icon/x Created with Sketch.

Splunk Cookie Policy

We use our own and third-party cookies to provide you with a great online experience. We also use these cookies to improve our products and services, support our marketing campaigns, and advertise to you on our website and other websites. Some cookies may continue to collect information after you have left our website. Learn more (including how to update your settings) here.
Accept Cookie Policy

We are working on something new...

A Fresh New Splunkbase
We are designing a New Splunkbase to improve search and discoverability of apps. Check out our new and improved features like Categories and Collections. New Splunkbase is currently in preview mode, as it is under active development. We welcome you to navigate New Splunkbase and give us feedback.

Accept License Agreements

This app is provided by a third party and your right to use the app is in accordance with the license provided by that third-party licensor. Splunk is not responsible for any third-party apps and does not provide any warranty or support. If you have any questions, complaints or claims with respect to this app, please contact the licensor directly.

Thank You

Downloading Cisco Secure eStreamer Client Add-On for Splunk
SHA256 checksum (cisco-secure-estreamer-client-add-on-for-splunk_529.tgz) cf2f424e1d936ff6d8fb3e2ef25ea7185dac87ec65cbc879545c89be1b571899 SHA256 checksum (cisco-secure-estreamer-client-add-on-for-splunk_527.tgz) 112208441e7a5828678499ffd1d2f9c270a074e1fb509eba2946be44b5e8b0eb SHA256 checksum (cisco-secure-estreamer-client-add-on-for-splunk_526.tgz) 1d26d5cf901461587bd5a23e9eaaa0ba763e37d195660a2adadf26c9db0dba7a SHA256 checksum (cisco-secure-estreamer-client-add-on-for-splunk_519.tgz) 33a216fc1842c50ced9999a3f29cdf5c993e1e6015ac0483c8f1fe6a7ec1a020 SHA256 checksum (cisco-secure-estreamer-client-add-on-for-splunk_518.tgz) 2b06a211ef9de28c633bcd29067dd152d63ef842473609e14b9f17b1a6581f93 SHA256 checksum (cisco-secure-estreamer-client-add-on-for-splunk_517.tgz) 028d888bc0bb2fe5e50c40836f3a766ae4d2b6362039ed0239af8333362b312a SHA256 checksum (cisco-secure-estreamer-client-add-on-for-splunk_513.tgz) 7522e2f2ff39e1763f5908d80a550a3a2db5df17a2a5e1887d3e2044def019fe SHA256 checksum (cisco-secure-estreamer-client-add-on-for-splunk_510.tgz) a9373bbdf1562d7a3e9d9be5c951529540e18a7dcdaede986120401fc23b4317 SHA256 checksum (cisco-secure-estreamer-client-add-on-for-splunk_504.tgz) adc24cb117562fbb03a681f0eb741c21757ed005cae7e5100faf99f4e2209fd1 SHA256 checksum (cisco-secure-estreamer-client-add-on-for-splunk_503.tgz) a72873ef6925b4666199d104c58aae74992985feb9154668ce45207d82fca534 SHA256 checksum (cisco-secure-estreamer-client-add-on-for-splunk_502.tgz) d7107bc7ab6721fec1d2038ec591ee4e8d09766d7d17ee95e863ee73a8c74e15 SHA256 checksum (cisco-secure-estreamer-client-add-on-for-splunk_501.tgz) 209a978b2e9031927a5e3e69ccae1fe33960ecc3c5e3ce708878d087d0e1b1a7 SHA256 checksum (cisco-secure-estreamer-client-add-on-for-splunk_483.tgz) 1954ad7316c4003702cc6cfc70103620684aab44e4f484098764d2a8a42cedbb SHA256 checksum (cisco-secure-estreamer-client-add-on-for-splunk_482.tgz) 51281477b6c0cc7b2b1cb3a5c58a1ff0253a345e4dc4c7273d7d791aa94aaa8b SHA256 checksum (cisco-secure-estreamer-client-add-on-for-splunk_481.tgz) 9b001325da421fbe70bb9b01f09027450b6e4d28407c68209f0f0205e0b6de6c SHA256 checksum (cisco-secure-estreamer-client-add-on-for-splunk_471.tgz) 