Hi All,
following this other question we were able to configure the TA Add-On, but no matter how many times we ticked the "Is enabled" box and saved, the process did not start (we had a tail -f on the FMC's messages file) on an Ubuntu installation. The only way we could start it was manually (which is not ideal, since the process does not seem to go down when the splunkd daemon is shut down).
At first the Python script seems to run, saving a few MBs locally, but then it crashes and goes into an Error state:
$ ./splencore.sh status
status_id=-1 status="Error"
This is the error message on the client side:
2017-09-05 15:33:03,256 Service ERROR OSError:
Traceback (most recent call last):
  File "./estreamer/service.py", line 179, in main
    self.start( reprocessPkcs12 = args.pkcs12 )
  File "./estreamer/service.py", line 148, in start
    self._posix()
  File "./estreamer/service.py", line 90, in _posix
    self._loop()
  File "./estreamer/service.py", line 67, in _loop
    if not condition.isTrue():
  File "/opt/splunk/etc/apps/TA-eStreamer/bin/encore/estreamer/condition/splunk.py", line 33, in isTrue
    'status' ] )
  File "/usr/lib/python2.7/subprocess.py", line 567, in check_output
    process = Popen(stdout=PIPE, *popenargs, **kwargs)
  File "/usr/lib/python2.7/subprocess.py", line 711, in __init__
    errread, errwrite)
  File "/usr/lib/python2.7/subprocess.py", line 1343, in _execute_child
    raise child_exception
OSError: [Errno 2] No such file or directory
On the FMC side, the only error we read is this:
Sep 5 13:33:03 Server-FMC SF-IMS[14050]: [14050] EventStreamer child(IP-eStreamer-Client):sfestreamer [ERROR] Unable to receive message: General read error
Thank you for all your assistance.
Hi! Have you enabled the script inputs?
Navigate to Settings > Data Inputs > Scripts
and enable the three TA-eStreamer inputs (especially the second one):
(Also navigate to Settings > Data Inputs > Files & Directories
and enable the single TA-eStreamer app input (cisco:estreamer:data) – this is where the main output data files are saved)
Running splencore.sh from the command line will not work and is not supported. The script requires that certain environment variables are set up - which is done by Splunk; without the variables, the script will fail.
Thank you, this solved the starting issue indeed, but unfortunately the eStreamer client quits with an error due to the bug https://bst.cloudapps.cisco.com/bugsearch/bug/CSCve44987, so I think we need to upgrade the FMC to one of the fixed releases.
I'm glad we're slowly getting there. Please get in contact with TAC and send them that link - they should help you with patches.
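The traceback in the question is what the answer above describes: the client's Splunk condition check calls subprocess.check_output on a command ending in 'status', and Popen raises OSError [Errno 2] when the executable it was given does not exist. The snippet below is an added example, not code from the TA-eStreamer add-on; it assumes (an assumption, not something the thread states) that the check builds its command as $SPLUNK_HOME/bin/splunk status, with SPLUNK_HOME being one of the variables splunkd exports to scripted inputs. It shows how the same check behaves with no SPLUNK_HOME (a plain shell), with a SPLUNK_HOME that has no splunk binary (the ENOENT case from the traceback), and why a clear message beats a raw OSError.

```python
import errno
import os
import subprocess


def splunk_binary(env=None):
    """Return the path of the splunk CLI derived from SPLUNK_HOME, or None if unset.

    Assumption (not from the original thread): the eStreamer condition check
    locates the CLI through $SPLUNK_HOME, which splunkd sets for scripted inputs
    and which is absent when splencore.sh is launched from an interactive shell.
    """
    env = os.environ if env is None else env
    home = env.get("SPLUNK_HOME")
    if not home:
        return None
    return os.path.join(home, "bin", "splunk")


def splunkd_status(env=None):
    """Run `splunk status` and return (ok, message) instead of letting OSError escape.

    ok is True only when the CLI ran and exited 0; message carries either the
    CLI output or a human-readable reason for the failure.
    """
    binary = splunk_binary(env)
    if binary is None:
        return (False, "SPLUNK_HOME is not set; run this as a Splunk scripted input, "
                       "not from a shell")
    try:
        # Same call shape as the traceback: check_output on [<splunk cli>, 'status'].
        out = subprocess.check_output([binary, "status"], stderr=subprocess.STDOUT)
    except OSError as exc:
        if exc.errno == errno.ENOENT:
            # This is the '[Errno 2] No such file or directory' seen in the question:
            # Popen could not find the binary at the path we derived.
            return (False, "splunk CLI not found at %s (OSError [Errno 2])" % binary)
        raise
    except subprocess.CalledProcessError as exc:
        output = exc.output.decode("utf-8", "replace").strip()
        return (False, "splunk status exited %d: %s" % (exc.returncode, output))
    return (True, out.decode("utf-8", "replace").strip())


if __name__ == "__main__":
    # Constructed environments for demonstration; neither points at a real Splunk install.
    print(splunkd_status({}))
    print(splunkd_status({"SPLUNK_HOME": "/nonexistent/splunk-home"}))
```

Running the block from a shell prints the two failure tuples; under a real scripted input, where splunkd has exported SPLUNK_HOME, the same function would invoke the CLI and return its output.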