I've been trying tirelessly to get this to work on Ubuntu 20. My process so far:
1. Install Splunk with the deb package. Seems to work just fine.
2. Login to Splunk and install the eStreamer eNcore. No issues here.
3. Enable all the data inputs file and scripts. No issues here.
4. Jump to the CLI and attempt to get into the /opt/splunk/etc/apps/TA-eSteamer directory. Turns out splunk installed this but its root:root. I changed it to splunk:splunk and 755 like all the other apps. DOesn't appear to cause any harm and lets me in.
5. Edit the splencore.sh for the home directory.
6. Copy in the client.pkcs12 and
7. Run the sudo ./splencore.sh test.
8. Run the commands for the openssl that .splencore.sh says to run. No issues here. Generates the files in the encore directory with the IP of the FMC.
9. Run the sudo ./splencore.sh test again.
Here is where I get the error I can not fix or get past. Below you will see I'm using the pyton2.7 where the latest splunk uses python 3.7. I changed this in the .splencore.sh pybin var because I saw others stating 2.7 was needed. It however didn't fix anything for me.
ERROR:root:code for hash sha1 was not found.
Traceback (most recent call last):
File "/opt/splunk/lib/python2.7/hashlib.py", line 147, in <module>
globals()[__func_name] = __get_hash(__func_name)
File "/opt/splunk/lib/python2.7/hashlib.py", line 97, in __get_builtin_constructor
raise ValueError('unsupported hash type ' + name)
ValueError: unsupported hash type sha1
Traceback (most recent call last):
File "./estreamer/preflight.py", line 34, in <module>
import estreamer.crossprocesslogging
File "/opt/splunk/etc/apps/TA-eStreamer/bin/encore/estreamer/__init__.py", line 28, in <module>
from estreamer.connection import Connection
File "/opt/splunk/etc/apps/TA-eStreamer/bin/encore/estreamer/connection.py", line 23, in <module>
import ssl
File "/opt/splunk/lib/python2.7/ssl.py", line 98, in <module>
import _ssl # if we can't import it, let the error propagate
ImportError: libssl.so.1.0.0: cannot open shared object file: No such file or directory
Any help would be appreciated. I've rebuilt this thing so many times and tried everything I can think of.
I've been having the same issue, slightly different error, but the same "ImportError: libssl.so.1.0.0: cannot open shared object file: No such file or directory" at the end.
try setting the LD_LIBRARY_PATH, https://www.cisco.com/c/en/us/td/docs/security/firepower/670/api/eStreamer_enCore/eStreamereNcoreSpl... - section 4.3