https://community.splunk.com/t5/All-Apps-and-Add-ons/Cisco-eStreamer-eNcore-for-Splunk-Status-Continually-quot/m-p/293586#M35069 <P>Hello,</P> <P>I recently installed the new <A href="https://splunkbase.splunk.com/app/3662/">Cisco eStreamer eNcore Add-on for Splunk</A> and I am having an issue. I installed the TA on the heavy forwarder per the <A href="https://supportforums.cisco.com/document/13345976/cisco-estreamer-encore-splunk-operations-guide-30">Cisco documentation</A>. However, I am not ingesting logs and according the quick query (sourcetype="cisco:estreamer:status") the eNcore TA is in a stopped status (see screenshot below):</P> <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/3397i44DEA00C8541BE08/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> <P>As well, with another query (sourcetype=cisco:estreamer:log) it seems there is a communication issue between the TA and the Cisco Firepower Management Center (see below screenshot):</P> <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/3398i868AF67C3FE333D8/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> <P>Can anyone assist me as to why the encore TA is not starting and/or there are communication issues with the FMC? I have verified it is enabled, and configured on both the Splunk side and the Cisco Firepower Management Center, which by-the-way is on version 6.2.0.1. I verified the certificate file is in place, generated on the Cisco Firepower Management Center, and the password is correct.</P> <P>Thanks in advance!</P> Thu, 17 Aug 2017 19:01:43 GMT sdtruesdale 2017-08-17T19:01:43Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Cisco-eStreamer-eNcore-for-Splunk-Status-Continually-quot/m-p/293586#M35069 <P>Hello,</P> <P>I recently installed the new <A href="https://splunkbase.splunk.com/app/3662/">Cisco eStreamer eNcore Add-on for Splunk</A> and I am having an issue. I installed the TA on the heavy forwarder per the <A href="https://supportforums.cisco.com/document/13345976/cisco-estreamer-encore-splunk-operations-guide-30">Cisco documentation</A>. However, I am not ingesting logs and according the quick query (sourcetype="cisco:estreamer:status") the eNcore TA is in a stopped status (see screenshot below):</P> <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/3397i44DEA00C8541BE08/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> <P>As well, with another query (sourcetype=cisco:estreamer:log) it seems there is a communication issue between the TA and the Cisco Firepower Management Center (see below screenshot):</P> <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/3398i868AF67C3FE333D8/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> <P>Can anyone assist me as to why the encore TA is not starting and/or there are communication issues with the FMC? I have verified it is enabled, and configured on both the Splunk side and the Cisco Firepower Management Center, which by-the-way is on version 6.2.0.1. I verified the certificate file is in place, generated on the Cisco Firepower Management Center, and the password is correct.</P> <P>Thanks in advance!</P> Thu, 17 Aug 2017 19:01:43 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Cisco-eStreamer-eNcore-for-Splunk-Status-Continually-quot/m-p/293586#M35069 sdtruesdale 2017-08-17T19:01:43Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Cisco-eStreamer-eNcore-for-Splunk-Status-Continually-quot/m-p/293587#M35070 <P>This error means that the TA has not been configured yet. Specifically, if the config file has an FMC host which is either empty or = "1.2.3.4" then that will result in this error.</P> <P>Have you run through the setup screen from <CODE>Manage Apps &gt; Cisco eStreamer eNcore for Splunk &gt; Setup</CODE>?</P> <P>If so - did you get any errors? If not, give that a go.</P> Wed, 23 Aug 2017 10:30:06 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Cisco-eStreamer-eNcore-for-Splunk-Status-Continually-quot/m-p/293587#M35070 sastrach 2017-08-23T10:30:06Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Cisco-eStreamer-eNcore-for-Splunk-Status-Continually-quot/m-p/293588#M35071 <P>There was no answer to this and I am having a similar problem. In the /opt/splunk/etc/apps/TA-eStreamer/bin/encore there are two conf files. The first is default.conf and the second is estreamer.conf. In the file estreamer.conf, I made sure that the server information under subcription which is at the bottom of the file. <BR /> I entered a valid IP for the line "host": "1.2.3.4" and a valid pkcsFilepath to where the client.pkcs12 certificate it is.<BR /> I still had problems with the estreamer being stopped. <BR /> The default one has the same information and I can't get the estreamer to start. So I input the same information into the default.conf and estreamer still isn't working.</P> <P>I hope someone has an answer to this problem.</P> Tue, 01 May 2018 07:13:57 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Cisco-eStreamer-eNcore-for-Splunk-Status-Continually-quot/m-p/293588#M35071 molinarf 2018-05-01T07:13:57Z