name.
  3. An issue where the fw_policy field name was appearing in Splunk file event output even though the firewall policy name is not part of the file event. The field name has been removed.
  4. An issue where the log reported a process poll timeout error even though the process is healthy and operating normally. The issue has been corrected.
  5. An issue where the name of the source user field was not populating correctly in connection events, intrusion events, file events, and malware events. The field is now populating correctly.
  6. An issue where the sid field in intrusion events was populating with an "internal sid" instead of the "rendered sid". If a user imports a custom rule file with rules that specify the sid, that sid is the "rendered sid" that appears in the FMC interface. The sid field in intrusion events is now populated by the rendered sid.
  7. An issue where the DNS Query field in connection event was not populating correctly. It is now populating correctly.
  8. An issue where in malware events, the virus name/detection name field was not populating correctly. It is now populating correctly.
  9. An issue where eNcore reported the following error: "UnicodeEncodeError: 'ascii' codec can't encode characters … ". The issue has been resolved.
  10. An issue where the packet payload output included layer 2-4 headers for TCP and UDP packets. The issue has been corrected and only the payload (without the layer 2-4 headers) appears in the payload field.
  11. An issue where in correlation events, the cs1 field (for access control policy name) was populating with the uuid instead of the name. The issue has been corrected.

Release Notes

Version 4.2.5
May 6, 2021

Fixed attempt to populate global variables in ./splencore.sh script
Enhanced descriptions on how to process pkcs files
Additional transforms for syslog normalization

Version 4.2.2
April 28, 2021

*Fixed non-compliant props.conf file (duplicate normalizations)

Version 3.8.4
April 28, 2021

*Support for VPN Login/Logoff events
*Fixed bug associated with empty user records

Version 4.2.1
April 28, 2021

*Supports VPN Login/Logoff events, record types 170/171
*Bug fixes to include parsing for rec type 93, 94, 95 user events
*Enhanced startup script, splencore.sh, to provide easier pkcs12 key deployment

Version 3.8.0
April 6, 2021

*Added support for VPN connection events, record types 170/171, user login/logoff attempts
*Added additional fields to support XFF HTTP URI events

Version 3.7.5
Feb. 24, 2021

*Fixed encoding bug "UnicodeEncodeError: 'ascii' codec can't encode character u'\xa0' in position 20: ordinal not in range(128)"
*Updated multiple rec types with src_host_ip field, this requires FMC host discovery policy to be set

Version 4.0.11
Feb. 13, 2021

*Fixed bug with ipv6 conversion for XFF events
*Added source host ip to additional record types: 19, 22, 25, 28, 35, 103

For full documentation please see

Version 3.7.4
Feb. 1, 2021

Added "src_host" field to multiple record types; this field provides traceability to the original host IP.

Version 4.0.9
Oct. 16, 2020

*4.0.9 Update

Removed ORIGINAL SOURCE IP error, which could potentially cause application errors due to a reference to a non-existent data type. Please reference the full setup guide for Splunk 8.0/Cloud changes.


Version 4.0.8
Oct. 8, 2020

Splunk 8.0 release, please see full guide for install/setup details


*4.0.8 includes
*reordered event format to include time in the beginning of the record, reset default MAX_LOOKAHEAD accordingly for increased performance

Version 3.7.1
Oct. 8, 2020

*eNcore version 3.x supports only legacy Splunk 7.x with python2
*Modified event structure to include event_sec in the beginning of the record for increased performance
*Added additional ipv6 formatting for XFF events

Version 3.6.8
Nov. 6, 2019

*Corrected performance issues associated with outputting various pcap data types, this feature will be revised and re-released in a future version
*Modified definition of event_sec for connection events, in the FMC all connection events start at first packet time which is now the value used for indexing. The first_pkt_sec field is still preserved to support backward compatibility.

*Fixed bug with the initiatorIpAddress field in correlation events

Version 3.5.8
June 27, 2019

## Project Summary

This is the rewrite for the SourceFire eStreamer client.

The Cisco Event Streamer (also known as eStreamer) allows you to stream System intrusion,
discovery, and connection data from Firepower Management Center or managed device (also
referred to as the eStreamer server) to external client applications.

eStreamer responds to client requests with terse, compact, binary encoded messages – this
keeps it fast.

eNcore is a new all-purpose client which requests all possible events from eStreamer, parses
the binary content and outputs events in various formats to support other SIEMs.

*Updates for 3.5.8

*Bug fix - microseconds on pcap data now use the proper field name 'upacket_sec', and seconds use 'packet_sec'

Version 3.5.7
May 22, 2019

Version 3.5.7 Updates

*Added back aliasing for action/blocked fields

Version 3.5.6
April 18, 2019

Version 3.5.6 Updates
*Removed default disabling of the cisco:estreamer:data source type
*Removed duplicate aliasing for action/blocked fields

Version 3.5.4
Nov. 19, 2018

- Fixed eNcore settings which did not allow control over the writing of metadata
- Added additional notes to readme to address performance improvements and the use of worker processes/batchSizes

Version 3.5.3
Sept. 6, 2018

eNcore v3.5.3 resolves issues with previous v3.5.x versions where eNcore would crash under certain conditions.
All eNcore v3.5.x versions provide significant performance enhancements over pre-v3.5 versions.

Version 3.5.1
Aug. 14, 2018

Version 3.5.0
July 6, 2018

eNcore version 3.5.0 features performance improvements – the ability to process a significantly higher event rate. This improvement requires no additional configuration on the part of the user.

However, if the eNcore platform has four or more cores, then additional performance improvement can be gained by adjusting a parameter in the configuration file, estreamer.conf. This parameter is called “workerProcesses” and is highlighted below:

"connectTimeout": 10,
"enabled": true,
"workerProcesses": 4,
"handler": {
--- rest of config file omitted ---

The highlighted line shows the “workerProcesses” to be set at 4. It can be set anywhere from 4-12, but with four or more cores, testing showed the best performance when set to 12.
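A pre-deployment check for this setting, as an added example (not code from Cisco or the add-on): it reads an estreamer.conf, locates "workerProcesses" and compares it with the core count and the 4-12 range described above. It assumes the file is JSON, as the fragment suggests; the sample config, the function names and the status labels are constructed for illustration.

```python
import json
import os

# Range given in the release notes: "It can be set anywhere from 4-12".
MIN_WORKERS, MAX_WORKERS = 4, 12

# Constructed sample; the outer braces and empty handler are assumptions.
SAMPLE_CONF = """{
  "connectTimeout": 10,
  "enabled": true,
  "workerProcesses": 4,
  "handler": {}
}"""


def find_values(node, key):
    """Yield every value stored under `key` at any depth (nesting is not assumed)."""
    if isinstance(node, dict):
        for k, v in node.items():
            if k == key:
                yield v
            else:
                yield from find_values(v, key)
    elif isinstance(node, list):
        for item in node:
            yield from find_values(item, key)


def review_worker_processes(conf_text, cores=None):
    """Return (status, current_value, message) for a JSON estreamer.conf."""
    cores = cores if cores is not None else (os.cpu_count() or 1)
    try:
        conf = json.loads(conf_text)
    except json.JSONDecodeError as exc:
        return "error", None, f"not valid JSON: {exc}"
    values = list(find_values(conf, "workerProcesses"))
    if not values:
        return "missing", None, "no workerProcesses key found"
    value = values[0]
    if isinstance(value, bool) or not isinstance(value, int):
        return "error", value, "workerProcesses must be an integer"
    if cores < 4:
        return "not_applicable", value, f"{cores} cores: tuning advice is for four or more"
    if not MIN_WORKERS <= value <= MAX_WORKERS:
        return "out_of_range", value, f"outside the {MIN_WORKERS}-{MAX_WORKERS} range"
    if value < MAX_WORKERS:
        return "tunable", value, f"{cores} cores: notes report best results at {MAX_WORKERS}"
    return "ok", value, "already at the value the notes report as best"
```

Call `review_worker_processes(open(path).read())` with the path to your own estreamer.conf; the core count defaults to the host's.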

See Details section for more Release Notes on Version 3.5.0

Version 3.0.0
Aug. 1, 2017



AppInspect Tooling

Splunk AppInspect evaluates Splunk apps against a set of Splunk-defined criteria to assess the validity and security of an app package and components.
