Cisco eStreamer Firepower FMC eStreamer issues…

There are 3 types of streamer issues in the Cisco Firepower FMC and in different releases.

The first is the enforcement of TLS, which was introduced in 6.1. That broke the most integrations.
The second issue is eStreamer documentation requires a two-way SSL authentication. At some point, the client part of authentication started failing because of a bug.
The third issue is connected to how NetAMP works on FirePower. The short of this problem is the integration is not fully baked.
You can access the eStreamer information from System>Integration>eStreamer:
Supposedly, there is a fix coming out this week or next, but Cisco has planned to depreciate eStreamer in interactions over the next 24 months in favor of a syslog protocol.

6 Comments

    1. I haven’t had time to work on this lately, and I know that eStreamer will go away, but I don’t know when

  1. Hi Todd, what´s the source of this information below?
    “but Cisco has planned to depreciate eStreamer in interactions over the next 24 months in favor of a syslog protocol.”
    Knowing that via syslog we’re not receiving (yet) a lot of important informations (such the event has been dropped or not) via syslog it is frustrating to know that we will develop under a solution that will be depreciated soon.
    Another perspective is the breadth of each one. eStreamer will populate more dashboard as bellow :
    1- Intrusion Detection, 2- Network Traffic. 3- Malware
    while syslog give you only Malware.

    1. Robert, let me get an update on this post…it is still true, but I haven’t followed up lately and need to…standby

      1. Okay, here is what a very knowledgable Cisco Firepower within cisco person said:

        In the words of Mark Twain. News of eStreamer’s death was an exaggeration. That is, it’s still there and will likely be for years. Yes, new logging options are coming and are here with enhanced syslog in 6.3 and 6.4. But eStreamer remains an option.

        1. Thank´s Todd, I appreciate for sharing with us this updated information. It looks like we’ll have a transition time until syslog´s features will be good enough to supplant eStreamer.

  2. Stirring the pot…
    I am not an FMC guy, I am a splunk guy. Can anyone add any insight that might help splunk admins like me that rely on the eStreamer eNcore integration using the splunk add-on? My FMC guy just upgraded, and it broke our ingest/integration. It might be time to stop using eStreamer, and go with a simple syslog integration, especially if the syslog logs contain more detail. Thanks in advance!

    1. There is really not a lot of configuration on the FMC side, but the admin probably need to run another cert and give that to you. Not sure why an update would break that connection, but have him run the streamer client cert again
      But syslog would work too

      1. It certainly appears not much to the FMC side. From FMC > Integration > eStreamer > Create Client.
        Next simple task would be to recreate a new client, use a new password, and get me the client.pkcs12 cert for my splunk config. I am not sure what version the FMC upgrade took us too, all I know is that the splunk add-on only works for 6.x. There may be more to it. Thanks for the response, I appreciate it. If the detail of the logs coming from FMC are the same, whether its syslog, or eStreamer, I might opt for syslog. Stay safe, and Thanks

Leave a Reply

Your email address will not be published.