61eaf2d207121e61e7e8f69d93057224a6b0a476c9af3d289c653be35773319b SHA256 checksum (cisco-secure-estreamer-client-add-on-for-splunk_388.tgz) 30aae6d6fb0cc18b79d700d86699292f36601d90f932e72c56521c032cd28235 SHA256 checksum (cisco-secure-estreamer-client-add-on-for-splunk_464.tgz) 4edcff0789afec48a9524bdd7b47fdde2ea0881a529f82c54ce01fbfd7eb90a0 SHA256 checksum (cisco-secure-estreamer-client-add-on-for-splunk_463.tgz) ce51c93a41e162ab867829d814e1dcb255c2ee18be30f0826dfa2380238f3a30 SHA256 checksum (cisco-secure-estreamer-client-add-on-for-splunk_461.tgz) 9f38d6d5551297108d412ad5f8ac59f5d0fc8fffe93e5ea4eeacd913a1655754 SHA256 checksum (cisco-secure-estreamer-client-add-on-for-splunk_387.tgz) bf7552bcc6160a200b46c5e05077ae0c288795d68b7e6af0e58b8d06835f9d10 SHA256 checksum (cisco-secure-estreamer-client-add-on-for-splunk_460.tgz) 1378484197da97423742e3d9cbe4ca37bf8263846a8a607250d6c925a709e75b SHA256 checksum (cisco-secure-estreamer-client-add-on-for-splunk_380.tgz) 65f53cb33fa1be13d128889d5b8a2fdedd4af6ffe29626fe9e70e1dce796395f SHA256 checksum (cisco-secure-estreamer-client-add-on-for-splunk_375.tgz) 278f3fc3f474e91762821b567a29ff8578d4c3e526eb1be37857e4ade92ae34f SHA256 checksum (cisco-secure-estreamer-client-add-on-for-splunk_374.tgz) b178491dca6f18f90a0fd11ef721d3306474aa81a7c7b3291e7f585675ec3ae3 SHA256 checksum (cisco-secure-estreamer-client-add-on-for-splunk_409.tgz) 5d3c4e352b4537573c52afcacb27a6064552a3dd2e63d5586732e8071d17105e SHA256 checksum (cisco-secure-estreamer-client-add-on-for-splunk_408.tgz) e8d0a8a7801b1ad4c0aa1c5c282c599b2a1979eadaf6d5cf147598d55bdde80a SHA256 checksum (cisco-secure-estreamer-client-add-on-for-splunk_371.tgz) 475e4d20f7025816f77e170bcf79860589b6eacb6a2efa4f2e87d01203984423 SHA256 checksum (cisco-secure-estreamer-client-add-on-for-splunk_368.tgz) a7823ba31472be9057976facebf7b8d192f1fc896d8db8cdd7f2e820b92021a4 SHA256 checksum (cisco-secure-estreamer-client-add-on-for-splunk_358.tgz) 96c75ed9ff3cd09d8876cebd7fb36df4ec1706c992bb60773126f2aff0f8754d SHA256 checksum (cisco-secure-estreamer-client-add-on-for-splunk_357.tgz) 4c5bf81107f8cafbe58ee6ebf7560a5ca73c682152a92314c4e0fc2c75792d58 SHA256 checksum (cisco-secure-estreamer-client-add-on-for-splunk_356.tgz) 540da07edb3b5c822f5029b85434af8fd15b0cbc169cfa0e996ef255f49695e0 SHA256 checksum (cisco-secure-estreamer-client-add-on-for-splunk_354.tgz) 7c8e2b2ac9f8d178a17349314f65f0f13c42cb9f71b4642effdd8265dd665070 SHA256 checksum (cisco-secure-estreamer-client-add-on-for-splunk_353.tgz) a3b31edb8fd07d981cb67a0580dd2de6045e3cbf6ab0b3800aa664b1046e9d53 SHA256 checksum (cisco-secure-estreamer-client-add-on-for-splunk_351.tgz) 57cc90c9fc8413826f2d908bd211fc9370e4798c2cddaa83e9c44a712cd910fb SHA256 checksum (cisco-secure-estreamer-client-add-on-for-splunk_350.tgz) 228450dfd235b056b8f3063271c7e24fd3ec0e00474b9ef6800acd3fb40930ad SHA256 checksum (cisco-secure-estreamer-client-add-on-for-splunk_300.tgz) 477eb0060b826e0891d51f1dd9daa152df604f767469fdd4662f9f4d0547bd00
To install your download
For instructions specific to your download, click the Details tab after closing this window.

Flag As Inappropriate


Cisco Secure eStreamer Client Add-On for Splunk

Cisco Secure eStreamer Client (f.k.a. eNcore) Technical Add-on for Splunk is an eStreamer client with a Splunk plugin that provides comprehensive event forwarding from all 6.x versions of Threat Defense Manager (f.k.a. Firepower Management Center) to Splunk Enterprise and Splunk Enterprise Security.

