
Cisco Firepower eStreamer eNcore 3.6.8 - looping and data delay

vinz2020
Engager

Dear community

I am trying to onboard the logs from my Cisco FMC (v6.4.0.7) to Splunk (7.3.3), using the app Cisco Firepower eStreamer eNcore (3.6.8).

The connectivity is OK; I am able to collect some logs for a few minutes, and then the eStreamer process stops/fails.
After 15/30 minutes the process is able to collect data events from the IDS again... and then fails again.

I don't really know where/what to troubleshoot.
Maybe the default setting "maxQueueSize": 100?
This one can be increased, as we have a lot of events.

thank you so much

Message output for index=estreamer sourcetype="cisco:estreamer:log" :

Starting process.
Starting process.
Starting process.
Starting Monitor.
Using TLS v1.2
Connecting to x.x.x.x:8302
Connection successful
Streaming info response
Response message=xxxxx
Receiving response message
Sending request message
Request message=0001000200000008ffffffff48900061
Creating request message
Using TLS v1.2
Connecting to xxxxx:8302
Creating connection
Check certificate
Settings: xxxxxxxx=
Processes: 4
Sha256: 3xxxxx
Platform version: Linux-3.10.0-1062.el7.x86_64-x86_64-with-redhat-7.7-Maipo
2020-03-10 11:14:28,556 Controller INFO Starting client (pid=25963).
eNcore version: 3.6.8
Goodbye
Stopping Monitor.
Process 20330 (Process-4) exit code: 0
Exiting
Error state. Clearing queue
Stop message received
Process 20329 (Process-3) exit code: 0
Exiting
Error state. Clearing queue
Stop message received
Process 20328 (Process-2) exit code: 0
Exiting
Error state. Clearing queue
Stop message received
Process 20327 (Process-1) exit code: 1
Stopping...
Running. 0 handled; average rate 0 ev/sec;
Process subscriberParser is dead.
Starting. 0 handled; average rate 0 ev/sec;
Starting process.
Starting process.
Starting process.
Starting Monitor.

0 Karma
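To make the excerpt above easier to reason about, here is an added example (not code from the post or from the eNcore add-on) that parses lines in the cisco:estreamer:log format shown and flags a restart loop; it assumes Splunk lists events newest first, so the sample is reversed before scanning.

```python
import re

# Constructed sample: a condensed copy of the cisco:estreamer:log excerpt from the post,
# in the order Splunk displays it (newest event first).
SAMPLE_LOG = """\
Starting Monitor.
Connection successful
Connecting to x.x.x.x:8302
Goodbye
Stopping Monitor.
Process 20330 (Process-4) exit code: 0
Exiting
Error state. Clearing queue
Stop message received
Process 20327 (Process-1) exit code: 1
Stopping...
Running. 0 handled; average rate 0 ev/sec;
Process subscriberParser is dead.
Starting. 0 handled; average rate 0 ev/sec;
Starting Monitor.
"""

EXIT_RE = re.compile(r"^Process \d+ \((Process-\d+)\) exit code: (\d+)$")
DEAD_RE = re.compile(r"^Process (\S+) is dead\.$")
RUN_RE = re.compile(r"^Running\. (\d+) handled; average rate (\d+) ev/sec;$")


def triage(log_text, newest_first=True):
    """Summarise one eNcore restart cycle as a dict a triage search could key on."""
    lines = [ln.strip() for ln in log_text.splitlines() if ln.strip()]
    if newest_first:  # put events into chronological order before scanning
        lines.reverse()
    result = {"monitor_starts": 0, "dead_workers": [], "nonzero_exits": [],
              "error_states": 0, "idle_runs": 0}
    for line in lines:
        if line == "Starting Monitor.":
            result["monitor_starts"] += 1
        elif line == "Error state. Clearing queue":
            result["error_states"] += 1
        elif m := DEAD_RE.match(line):
            result["dead_workers"].append(m.group(1))
        elif (m := EXIT_RE.match(line)) and m.group(2) != "0":
            result["nonzero_exits"].append((m.group(1), int(m.group(2))))
        elif (m := RUN_RE.match(line)) and m.group(1) == "0":
            result["idle_runs"] += 1  # the monitor ran but handled no events
    # A loop = more than one Monitor start plus evidence of a worker failure in between.
    result["crash_loop"] = result["monitor_starts"] > 1 and bool(
        result["dead_workers"] or result["nonzero_exits"])
    return result


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```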

ivanreis
Builder

Try searching splunkd.log for errors mentioning "eStreamer".
Check this procedure for the add-on configuration:
http://www.thesecurityblogger.com/configuring-cisco-firepower-estreamer-with-splunk-7/

0 Karma

vinz2020
Engager

Yes, I have this configuration, thank you.

The app works fine, collecting events from the FMC... except every 15-20 minutes, when the eStreamer app goes down. Then it takes a few minutes to restart and collect events again.

0 Karma

ivanreis
Builder

Can you please check which Python version you are running? I am asking because I had an issue at a customer where they were running CentOS 8 and the Python version that was running was Python 3.6... I also saw the same exit code in the logs.
Run the script ./splencore.sh test in TA-eStreamer/bin... if you are getting this message:

./splencore.sh test
Traceback (most recent call last):
  File "./estreamer/preflight.py", line 33, in <module>
    import estreamer.crossprocesslogging
  File "/opt/splunk/etc/apps/TA-eStreamer/bin/encore/estreamer/__init__.py", line 27, in <module>
    from estreamer.connection import Connection
  File "/opt/splunk/etc/apps/TA-eStreamer/bin/encore/estreamer/connection.py", line 22, in <module>
    import ssl
  File "/opt/splunk/lib/python2.7/ssl.py", line 98, in <module>
    import _ssl             # if we can't import it, let the error propagate
ImportError: libssl.so.1.0.0: cannot open shared object file: No such file or directory

Then do this to fix it:
Install Python 2.7.

Edit the python script “splencore.sh” at /opt/splunk/etc/apps/TA-eStreamer/bin and remove the # from this line: #SPLUNK_HOME=/opt/splunk

#!/bin/sh

# debug
set -x

# Uncomment #SPLUNK_HOME=/opt/splunk
SPLUNK_HOME=/opt/splunk

# vars
pid='-1'
configFilepath="estreamer.conf"
pybin="python"
basepath="$SPLUNK_HOME/etc/apps/TA-eStreamer/bin/encore/"
isRunning=0

Save it and restart the Splunk service.

The Python error was fixed, and after a couple of minutes the data was being received properly.

Also try playing around with the Data configuration in the add-on; at the customer, I selected the option "Connections? This is a very high-volume option and may consume significant network and storage usage".

These were the steps I took to fix the issue at the customer. I hope this can help you.

0 Karma