Re: Cisco eStreamer eNcore issues

molinarf · ‎10-23-2018

New issue for me after getting back to try and make this work.

1) I am not able to get splencore.sh to start. It fails at trying to process the pkcs12 file saying that there is a possible password problem. Not using any password.
2) No configuration log is generated.

Currently using Splunk 7.1.3 and FMC 6.2.3.5

douglashurd · ‎12-17-2018

We have a developer looking at outstanding issues currently.

CLI version 3.5.4 is here BTW: https://github.com/CiscoSecurity/fp-05-firepower-cef-connector-arcsight

molinarf · ‎12-17-2018

The more I dig, it seems that eStreamer (slencore.sh) is assuming that the server is running Python 2.7 in its OS, rather than picking it up from Splunk. When I have looked at the encore.sh script, in the init section, it actually goes out and looks for Python 2.7 'pythonVersion='pybin -V 2>&1 | grep "Python 2.7"'. However, that may not actually get it to use Python 2.7 located in /opt/splunk/bin. Is there a way to change the variable pybin="python" to the actual location of Splunk's python, then it might work.

molinarf · ‎12-13-2018

lakshman,

I tried what you posted. This is what it now looks like

basepath="$SPLUNK_HOME/etc/apps/TA-eStreamer/bin/encore"
datafilepath="$SPLUNK_HOME/etc/apps/TA-eStreamer/data"
isRunning=0

I modified the clean statement so that it looks like what you have.

I still ended up with the same error... "/etc/apps/TA-eStreamer/bin/encore "doesn't exist"

I had updated to TA-eStreamer 3.5.4 hoping that the problem would clear, but it doesn't.
Today, I will try to update Splunk to 7.2.1 hoping for better results, but not holding my breath.

Let me know if I did anything wrong. I can provide the splencore.sh file if you would like to see it.

Thanks for the help.

lakshman239 · ‎12-13-2018

I had seen similar issue with TA-eStreamer v3.0. So, I fixed the issue by updating the splencore.sh file: [ DougHard can review and add to next version of the TA]. It seems the script is unable to resolve the path, so I had to update them explicitly.

basepath="$SPLUNK_HOME/etc/apps/TA-eStreamer/bin/encore"
datafilepath="$SPLUNK_HOME/etc/apps/TA-eStreamer/data"

Also, on the clean() stanza, i had to update it to allow the files per available disk space

clean() {
#configure retention period as needed
if [ "$(ls -A $datafilepath)"]
then
find ../../data/encore*.log -type f -mmin +120 -delete
fi
}

Hope this helps.

molinarf · ‎12-13-2018

lakshman

After all that, I decided to change the relative path "$SPLUNK_HOME/etc/apps/TA-eStreamer/bin/encore" to the explicit path "/opt/splunk/etc/apps/TA-eStreamer/bin/encore" and I was able to run the test even through it failed. Unfortunately, it started with this message: "This software is currently only compatible with Pyhon 2.7. You are running 2.6.6. I have Splunk running on RHEL 6.9 It started the diagnostic portion anyway, and when it wanted the password for the client.pkcs12, there was this message:
/opt/splunk/etc/apps/TA-eStreamer/bin/encore/estreamer/crossprocesslogging/baseClient.py:35: DeprecationWarning: BaseExceptionmessage has been deprecated as of Python 2.6.

Any ideas?

douglashurd · ‎02-06-2019

you have to set $SPLUNK_HOME to the path of where splunk is installed (usually opt/splunk, depends on OS)

Is this where splunk is installed? Did you move to Python 2.7?

lakshman239 · ‎12-13-2018

try to upgrade to python 2.7 and go through operations guide to ensure you meet all pre-reqs. https://community.cisco.com/t5/security-documents/estreamer-encore-operations-guide-3-0/ta-p/3193939

molinarf · ‎12-12-2018

I have returned to working on this issue. I am now running Splunk 7.2.0 and FMC 6.3. I uninstalled eStreamer eNcore and reinstalled. I used 3.5.3. I still have the same issue when trying to get eNcore to work. I did notice when I was using the CLI something different that may be a reason why this is failing. When I ran ./splencore.sh test, the error "/etc/apps/TA-eStreamer/bin/encore "doesn't exist". I can see the directory. I opened up the file and found that line 12 establishes the variable for basepath="$SPLUNk_HOME/et/apps/TA-eStreamer/bin/encore".

This is lines 25-32
init() {
# change pwd
if [ -d $basepath ]
then
cd $basepath

else
echo "\"$basepath\" does not exist"
exit $EXIT_CODE_ERROR

The above if/else statements are also found in the configure.sh script.

Anyone have any ideas how to correct this?

Thank you.

douglashurd · ‎11-07-2018

Did you get past the password issue? You need authenticate the TA with the FMC or it will not work.

molinarf · ‎10-24-2018

update: I am now running Splunk 7.2.0.

plymalebl · ‎12-02-2022

I know this is an old thread, but just ran into this in my own instance running Splunk 8.2.8 and Cisco eStreamer eNcore for Splunk (3.7.4). The problem is that in the encore.conf file it is using a different file path than what is in the splencore.sh for datapath. That is why the clean-up script isn't working properly.

"uri": "relfile:///../../data/encore.{0}.log" } } ],

The file location is different than what is in the default.conf and is causing it to save data in the full path of $SPLUNK_HOME/etc/apps/TA-eStreamer/data rather than the clean hardcoded path in the app of /opt/splunk/etc/apps/TA-eStreamer/bin/encore/data

Hopefully this will help someone else get their system cleaning data properly. Either adjust the value in encore.conf or adjust the clean path in splencore.sh to the appropriate location.

Cisco eStreamer eNcore issues

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Adoption of RUM and APM at Splunk