The following event types are supported with complete schema coverage through the eStreamer API specification for Threat Defense Manager version 6.2+.

• Discovery Events
• Correlation and White List Events
• Impact Flag Alerts
• Intrusion Events
• Intrusion Event Packet Data
• User Activity
• Intrusion Event Extra Data
• Malware Events
• File Events
• Connection Events

This app was developed for and tested on Linux platforms only. Windows support is not currently available. Please check with Cisco for any change in status.

*Updates July 15th, 2024
The current eStreamer app is going EOL, limited support will be provided for the current implementation, please use the latest app, the Cisco Security Cloud -- https://splunkbase.splunk.com/app/7404

The Cisco Security Cloud -- https://splunkbase.splunk.com/app/7404 -- provides eStreamer SDK integration which will provide fully quailfied event support for IDS, Malware, Connection and IDS Packet data.

Secure eStreamer Client (f.k.a. eNcore) for Splunk is a plugin based eStreamer client built from scratch in Python designed to deliver fully qualified event data to Splunk from Secure Firewall (f.k.a. Firepower) 6.x platforms. If you have experienced problems getting the Cisco eStreamer for Splunk app version 2.2.1 and 2.2.2 working with Secure Firewall 6.x you should move to this new application so that you can leverage the many improvements listed below.

Secyre eStreamer Client for Splunk is a Technical Add-on (TA) designed purely to collect data and be installed on a forwarder.

New in this solution:

Resolved Issues in V 3.5.0

  1. An issue where Security Intelligence Category was not populating properly in Connection events. It is now populating correctly.
  2. An issue where the egress interface was populating with the id instead of the interface name in Intrusion events. It is now populating with the name.
  3. An issue where the fw_policy field name was appearing in Splunk file event output even though the firewall policy name is not part of the file event. The field name has been removed.
  4. An issue where the log reported a process poll timeout error even though the process is healthy and operating normally. The issue has been corrected.
  5. An issue where the name of the source user field was not populating correctly in connection events, intrusion events, file events, and malware events. The field is now populating correctly.
  6. An issue where the sid field in intrusion events was populating with an "internal sid" instead of the "rendered sid". If a user imports a custom rule file with rules that specify the sid, that sid is the "rendered sid" that appears in the FMC interface. The sid field in intrusion events is now populated by the rendered sid.
  7. An issue where the DNS Query field in connection event was not populating correctly. It is now populating correctly.
  8. An issue where in malware events, the virus name/detection name field was not populating correctly. It is now populating correctly.
  9. An issue where eNcore reported the following error: "UnicodeEncodeError: 'ascii' codec can't encode characters … ". The issue has been resolved.
  10. An issue where the packet payload output included layer 2-4 headers for TCP and UDP packets. The issue has been corrected and only the payload (without the layer 2-4 headers) appears in the payload field.
  11. An issue where in correlation events, the cs1 field (for access control policy name) was populating with the uuid instead of the name. The issue has been corrected.

Release Notes

Version 5.2.9
Oct. 10, 2023

*Updates July 15th, 2024
The current Cisco Secure Firewall app is going EOL, limited support will be provided for the current implementation, please use the latest app, the Cisco Security Cloud -- https://splunkbase.splunk.com/app/7404

The Cisco Security Cloud -- https://splunkbase.splunk.com/app/7404 -- provides eStreamer SDK integration which will provide fully quailfied event support for IDS, Malware, Connection and IDS Packet data.


*Fixed JSON output in several fields including: Connection Events: User Data, Iface/Egress Interface, converted byte string outputs to regular strings in the ssl context, id fields

Version 5.2.7
Aug. 23, 2023

Fixed "BlockedReasonId" key error present in FMC < 7.0 builds which was causing the program to stop parsing during IDS enrichment.

Version 5.2.6
May 30, 2023

*Various bug fixes including:
- Fixed an issue with Metadata events, record type 112, contained logic to handle blocked reason ids that were not defined as part of the record type
- Removed offset warnings issue in malware events for ingress/egress vrf fields
- Corrected Syntax error in default cache values

Version 5.1.9
Jan. 9, 2023

Added CIM compliant event types and tags to default conf file definitions, CIM modeled event types include authentication, ids, malware, network resolution, network traffic and ssl events. For more details please view the eventtypes.conf file [https://github.com/CiscoSecurity/fp-05-firepower-cli/blob/master/assets/splunk-collector/default/eventtypes.conf]

Supports FMC 7.x

Version 5.1.8
Dec. 16, 2022

Removed byte hex encoding for file hash fields, malware event fields (records 125,502 and 511) no longer contain the b'<file_hash>' wrapper encoding.

