topic Re: Cisco Firepower eStreamer eNcore 3.6.8 - looping and data delay in All Apps and Add-ons

Cisco Firepower eStreamer eNcore 3.6.8 - looping and data delay

vinz2020 — Wed, 30 Sep 2020 04:32:14 GMT

Dear community

I am trying to onboard the logs from my Cisco FMC (v6.4.0.7) to Splunk (7.3.3), using the app Cisco Firepower eStreamer eNcore (3.6.8)

the connectivity is OK, I am able to collect some logs during a few minutes.
and then the estreamer process stopped/failed.
after 15/30 minutes the process is able again to collect some data events from the IDS ... and then fails again

I don't really know where/what troubleshoot.
maybe the default setting "maxQueueSize": 100.
this one can be increased as we have a lot of events.

thank you so much

Message output for index=estreamer sourcetype="cisco:estreamer:log" :

Starting process.
Starting process.
Starting process.
Starting Monitor.
Using TLS v1.2
Connecting to x.x.x.x:8302
Connection successful
Streaming info response
Response message=xxxxx
Receiving response message
Sending request message
Request message=0001000200000008ffffffff48900061
Creating request message
Using TLS v1.2
Connecting to xxxxx:8302
Creating connection
Check certificate
Settings: xxxxxxxx=
Processes: 4
Sha256: 3xxxxx
Platform version: Linux-3.10.0-1062.el7.x86_64-x86_64-with-redhat-7.7-Maipo
2020-03-10 11:14:28,556 Controller INFO Starting client (pid=25963).
eNcore version: 3.6.8
Goodbye
Stopping Monitor.
Process 20330 (Process-4) exit code: 0
Exiting
Error state. Clearing queue
Stop message received
Process 20329 (Process-3) exit code: 0
Exiting
Error state. Clearing queue
Stop message received
Process 20328 (Process-2) exit code: 0
Exiting
Error state. Clearing queue
Stop message received
Process 20327 (Process-1) exit code: 1
Stopping...
Running. 0 handled; average rate 0 ev/sec;
Process subscriberParser is dead.
Starting. 0 handled; average rate 0 ev/sec;
Starting process.
Starting process.
Starting process.
Starting Monitor.

Re: Cisco Firepower eStreamer eNcore 3.6.8 - looping and data delay

ivanreis — Wed, 11 Mar 2020 03:07:45 GMT

try to search for some errors on splunkd.log for "eStreamer"
Check this procedure for the add-on configuration.
http://www.thesecurityblogger.com/configuring-cisco-firepower-estreamer-with-splunk-7/

Re: Cisco Firepower eStreamer eNcore 3.6.8 - looping and data delay

vinz2020 — Wed, 11 Mar 2020 07:40:21 GMT

Yes I have this configuration, thank you

the apps works fine, collecting events on the FMC ... except every 15-20 minutes when the estream app is going down. then it takes a few minutes to restart and collect events again

Re: Cisco Firepower eStreamer eNcore 3.6.8 - looping and data delay

ivanreis — Wed, 30 Sep 2020 04:33:36 GMT

can you please check which python version you are running? I am asking because I had an issue on customer where they were running Centos 8 and the python version that was running was python 3.6... I also saw the same exit code at logs.
run the script ./splencore.sh test at TA-eStreamer/bin...if you are getting this message:

./splencore.sh test
Traceback (most recent call last):
File "./estreamer/preflight.py", line 33, in
import estreamer.crossprocesslogging
File "/opt/splunk/etc/apps/TA-eStreamer/bin/encore/estreamer/init.py", line 27, in
from estreamer.connection import Connection
File "/opt/splunk/etc/apps/TA-eStreamer/bin/encore/estreamer/connection.py", line 22, in
import ssl
File "/opt/splunk/lib/python2.7/ssl.py", line 98, in
import _ssl # if we can't import it, let the error propagate
ImportError: libssl.so.1.0.0: cannot open shared object file: No such file or directory

then, do this to fix it:
Install Python 2.7

Edit the python script “splencore.sh” at /opt/splunk/etc/apps/TA-eStreamer/bin and remove # from this line #SPLUNK_HOME=/opt/splunk

!/bin/sh

debug

set -x

Uncomment #SPLUNK_HOME=/opt/splunk
SPLUNK_HOME=/opt/splunk

vars

pid='-1'
configFilepath="estreamer.conf"
pybin="python"
basepath="$SPLUNK_HOME/etc/apps/TA-eStreamer/bin/encore/"
isRunning=0

save it, restart splunk service.

The python error was fixed, and after a couple of minutes the data is being receiving properly.

Also try to play around the Data configuration at addon, on the customer, I select the option " Connections? This is a very high-volume option and may consume significant network and storage usage"

These were the steps I took to fix the issue on customer. I hope this can help you.