Hello,
I recently installed the new Cisco eStreamer eNcore Add-on for Splunk and I am having an issue. I installed the TA on the heavy forwarder per the Cisco documentation. However, I am not ingesting logs, and according to the quick query (sourcetype="cisco:estreamer:status") the eNcore TA is in a stopped status (see screenshot below):
As well, with another query (sourcetype=cisco:estreamer:log) it seems there is a communication issue between the TA and the Cisco Firepower Management Center (see below screenshot):
Can anyone assist me as to why the eNcore TA is not starting and/or there are communication issues with the FMC? I have verified it is enabled and configured on both the Splunk side and the Cisco Firepower Management Center, which by the way is on version 6.2.0.1. I verified the certificate file is in place, generated on the Cisco Firepower Management Center, and the password is correct.
Thanks in advance!
There was no answer to this and I am having a similar problem. In /opt/splunk/etc/apps/TA-eStreamer/bin/encore there are two conf files. The first is default.conf and the second is estreamer.conf. In the file estreamer.conf, I made sure to set the server information under subscription, which is at the bottom of the file.
I entered a valid IP for the line "host": "1.2.3.4" and a valid pkcsFilepath pointing to where the client.pkcs12 certificate is.
I still had problems with the estreamer being stopped.
The default one has the same information and I can't get the estreamer to start. So I input the same information into the default.conf and estreamer still isn't working.
I hope someone has an answer to this problem.
This error means that the TA has not been configured yet. Specifically, if the config file has an FMC host which is either empty or still set to "1.2.3.4", then that will result in this error.
Have you run through the setup screen from Manage Apps > Cisco eStreamer eNcore for Splunk > Setup?
If so, did you get any errors? If not, give that a go.
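As an added example (not part of this thread or of the eNcore add-on itself), a small pre-flight check that applies the rule from the answer above: it reads the JSON text of estreamer.conf and reports a host that is empty or still the "1.2.3.4" placeholder, a missing or absent pkcs12 file, and a bad port. The key names "subscription", "servers", "pkcs12Filepath" and "port", and the sample configs, are assumptions constructed for the example.

```python
import json
from pathlib import Path

# Placeholder host shipped in the default config; the TA treats it as "not configured".
PLACEHOLDER_HOST = "1.2.3.4"


def check_subscription(conf_text: str, check_files: bool = True) -> list[str]:
    """Return a list of problems found in the subscription block of estreamer.conf.

    An empty list means the block passed every check. Key names below are assumed.
    """
    problems: list[str] = []
    try:
        conf = json.loads(conf_text)
    except json.JSONDecodeError as exc:
        return [f"estreamer.conf is not valid JSON: {exc}"]

    servers = conf.get("subscription", {}).get("servers", [])
    if not servers:
        return ["no servers defined under subscription"]

    for i, srv in enumerate(servers):
        host = (srv.get("host") or "").strip()
        if not host or host == PLACEHOLDER_HOST:
            problems.append(f"server {i}: FMC host is empty or still the placeholder {PLACEHOLDER_HOST!r}")

        pkcs = srv.get("pkcs12Filepath") or ""
        if not pkcs:
            problems.append(f"server {i}: no pkcs12Filepath set")
        elif check_files and not Path(pkcs).is_file():
            # The client certificate generated on the FMC must be present on the forwarder.
            problems.append(f"server {i}: pkcs12 file not found: {pkcs}")

        port = srv.get("port")
        if not isinstance(port, int) or not 1 <= port <= 65535:
            problems.append(f"server {i}: invalid port {port!r}")
    return problems


# Constructed sample configs for demonstration (not the add-on's shipped files).
SAMPLE_UNCONFIGURED = json.dumps({"subscription": {"servers": [
    {"host": "1.2.3.4", "pkcs12Filepath": "", "port": 8302}]}})
SAMPLE_CONFIGURED = json.dumps({"subscription": {"servers": [
    {"host": "192.0.2.10", "pkcs12Filepath": "/opt/splunk/etc/apps/TA-eStreamer/bin/encore/client.pkcs12",
     "port": 8302}]}})

if __name__ == "__main__":
    for name, text in (("unconfigured", SAMPLE_UNCONFIGURED), ("configured", SAMPLE_CONFIGURED)):
        print(name, check_subscription(text, check_files=False) or "OK")
```

Run it against the real file with `check_subscription(Path("estreamer.conf").read_text())` so the certificate path is also verified on disk.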