
Cisco eStreamer eNcore for Splunk: Status Continually "stopped"

sdtruesdale
Engager

Hello,

I recently installed the new Cisco eStreamer eNcore Add-on for Splunk and I am having an issue. I installed the TA on the heavy forwarder per the Cisco documentation. However, I am not ingesting logs and according to the quick query (sourcetype="cisco:estreamer:status") the eNcore TA is in a stopped status (see screenshot below):

[screenshot: results of the cisco:estreamer:status query showing the TA as "stopped"]

As well, with another query (sourcetype=cisco:estreamer:log) it seems there is a communication issue between the TA and the Cisco Firepower Management Center (see below screenshot):

[screenshot: results of the cisco:estreamer:log query showing the communication error]

Can anyone assist me as to why the eNcore TA is not starting and/or there are communication issues with the FMC? I have verified it is enabled and configured on both the Splunk side and the Cisco Firepower Management Center, which by the way is on version 6.2.0.1. I verified the certificate file is in place, generated on the Cisco Firepower Management Center, and the password is correct.

Thanks in advance!

molinarf
Communicator

There was no answer to this and I am having a similar problem. In /opt/splunk/etc/apps/TA-eStreamer/bin/encore there are two conf files. The first is default.conf and the second is estreamer.conf. In the file estreamer.conf, I checked the server information under subscription, which is at the bottom of the file.
I entered a valid IP for the line "host": "1.2.3.4" and a valid pkcsFilepath pointing to where the client.pkcs12 certificate is.
I still had problems with the estreamer being stopped.
The default one has the same information and I can't get the estreamer to start. So I input the same information into the default.conf and estreamer still isn't working.

I hope someone has an answer to this problem.


sastrach
Path Finder

This error means that the TA has not been configured yet. Specifically, if the config file has an FMC host which is either empty or = "1.2.3.4" then that will result in this error.

Have you run through the setup screen from Manage Apps > Cisco eStreamer eNcore for Splunk > Setup?

If so - did you get any errors? If not, give that a go.

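The diagnosis in this answer (an empty or still-placeholder "host" leaves the TA in "stopped") can be checked before restarting the TA. The script below is an added example, not part of the eNcore add-on or Cisco's code; it assumes estreamer.conf is JSON with a "subscription" section holding a list of "servers", each with the "host" and "pkcsFilepath" keys named in this thread, which is an assumption based on the thread rather than a verified eNcore schema.

```python
import json
import os

# Placeholder host the unconfigured TA ships with, per this thread.
PLACEHOLDER_HOST = "1.2.3.4"


def check_subscription(conf_text, path_exists=os.path.exists):
    """Return a list of problems found in the 'subscription' section of an
    estreamer.conf-style JSON document; an empty list means the checks passed.
    Assumed layout: subscription -> servers -> [{host, pkcsFilepath}, ...].
    path_exists is injectable so the checks can run without the real file."""
    problems = []
    try:
        conf = json.loads(conf_text)
    except ValueError as exc:
        return [f"estreamer.conf is not valid JSON: {exc}"]
    sub = conf.get("subscription")
    if not isinstance(sub, dict):
        return ["no 'subscription' section found"]
    servers = sub.get("servers")
    if not servers:
        return ["'subscription' has no servers configured"]
    for i, server in enumerate(servers):
        host = (server.get("host") or "").strip()
        if not host:
            problems.append(f"server {i}: 'host' is empty")
        elif host == PLACEHOLDER_HOST:
            problems.append(f"server {i}: 'host' is still the placeholder {PLACEHOLDER_HOST}")
        pkcs = server.get("pkcsFilepath") or ""
        if not pkcs:
            problems.append(f"server {i}: 'pkcsFilepath' is empty")
        elif not path_exists(pkcs):
            problems.append(f"server {i}: certificate file not found: {pkcs}")
    return problems


# Constructed samples (not real configs): the shipped placeholder, and a
# filled-in version. The certificate path is the directory named in the thread.
CERT = "/opt/splunk/etc/apps/TA-eStreamer/bin/encore/client.pkcs12"
UNCONFIGURED = json.dumps({"subscription": {"servers": [
    {"host": "1.2.3.4", "pkcsFilepath": CERT}]}})
CONFIGURED = json.dumps({"subscription": {"servers": [
    {"host": "10.0.0.20", "pkcsFilepath": CERT}]}})

if __name__ == "__main__":
    # path_exists is stubbed so the demo runs on a machine without the file.
    print("unconfigured:", check_subscription(UNCONFIGURED, path_exists=lambda p: True))
    print("configured:  ", check_subscription(CONFIGURED, path_exists=lambda p: True))
```

On a real heavy forwarder, call check_subscription with the file contents and the default path_exists so the certificate path is actually verified.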