Added additional configuration options for packet records, you can now select whether or not to include the original packet in the record which contains the payload and the packet header, this configured using the following variable in the estreamer.conf

includeOriginalPacket: true in (https://github.com/CiscoSecurity/fp-05-firepower-cli/blob/master/default.conf#L56) estreamer.conf

Version 5.1.7
Dec. 14, 2022

Enabled configuration of output types for packet data (record type = 2), the following types are now supported in the estreamer.conf

Hex (default)

configuration settings are case sensitive ('hex', 'ascii', 'utf-8')

To configure the packet data output type modify the 'packetEncoding' variable in the estreamer.conf, under subscriptions
estreamer.conf --> packet settings

Version 5.1.3
June 27, 2022

Fixed issue with 110 events

Version 5.1.0
April 12, 2022

Fixed an issue with malware and file events, record types 500 and 502. This effects 6.x and 7.x FMC versions. The issue was a bug within the Splunk adapter that did not convert the fileAnalysisStatus field properly. This would cause version 5.x to hang on parsing

Additionally, 7.0x requests for the newer event format for malware events were not implemented, still requesting the old format, now version 7 for malware events will retrieve block type 79 in the estreamer guide, which includes ingress and egress network routing information.

eStreamer 7.1 guide

Version 5.0.4
Feb. 24, 2022

*Fixed original src ip naming conflict in legacy record 110 events (only effects versions below 7.0)

Version 5.0.3
Feb. 19, 2022

*Fixed parsing issue with legacy user event record types, type 62

Version 5.0.2
Feb. 16, 2022

*Fixed bug with user record type 98, corrected parsing issues and removed additional binary characters present at the end of usernames

Version 5.0.1
Feb. 7, 2022

Updated support for new Intrusion and Connection Event structures in FMC 7.0/7.1
This release handles the removal of XFF (record type 110) events and provides original client proxy Ip information directly within IPS events
*Additional Fields added include:

Intrusion Events:

Original Source IP (Proxy IP's0
Blocked Reason ID

Connection Events:


x5.0.1 - Reverted constants file to prior for python3 messaging during certificate install

Version 4.8.3
Nov. 19, 2021

Added support for Splunk status in .splencore.sh script
Fixed App Inspect failure due to no default settings in app.conf for estreamer.conf reload triggers

Version 4.8.2
Nov. 10, 2021

*Added additional error handling for local cache storage

Version 4.8.1
Aug. 30, 2021

*Fixed bug associated with "JSON settings error" in estreamer.log which would periodically stop the encore process since the configuration file could not be read into memory.

*Specifically modified the 'stop' command to safely terminate existing estreamer python connections to the FMC

More Detail: This latest update, v4.8.1 in Splunkbase, should provide more robust handling of the FMC connection, and eliminate the "JSON settings error" from the encore logs. Additionally, we have created CSCvz51007 to address the potential FMC condition of reaching too many client connections. I would highly encourage an update to 4.8.1 if you are seeing any timeout issues, as always please reach out to our mailer here if you are experiencing problems or create a Cisco Support TAC case so we can promptly investigate.

Version 4.7.1
Aug. 16, 2021

*Modified the ./splencore.sh stop command to wait for TCP termination vs pkill, this is likely the issue behind "JSON settings" error and additional idle timeouts as the FMC server was receiving multiple session requests before older sessions were properly terminated

Version 3.8.8
Aug. 6, 2021

*Fixed incorrect value in the disposition field for malware events

Version 4.6.4
Aug. 5, 2021

*Fixed incorrect disposition field value in malware events

Version 4.6.3
July 22, 2021

Fixed errors in the stop command which not consistently terminate encore processes and remove pid files
Modified handling of XFF events

Version 4.6.1
June 30, 2021

*Modified clean script which is believed to cause issues with the bug "Invalid JSON settings"

Version 3.8.7
May 20, 2021

*Updated stop script for multi-thread mode

Version 4.6.0
May 13, 2021

Added additional transforms to the props.conf to support dashboard 1.60 updates
Modified the stop utility to remove temporary pid file and terminate all estreamer client processes, whereas in versions this only worked in single thread mode

Version 3.8.0
April 6, 2021

Added support for VPN connection events, record types 170/171, user login/logoff attempts
Added additional fields to support XFF HTTP URI events

Version 3.7.5
Feb. 24, 2021

Fixed encoding bug "UnicodeEncodeError: 'ascii' codec can't encode character u'\xa0' in position 20: ordinal not in range(128)"
Updated multiple rec types with src_host_ip field, this requires FMC host discovery policy to be set

Version 3.7.4
Feb. 1, 2021

Added "src_host" field to multiple record types, this field provides traceability do the original host ip.

