Cisco eStreamer eNcore for Splunk: Status Continually "stopped"

sdtruesdale
Engager

Hello,

I recently installed the new Cisco eStreamer eNcore Add-on for Splunk and I am having an issue. I installed the TA on the heavy forwarder per the Cisco documentation. However, I am not ingesting logs, and according to the quick query (sourcetype="cisco:estreamer:status") the eNcore TA is in a stopped status (see screenshot below):


As well, with another query (sourcetype=cisco:estreamer:log) it seems there is a communication issue between the TA and the Cisco Firepower Management Center (see screenshot below):


Can anyone assist me as to why the eNcore TA is not starting and/or there are communication issues with the FMC? I have verified it is enabled and configured on both the Splunk side and the Cisco Firepower Management Center, which, by the way, is on version 6.2.0.1. I verified the certificate file is in place, generated on the Cisco Firepower Management Center, and the password is correct.

Thanks in advance!

molinarf
Communicator

There was no answer to this and I am having a similar problem. In /opt/splunk/etc/apps/TA-eStreamer/bin/encore there are two conf files. The first is default.conf and the second is estreamer.conf. In the file estreamer.conf, I made sure of the server information under subscription, which is at the bottom of the file.
I entered a valid IP for the line "host": "1.2.3.4" and a valid pkcsFilepath to where the client.pkcs12 certificate is.
I still had problems with the estreamer being stopped.
The default one has the same information and I can't get the estreamer to start. So I input the same information into default.conf and estreamer still isn't working.

I hope someone has an answer to this problem.


sastrach
Path Finder

This error means that the TA has not been configured yet. Specifically, if the config file has an FMC host which is either empty or = "1.2.3.4" then that will result in this error.

Have you run through the setup screen from Manage Apps > Cisco eStreamer eNcore for Splunk > Setup?

If so - did you get any errors? If not, give that a go.

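A small configuration check, added here as an example and not part of the TA or any poster's code: it parses the estreamer.conf JSON and flags exactly the conditions sastrach describes (an empty FMC host or the unchanged "1.2.3.4" placeholder), plus a pkcsFilepath that is blank or does not exist on disk. The key layout (subscription.servers[].host and pkcsFilepath) is assumed from the thread, and the sample config is constructed.

```python
import json
import os

PLACEHOLDER_HOST = "1.2.3.4"  # the shipped placeholder value named in the thread


def find_server_problems(config, check_files=True):
    """Return a list of problems that would leave eNcore in the 'stopped' state.

    Assumed layout: config["subscription"]["servers"] is a list of dicts with
    "host" and "pkcsFilepath" keys. check_files=False skips the on-disk test so
    the function can be run against a config from another machine.
    """
    problems = []
    servers = config.get("subscription", {}).get("servers", [])
    if not servers:
        problems.append("no servers configured under subscription.servers")
    for i, srv in enumerate(servers):
        host = (srv.get("host") or "").strip()
        if not host:
            problems.append(f"server {i}: host is empty")
        elif host == PLACEHOLDER_HOST:
            problems.append(f"server {i}: host still set to placeholder {PLACEHOLDER_HOST}")
        path = (srv.get("pkcsFilepath") or "").strip()
        if not path:
            problems.append(f"server {i}: pkcsFilepath is empty")
        elif check_files and not os.path.isfile(path):
            problems.append(f"server {i}: pkcsFilepath {path} does not exist")
    return problems


def check_config_file(path, check_files=True):
    """Load a JSON estreamer.conf from disk and report its problems."""
    with open(path) as fh:
        return find_server_problems(json.load(fh), check_files=check_files)


# Constructed sample mirroring the unconfigured state described in the thread.
UNCONFIGURED = {
    "subscription": {
        "servers": [
            {"host": "1.2.3.4",
             "pkcsFilepath": "/opt/splunk/etc/apps/TA-eStreamer/bin/encore/client.pkcs12"}
        ]
    }
}

if __name__ == "__main__":
    for problem in find_server_problems(UNCONFIGURED, check_files=False):
        print("PROBLEM:", problem)
```

Run it against the real file with check_config_file("/opt/splunk/etc/apps/TA-eStreamer/bin/encore/estreamer.conf"); an empty list means the fields sastrach mentions are at least filled in.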