<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Cisco Security Cloud Estreamer Issues in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/Cisco-Security-Cloud-Estreamer-Issues/m-p/761862#M120612</link>
    <pubDate>Tue, 23 Jun 2026 20:00:19 GMT</pubDate>
    <dc:creator>Darthsplunker</dc:creator>
    <dc:date>2026-06-23T20:00:19Z</dc:date>
    <item>
      <title>Cisco Security Cloud Estreamer Issues</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Cisco-Security-Cloud-Estreamer-Issues/m-p/758434#M120240</link>
      <description>&lt;P&gt;Good Afternoon,&lt;BR /&gt;&lt;BR /&gt;I have been at war with the eStreamer app for 2 weeks and I cannot get this to work. Below are the current specs:&lt;BR /&gt;&lt;BR /&gt;RHEL 9.5 With FIPS&lt;BR /&gt;Splunk 9.4.4 HF&lt;BR /&gt;FMC&amp;nbsp;7.4.2.4&lt;/P&gt;&lt;P&gt;&lt;SPAN class=""&gt;Cisco Security Cloud&amp;nbsp;3.6.1&lt;BR /&gt;&lt;BR /&gt;So I had issues with FIPS and the cert; I was able to fix that. I then ran into network connectivity issues and that was resolved. I can openssl with the eStreamer cert to the FMC on port 8302 and have no issues connecting to it with TLS. The issue occurs when I set up the eStreamer inputs on the Cisco Security Cloud app. When I put in the password and all the information, the input fails, and below are the logs of the issue. I can't seem to find anything online on this issue with eStreamer.&lt;BR /&gt;&lt;BR /&gt;Any help would be great. Thank you.&lt;/SPAN&gt;&lt;/P&gt;&lt;LI-CODE lang="markup"&gt;2026-02-17 12:50:38,776 INFO [collect_events] validate_connection():195 Get test chunk of events for input test
2026-02-17 12:50:38,777 INFO [estreamer_connection] get_events():145 Getting events
2026-02-17 12:50:38,777 INFO [collect_events] validate_connection():205 Clean up after eStreamer validation process: test
2026-02-17 12:50:38,778 INFO [collect_events] validate_connection():211 Delete certificate files
2026-02-17 12:50:38,778 ERROR [sbg_fw_estreamer_input] validate_input():180 instance=test, error_type=Connection, error_code=error, error_detail=Struct error occurred, probably invalid format of data, traceback=unpack requires a buffer of 2 bytes, filter_value=sbg_fw_estreamer_input.py,&lt;/LI-CODE&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Tue, 17 Feb 2026 18:14:51 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Cisco-Security-Cloud-Estreamer-Issues/m-p/758434#M120240</guid>
      <dc:creator>Rafaelled</dc:creator>
      <dc:date>2026-02-17T18:14:51Z</dc:date>
    </item>
    <item>
      <title>Re: Cisco Security Cloud Estreamer Issues</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Cisco-Security-Cloud-Estreamer-Issues/m-p/760460#M120462</link>
      <description>&lt;P&gt;I am hitting this same issue with FMC version 7.6.5 and Splunk 9.4.2&lt;/P&gt;</description>
      <pubDate>Fri, 24 Apr 2026 16:47:02 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Cisco-Security-Cloud-Estreamer-Issues/m-p/760460#M120462</guid>
      <dc:creator>ecentonze</dc:creator>
      <dc:date>2026-04-24T16:47:02Z</dc:date>
    </item>
    <item>
      <title>Re: Cisco Security Cloud Estreamer Issues</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Cisco-Security-Cloud-Estreamer-Issues/m-p/761862#M120612</link>
      <description>&lt;P&gt;I came across this issue and didn't find a solution anywhere.&amp;nbsp; However, I did manage to fix it with help from AI.&lt;BR /&gt;&lt;BR /&gt;If the issue is the Cisco Security Cloud App not taking the cert and password you just created from the FMC and just returning a generic, non-helpful error while Splunk is installed on a FIPS-compliant system, then read on.&lt;BR /&gt;&lt;BR /&gt;The problem is that the FMC encrypts the cert with a weak encryption that is NOT FIPS compliant.&amp;nbsp; Therefore the password-protected cert from the FMC must be prepped before use.&lt;BR /&gt;&lt;BR /&gt;1.) Locate a non-FIPS-enabled Linux machine, or disable FIPS on your box.&amp;nbsp; Either way is fine, but this is mandatory.&lt;BR /&gt;2.) Decrypt the cert using the password you originally created the cert with.&amp;nbsp; Obviously change "originalcert.pkcs12" to whatever the name of the cert that you downloaded from FMC is.&lt;/P&gt;&lt;LI-CODE lang="markup"&gt;openssl pkcs12 -in originalcert.pkcs12 -out unencrypted.pem&lt;/LI-CODE&gt;&lt;P&gt;3.) Re-encrypt the cert with a password using FIPS-compliant encryption. I just used the same password to encrypt this.&lt;/P&gt;&lt;LI-CODE lang="markup"&gt;openssl pkcs12 -certpbe PBE-SHA1-3DES -export -in unencrypted.pem -out FIPS_compliant.p12&lt;/LI-CODE&gt;&lt;P&gt;4.) You have to rename the compliant cert to .pkcs12, as that's what the Cisco cloud security app is looking for.&amp;nbsp; It's possible you can just use the .pkcs12 extension instead of the .p12 I had in there.&amp;nbsp; But I didn't test that, and am just writing down exactly what I did.&lt;BR /&gt;&lt;BR /&gt;Now your cert should be compliant and the app should accept it.&lt;BR /&gt;There may be an easier/better way to fix this, but this is just how I did it.&amp;nbsp; Let me know if there is a better way.&lt;BR /&gt;&lt;BR /&gt;Hope this helps!&lt;/P&gt;</description>
      <pubDate>Tue, 23 Jun 2026 20:00:19 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Cisco-Security-Cloud-Estreamer-Issues/m-p/761862#M120612</guid>
      <dc:creator>Darthsplunker</dc:creator>
      <dc:date>2026-06-23T20:00:19Z</dc:date>
    </item>
  </channel>
</rss>