Version 4.0.9
Oct. 16, 2020

*4.0.9 Update

Removed ORIGINAL SOURCE IP error, this potentially would cause applications errors due to the reference of a non-existent data type. Please reference the full setup guide for Splunk 8.0/Cloud changes


Version 4.0.8
Oct. 8, 2020

Splunk 8.0 release, please see full guide for install/setup details


4.0.8 includes
reordered event format to include time in the beginning of the record, reset default MAX_LOOKAHEAD accordingly for increased performance

Version 3.7.1
Oct. 8, 2020

Encore version 3.x support only legacy Splunk 7.x with python2
Modified event structure to include event_sec in the beginning of the record for increased performance
*Added additional ipv6 formatting for XFF events

Version 3.6.8
Nov. 6, 2019

Corrected performance issues associated with outputting various pcap data types, this feature will be revised and re-released in a future version
Modified definition of event_sec for connection events, in the FMC all connection events start at first packet time which is now the value used for indexing. The first_pkt_sec field is still preserved to support backward compatibility.

*Fixed bug with the initiatorIpAddress field in correlation events

Version 3.5.8
June 27, 2019

Project Summary

This is the rewrite for the SourceFire eStreamer client.

The Cisco Event Streamer (also known as eStreamer) allows you to stream System intrusion,
discovery, and connection data from Firepower Management Center or managed device (also
referred to as the eStreamer server) to external client applications.

eStreamer responds to client requests with terse, compact, binary encoded messages – this
keeps it fast

eNcore is a new all-purpose client which requests all possible events from eStreamer, parses
the binary content and outputs events in various formats to support other SIEMs

*Updates for 3.5.8

*Bug fix - microseconds on pcap data now use the proper field name 'upacket_sec', and seconds use 'packet_sec'

Version 3.5.7
May 22, 2019

Version 3.5.7 Updates

*Added back aliasing for action/blocked fields

Version 3.5.6
April 18, 2019

Version 3.5.6 Updates
Removed default disabling of the cisco:estreamer:data source type
Removed duplicate aliasing for action/blocked fields

Version 3.5.4
Nov. 19, 2018
  • Fixed encore settings which did now allow for control the writing of metadata
  • Added additional notes to readme to address performance improvements and the use of worker processes/batchSizes
Version 3.5.3
Sept. 6, 2018

eNcore v3.5.3 resolves issues with previous v3.5.x versions where eNcore would crash under certain conditions.
All eNcore v3.5.x versions provide significant performance enhancements over pre-v3.5 versions.

Version 3.5.1
Aug. 14, 2018
Version 3.5.0
July 6, 2018

eNcore version 3.5.0 features performance improvements – the ability to process a significantly higher event rate. This improvement requires no additional configuration on the part of the user.

However, if the eNcore platform has four or more cores, then additional performance improvement can be gained by adjusting a parameter in the configuration file, estreamer.conf. This parameter is called “workerProcesses” and is highlighted below:

"connectTimeout": 10,
"enabled": true,
"workerProcesses": 4,
"handler": {
--- rest of config file omitted ---

The highlighted line shows the “workerProcesses” to be set at 4. It can be set anywhere from 4-12, but with four or more cores, testing showed the best performance when set to 12.

See Details section for more Release Notes on Version 3.5.0

Version 3.0.0
Aug. 1, 2017

Subscribe Share

Are you a developer?

As a Splunkbase app developer, you will have access to all Splunk development resources and receive a 10GB license to build an app that will help solve use cases for customers all over the world. Splunkbase has 1000+ apps from Splunk, our partners and our community. Find an app for most any data source and user need, or simply create your own with help from our developer portal.

Follow Us:
Splunk, Splunk>,Turn Data Into Doing, Data-to-Everything, and D2E are trademarks or registered trademarks of Splunk Inc. in the United States and other countries. All other brand names,product names,or trademarks belong to their respective owners.