
Cisco eStreamer eNcore for Splunk: Status Continually "stopped"

sdtruesdale
Engager

Hello,

I recently installed the new Cisco eStreamer eNcore Add-on for Splunk and I am having an issue. I installed the TA on the heavy forwarder per the Cisco documentation. However, I am not ingesting logs, and according to the quick query (sourcetype="cisco:estreamer:status") the eNcore TA is in a stopped status (see screenshot below):

[screenshot: eNcore status query result]

As well, with another query (sourcetype=cisco:estreamer:log) it seems there is a communication issue between the TA and the Cisco Firepower Management Center (see below screenshot):

[screenshot: eNcore log query result]

Can anyone assist me as to why the encore TA is not starting and/or there are communication issues with the FMC? I have verified it is enabled, and configured on both the Splunk side and the Cisco Firepower Management Center, which by-the-way is on version 6.2.0.1. I verified the certificate file is in place, generated on the Cisco Firepower Management Center, and the password is correct.

Thanks in advance!

molinarf
Communicator

There was no answer to this and I am having a similar problem. In /opt/splunk/etc/apps/TA-eStreamer/bin/encore there are two conf files. The first is default.conf and the second is estreamer.conf. In the file estreamer.conf, I checked the server information under subscription, which is at the bottom of the file.
I entered a valid IP for the line "host": "1.2.3.4" and a valid pkcsFilepath pointing to where the client.pkcs12 certificate is.
I still had problems with the estreamer being stopped.
The default one has the same information and I can't get the estreamer to start. So I input the same information into the default.conf and estreamer still isn't working.

I hope someone has an answer to this problem.


sastrach
Path Finder

This error means that the TA has not been configured yet. Specifically, if the config file has an FMC host which is either empty or set to "1.2.3.4", then that will result in this error.

Have you run through the setup screen from Manage Apps > Cisco eStreamer eNcore for Splunk > Setup?

If so - did you get any errors? If not, give that a go.

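A quick way to confirm the point made in the answer above is to lint the subscription block of estreamer.conf before starting the TA, so a still-placeholder host or a missing PKCS#12 file is caught up front rather than discovered as a "stopped" status. The check below is an added example and is not part of Cisco's eNcore add-on or of this thread; the key names "subscription", "servers", "host", "port" and "pkcs12Filepath" are assumed from the add-on's default configuration layout and the sample conf text is constructed, so adjust them if your file differs. The file-existence check is injectable (`exists`) so the logic can be exercised without touching the filesystem.

```python
import json
import os

# Constructed sample estreamer.conf fragments (key names assumed from the
# add-on's default file; not copied from the real product).
SAMPLE_UNCONFIGURED = """
{
  "subscription": {
    "servers": [
      { "host": "1.2.3.4", "port": 8302, "pkcs12Filepath": "client.pkcs12" }
    ]
  }
}
"""

SAMPLE_CONFIGURED = """
{
  "subscription": {
    "servers": [
      { "host": "fmc.example.internal", "port": 8302,
        "pkcs12Filepath": "/opt/splunk/etc/apps/TA-eStreamer/bin/encore/client.pkcs12" }
    ]
  }
}
"""

# Values that mean "nobody filled this in yet"; 1.2.3.4 is the shipped placeholder.
PLACEHOLDER_HOSTS = {"", "1.2.3.4"}


def check_servers(conf_text, base_dir="/opt/splunk/etc/apps/TA-eStreamer/bin/encore",
                  exists=os.path.isfile):
    """Return a list of findings for the subscription.servers block.

    An empty list means every server entry has a real host, a sane port and a
    PKCS#12 file that can be found. Relative pkcs12 paths are resolved against
    base_dir, which defaults to the add-on's bin/encore directory mentioned
    in the thread.
    """
    findings = []
    try:
        conf = json.loads(conf_text)
    except json.JSONDecodeError as exc:
        return [f"estreamer.conf is not valid JSON: {exc}"]

    servers = conf.get("subscription", {}).get("servers", [])
    if not servers:
        return ["no servers listed under subscription.servers"]

    for idx, srv in enumerate(servers):
        host = str(srv.get("host", "")).strip()
        if host in PLACEHOLDER_HOSTS:
            findings.append(f"server[{idx}]: host is empty or still the placeholder 1.2.3.4")

        port = srv.get("port")
        if not isinstance(port, int) or not 1 <= port <= 65535:
            findings.append(f"server[{idx}]: port {port!r} is not a valid TCP port")

        pkcs = str(srv.get("pkcs12Filepath", "")).strip()
        if not pkcs:
            findings.append(f"server[{idx}]: pkcs12Filepath is not set")
            continue
        path = pkcs if os.path.isabs(pkcs) else os.path.join(base_dir, pkcs)
        if not exists(path):
            findings.append(f"server[{idx}]: pkcs12 file not found at {path}")

    return findings


if __name__ == "__main__":
    # Run against the constructed samples; the unconfigured one should fail.
    for name, text in (("unconfigured", SAMPLE_UNCONFIGURED),
                       ("configured", SAMPLE_CONFIGURED)):
        problems = check_servers(text)
        print(f"{name}: {'OK' if not problems else ''}")
        for p in problems:
            print("  -", p)
```

Run it on the heavy forwarder after filling in estreamer.conf; if it reports the placeholder host or a missing PKCS#12 file, that is the same condition the status query surfaces as "stopped", and the Setup page in Manage Apps is the supported way to fill those values in.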