Cisco eStreamer eNcore issues

Communicator

New issue for me after getting back to try and make this work.

1) I am not able to get splencore.sh to start. It fails when trying to process the pkcs12 file, saying that there is a possible password problem. I am not using any password.
2) No configuration log is generated.

Currently using Splunk 7.1.3 and FMC 6.2.3.5

Builder

We have a developer looking at outstanding issues currently.

CLI version 3.5.4 is here BTW: https://github.com/CiscoSecurity/fp-05-firepower-cef-connector-arcsight

Communicator

The more I dig, it seems that eStreamer (splencore.sh) is assuming that the server is running Python 2.7 in its OS, rather than picking it up from Splunk. When I looked at the script, in the init section it actually goes out and looks for Python 2.7: pythonVersion=`$pybin -V 2>&1 | grep "Python 2.7"`. However, that may not actually get it to use the Python 2.7 located in /opt/splunk/bin. Is there a way to change the variable pybin="python" to the actual location of Splunk's python? Then it might work.

Communicator

lakshman,

I tried what you posted. This is what it now looks like

basepath="$SPLUNK_HOME/etc/apps/TA-eStreamer/bin/encore"
datafilepath="$SPLUNK_HOME/etc/apps/TA-eStreamer/data"
isRunning=0

I modified the clean statement so that it looks like what you have.

I still ended up with the same error: "/etc/apps/TA-eStreamer/bin/encore" does not exist

I had updated to TA-eStreamer 3.5.4 hoping that the problem would clear, but it doesn't.
Today, I will try to update Splunk to 7.2.1 hoping for better results, but not holding my breath.

Let me know if I did anything wrong. I can provide the splencore.sh file if you would like to see it.

Thanks for the help.

SplunkTrust

I had seen a similar issue with TA-eStreamer v3.0. So, I fixed the issue by updating the splencore.sh file [DougHard can review and add to the next version of the TA]. It seems the script is unable to resolve the path, so I had to update them explicitly.

basepath="$SPLUNK_HOME/etc/apps/TA-eStreamer/bin/encore"
datafilepath="$SPLUNK_HOME/etc/apps/TA-eStreamer/data"

Also, in the clean() stanza, I had to update it to keep the files within the available disk space:

clean() {
    # configure retention period as needed (files older than 120 minutes are removed)
    # $datafilepath is the absolute data directory set at the top of the script,
    # so this no longer depends on the current working directory being bin/encore
    if [ -n "$(ls -A "$datafilepath")" ]
    then
        find "$datafilepath" -name 'encore*.log' -type f -mmin +120 -delete
    fi
}

Hope this helps.

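The two posts above (the Python 2.7 detection in the init section and the basepath/clean() fixes) boil down to three checks that splencore.sh makes fragile assumptions about: that $SPLUNK_HOME is exported, that "python" on PATH is 2.7, and that the script is run from bin/encore when clean() uses a relative path. The script below is an added example written for this thread, not code from the TA-eStreamer package or from Cisco; it assumes the TA layout the thread describes ($SPLUNK_HOME/etc/apps/TA-eStreamer with bin/encore and data/encore*.log) and a 120-minute retention window, and all function names are illustrative.

```shell
#!/bin/sh
# Added example (not part of TA-eStreamer): resolve the eNcore paths without
# trusting $SPLUNK_HOME or the current directory, verify the interpreter is
# 2.7, and prune old data files. Layout and retention window are assumptions.

# Print the Splunk home directory. Prefer an exported, existing $SPLUNK_HOME;
# otherwise walk up from the script's own directory
# (bin -> TA-eStreamer -> apps -> etc -> SPLUNK_HOME), which also works when
# the script is started from cron with an empty environment.
resolve_splunk_home() {
    script_path=$1
    if [ -n "$SPLUNK_HOME" ] && [ -d "$SPLUNK_HOME" ]; then
        printf '%s\n' "$SPLUNK_HOME"
        return 0
    fi
    script_dir=$(cd "$(dirname "$script_path")" && pwd) || return 1
    (cd "$script_dir/../../../.." && pwd)
}

# Print the absolute eNcore directory, or fail with a message that shows the
# expanded path and the state of SPLUNK_HOME, instead of the misleading
# '"/etc/apps/TA-eStreamer/bin/encore" does not exist' seen in the thread
# (that message is what you get when $SPLUNK_HOME expands to nothing).
resolve_basepath() {
    home=$(resolve_splunk_home "$1") || return 1
    basepath="$home/etc/apps/TA-eStreamer/bin/encore"
    if [ ! -d "$basepath" ]; then
        echo "basepath \"$basepath\" does not exist (SPLUNK_HOME=${SPLUNK_HOME:-unset})" >&2
        return 1
    fi
    printf '%s\n' "$basepath"
}

# Return 0 only for a 2.7.x interpreter. Takes the text of 'python -V'
# (Python 2 writes it to stderr, hence the 2>&1 in the caller) so the check
# itself can be tested without an interpreter.
version_is_27() {
    case $1 in
        "Python 2.7"|"Python 2.7."*) return 0 ;;
        *) return 1 ;;
    esac
}

# Find a usable Python 2.7: Splunk's bundled copy first, then PATH.
# Prints the interpreter to use; fails if none of the candidates is 2.7.
find_python27() {
    home=$1
    for candidate in "$home/bin/python" python2.7 python2 python; do
        if command -v "$candidate" >/dev/null 2>&1; then
            if version_is_27 "$("$candidate" -V 2>&1)"; then
                printf '%s\n' "$candidate"
                return 0
            fi
        fi
    done
    return 1
}

# Delete encore*.log files in the data directory older than $2 minutes.
# Uses an absolute directory plus -name, so it never globs outside the data
# directory and does not depend on being run from bin/encore.
clean_old_logs() {
    data_dir=$1
    minutes=$2
    [ -d "$data_dir" ] || return 1
    find "$data_dir" -maxdepth 1 -type f -name 'encore*.log' -mmin "+$minutes" -delete
}

# Stand-alone use: sh ./this.sh test  (run from the TA's bin directory)
if [ "$1" = "test" ]; then
    home=$(resolve_splunk_home "$0") && echo "SPLUNK_HOME -> $home"
    resolve_basepath "$0" >/dev/null && echo "basepath OK"
    find_python27 "$home" || echo "no Python 2.7 found"
    clean_old_logs "$home/etc/apps/TA-eStreamer/data" 120
fi
```

If you drop the helpers into splencore.sh, replace the hard-coded basepath="$SPLUNK_HOME/..." line with basepath=$(resolve_basepath "$0") || exit 1 and pybin=$(find_python27 "$home") || exit 1, and the script will tell you which of the two assumptions actually failed instead of reporting a path with the prefix missing.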
Communicator

lakshman

After all that, I decided to change the relative path "$SPLUNK_HOME/etc/apps/TA-eStreamer/bin/encore" to the explicit path "/opt/splunk/etc/apps/TA-eStreamer/bin/encore" and I was able to run the test, even though it failed. Unfortunately, it started with this message: "This software is currently only compatible with Python 2.7. You are running 2.6.6." I have Splunk running on RHEL 6.9. It started the diagnostic portion anyway, and when it wanted the password for the client.pkcs12, there was this message:

/opt/splunk/etc/apps/TA-eStreamer/bin/encore/estreamer/crossprocesslogging/baseClient.py:35: DeprecationWarning: BaseException.message has been deprecated as of Python 2.6

Any ideas?

Builder

You have to set $SPLUNK_HOME to the path where Splunk is installed (usually /opt/splunk; it depends on the OS).

Is this where splunk is installed? Did you move to Python 2.7?

SplunkTrust

Try to upgrade to Python 2.7 and go through the operations guide to ensure you meet all the prerequisites: https://community.cisco.com/t5/security-documents/estreamer-encore-operations-guide-3-0/ta-p/3193939

Communicator

I have returned to working on this issue. I am now running Splunk 7.2.0 and FMC 6.3. I uninstalled eStreamer eNcore and reinstalled it. I used 3.5.3. I still have the same issue when trying to get eNcore to work. I did notice, when I was using the CLI, something different that may be a reason why this is failing. When I ran ./splencore.sh test, the error was "/etc/apps/TA-eStreamer/bin/encore" does not exist. I can see the directory. I opened up the file and found that line 12 establishes the variable for basepath="$SPLUNK_HOME/etc/apps/TA-eStreamer/bin/encore".

These are lines 25-32:

init() {
    # change pwd
    if [ -d $basepath ]
    then
        cd $basepath

    else
        echo "\"$basepath\" does not exist"
        exit $EXIT_CODE_ERROR

The above if/else statements are also found in the configure.sh script.

Anyone have any ideas how to correct this?

Thank you.

Builder

Did you get past the password issue? You need to authenticate the TA with the FMC or it will not work.

Communicator

Update: I am now running Splunk 7.2.0.