
Cisco Firepower eStreamer eNcore 3.6.8 - looping and data delay

vinz2020
Engager

Dear community

I am trying to onboard the logs from my Cisco FMC (v6.4.0.7) to Splunk (7.3.3), using the app Cisco Firepower eStreamer eNcore (3.6.8).

The connectivity is OK; I am able to collect some logs for a few minutes, and then the estreamer process stops/fails.
After 15/30 minutes the process is able to collect data events from the IDS again ... and then fails again.

I don't really know where/what to troubleshoot.
Maybe the default setting "maxQueueSize": 100? This one can be increased, as we have a lot of events.

Thank you so much.

Message output for index=estreamer sourcetype="cisco:estreamer:log":

Starting process.
Starting process.
Starting process.
Starting Monitor.
Using TLS v1.2
Connecting to x.x.x.x:8302
Connection successful
Streaming info response
Response message=xxxxx
Receiving response message
Sending request message
Request message=0001000200000008ffffffff48900061
Creating request message
Using TLS v1.2
Connecting to xxxxx:8302
Creating connection
Check certificate
Settings: xxxxxxxx=
Processes: 4
Sha256: 3xxxxx
Platform version: Linux-3.10.0-1062.el7.x86_64-x86_64-with-redhat-7.7-Maipo
2020-03-10 11:14:28,556 Controller INFO Starting client (pid=25963).
eNcore version: 3.6.8
Goodbye
Stopping Monitor.
Process 20330 (Process-4) exit code: 0
Exiting
Error state. Clearing queue
Stop message received
Process 20329 (Process-3) exit code: 0
Exiting
Error state. Clearing queue
Stop message received
Process 20328 (Process-2) exit code: 0
Exiting
Error state. Clearing queue
Stop message received
Process 20327 (Process-1) exit code: 1
Stopping...
Running. 0 handled; average rate 0 ev/sec;
Process subscriberParser is dead.
Starting. 0 handled; average rate 0 ev/sec;
Starting process.
Starting process.
Starting process.
Starting Monitor.

0 Karma
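The log above carries the whole failure signature: the monitor starts, a worker (Process-1) exits with code 1, "subscriberParser is dead", every worker clears its queue, and the monitor starts again. The following Python script is an added example, not part of the add-on or of this thread; it summarises that pattern from cisco:estreamer:log lines so the restart loop can be counted and alerted on instead of read by eye. The sample log is constructed from the lines in the post, reordered oldest-first (Splunk's event list shows newest first); the function names and the loop heuristic are the example's own.

```python
import re

# Constructed sample: the lines quoted in the post, oldest first,
# covering one complete stop/restart cycle of the eNcore monitor.
SAMPLE_LOG = """\
Starting Monitor.
Starting process.
Starting process.
Starting process.
Starting. 0 handled; average rate 0 ev/sec;
Process subscriberParser is dead.
Running. 0 handled; average rate 0 ev/sec;
Stopping...
Process 20327 (Process-1) exit code: 1
Stop message received
Error state. Clearing queue
Exiting
Process 20328 (Process-2) exit code: 0
Stop message received
Error state. Clearing queue
Exiting
Process 20329 (Process-3) exit code: 0
Stop message received
Error state. Clearing queue
Exiting
Process 20330 (Process-4) exit code: 0
Stopping Monitor.
Goodbye
eNcore version: 3.6.8
2020-03-10 11:14:28,556 Controller INFO Starting client (pid=25963).
Starting Monitor.
Starting process.
Starting process.
Starting process.
"""

# Line shapes taken from the post's log output.
EXIT_RE = re.compile(r"^Process (\d+) \((Process-\d+)\) exit code: (\d+)$")
DEAD_RE = re.compile(r"^Process (\S+) is dead\.$")
RATE_RE = re.compile(r"^(Starting|Running)\. (\d+) handled; average rate ([\d.]+) ev/sec;")
CLIENT_RE = re.compile(r"Controller INFO Starting client \(pid=(\d+)\)")


def summarize(lines):
    """Single pass over the log, collecting the facts relevant to a restart loop."""
    summary = {
        "monitor_starts": 0,
        "monitor_stops": 0,
        "client_starts": 0,      # controller (re)launches
        "queue_clears": 0,       # "Error state. Clearing queue" lines
        "worker_exits": {},      # worker name -> last exit code seen
        "dead_processes": [],    # names reported as "is dead"
        "max_handled": 0,        # highest "N handled" counter seen
    }
    for raw in lines:
        line = raw.strip()
        if line == "Starting Monitor.":
            summary["monitor_starts"] += 1
            continue
        if line == "Stopping Monitor.":
            summary["monitor_stops"] += 1
            continue
        if line == "Error state. Clearing queue":
            summary["queue_clears"] += 1
            continue
        m = EXIT_RE.match(line)
        if m:
            summary["worker_exits"][m.group(2)] = int(m.group(3))
            continue
        m = DEAD_RE.match(line)
        if m:
            summary["dead_processes"].append(m.group(1))
            continue
        m = RATE_RE.match(line)
        if m:
            summary["max_handled"] = max(summary["max_handled"], int(m.group(2)))
            continue
        if CLIENT_RE.search(line):
            summary["client_starts"] += 1
    return summary


def restart_loop_suspected(summary, min_restarts=2):
    """Heuristic for the pattern in the post: the monitor started at least
    min_restarts times and a worker either exited non-zero or was reported dead."""
    failed_worker = any(code != 0 for code in summary["worker_exits"].values())
    return summary["monitor_starts"] >= min_restarts and (
        failed_worker or bool(summary["dead_processes"])
    )


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG.splitlines())
    for key, value in s.items():
        print("%-16s %s" % (key, value))
    print("restart loop suspected:", restart_loop_suspected(s))
```

Run against a real export of the sourcetype (oldest line first), the `worker_exits` map shows which worker is the one failing and `max_handled` tells you whether any events were processed before the stop; `queue_clears` rising on every cycle is the data loss the original poster is seeing.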

ivanreis
Builder

Try searching splunkd.log for errors mentioning "eStreamer".
Check this procedure for the add-on configuration:
http://www.thesecurityblogger.com/configuring-cisco-firepower-estreamer-with-splunk-7/

0 Karma

vinz2020
Engager

Yes, I have this configuration, thank you.

The app works fine, collecting events from the FMC ... except every 15-20 minutes when the estreamer app goes down. Then it takes a few minutes to restart and collect events again.

0 Karma

ivanreis
Builder

Can you please check which Python version you are running? I am asking because I had an issue at a customer where they were running CentOS 8 and the Python version that was running was Python 3.6... I also saw the same exit code in the logs.
Run the script ./splencore.sh test at TA-eStreamer/bin... if you are getting this message:

./splencore.sh test
Traceback (most recent call last):
  File "./estreamer/preflight.py", line 33, in <module>
    import estreamer.crossprocesslogging
  File "/opt/splunk/etc/apps/TA-eStreamer/bin/encore/estreamer/__init__.py", line 27, in <module>
    from estreamer.connection import Connection
  File "/opt/splunk/etc/apps/TA-eStreamer/bin/encore/estreamer/connection.py", line 22, in <module>
    import ssl
  File "/opt/splunk/lib/python2.7/ssl.py", line 98, in <module>
    import _ssl # if we can't import it, let the error propagate
ImportError: libssl.so.1.0.0: cannot open shared object file: No such file or directory

Then, do this to fix it:
Install Python 2.7.

Edit the python script "splencore.sh" at /opt/splunk/etc/apps/TA-eStreamer/bin and remove the # from this line: #SPLUNK_HOME=/opt/splunk

#!/bin/sh

# debug
set -x

# Uncomment #SPLUNK_HOME=/opt/splunk
SPLUNK_HOME=/opt/splunk

# vars
pid='-1'
configFilepath="estreamer.conf"
pybin="python"
basepath="$SPLUNK_HOME/etc/apps/TA-eStreamer/bin/encore/"
isRunning=0

Save it and restart the Splunk service.

The Python error was fixed, and after a couple of minutes the data was being received properly.

Also try playing around with the Data configuration in the add-on. At the customer, I selected the option "Connections? This is a very high-volume option and may consume significant network and storage usage".

These were the steps I took to fix the issue at the customer. I hope this can help you.

0 Karma
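The answer above amounts to two checks: is the interpreter that runs eNcore the expected one with a working ssl module, and is SPLUNK_HOME actually assigned in splencore.sh rather than left commented out. The script below is an added example, not code from the add-on or from this thread; it performs both checks so they can be repeated on a host before restarting Splunk. The two script fragments are constructed from the lines quoted in the answer (the real splencore.sh is not reproduced), and the function names are the example's own.

```python
import importlib
import re
import sys

# Constructed fragment of splencore.sh in the state the answer starts from:
# SPLUNK_HOME still commented out.
BEFORE_FIX = """\
#!/bin/sh
# debug
set -x
# Uncomment #SPLUNK_HOME=/opt/splunk
#SPLUNK_HOME=/opt/splunk
# vars
pid='-1'
configFilepath="estreamer.conf"
pybin="python"
basepath="$SPLUNK_HOME/etc/apps/TA-eStreamer/bin/encore/"
"""
# Same fragment after the fix: the leading # removed from the assignment line.
AFTER_FIX = BEFORE_FIX.replace("\n#SPLUNK_HOME=", "\nSPLUNK_HOME=")

# Matches `NAME=value` or `#NAME=value` for the two variables we care about;
# a line such as "# Uncomment #SPLUNK_HOME=..." is a comment and does not match.
ASSIGN_RE = re.compile(r'^(#?)\s*(SPLUNK_HOME|pybin)=(["\']?)([^"\']*)\3\s*$')


def audit_splencore(script_text):
    """Report whether SPLUNK_HOME is really assigned and which interpreter
    name the script will invoke."""
    result = {"splunk_home": None, "splunk_home_commented": False, "pybin": None}
    for line in script_text.splitlines():
        m = ASSIGN_RE.match(line.strip())
        if not m:
            continue
        commented, name, _quote, value = m.groups()
        if name == "SPLUNK_HOME":
            if commented:
                result["splunk_home_commented"] = True
            else:
                result["splunk_home"] = value
        elif name == "pybin" and not commented:
            result["pybin"] = value
    return result


_PROBE = object()  # sentinel: "actually try `import ssl` in this interpreter"


def runtime_findings(version_info=None, ssl_error=_PROBE):
    """List the interpreter problems the answer describes. With no arguments
    the current interpreter is inspected; pass explicit values to evaluate
    another host's output (ssl_error="" means ssl imported cleanly)."""
    if version_info is None:
        version_info = tuple(sys.version_info[:3])
    if ssl_error is _PROBE:
        ssl_error = ""
        try:
            importlib.import_module("ssl")
        except ImportError as exc:  # e.g. libssl.so.1.0.0 missing, as in the traceback
            ssl_error = str(exc)
    findings = []
    if version_info[0] != 2:
        findings.append(
            "interpreter is Python %d.%d; the fix in this thread used Python 2.7"
            % tuple(version_info[:2])
        )
    if ssl_error:
        findings.append("ssl module unusable: " + ssl_error)
    return findings


if __name__ == "__main__":
    # Read the real script when a path is given, otherwise audit the fragments.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            print(audit_splencore(fh.read()))
    else:
        print("before:", audit_splencore(BEFORE_FIX))
        print("after: ", audit_splencore(AFTER_FIX))
    print("runtime:", runtime_findings() or "no findings")
```

Run it with the interpreter named by `pybin` (the one Splunk will actually use for the add-on), since the ssl probe is only meaningful in that interpreter; `audit_splencore` on the live file tells you whether the uncomment step has been done.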