Cisco eStreamer for Splunk: How to resolve errors such as "INET6 configuration failederror:140E0197:SSL routines:SSL_shutdown"?

Builder

We are running Cisco eStreamer for Splunk version 2.2.2. We are currently seeing an issue with the eStreamer client on an Ubuntu 16.04 system running Perl v5.22.1.

Every time we restart Splunk we get a few events and then they just stop coming in. Some of the errors from the debug log are below. This error is weird because we don't have IPv6 enabled:

Can't connect to 10.15.130.90 port 8302: IO::Socket::INET6 configuration failederror:140E0197:SSL routines:SSL_shutdown:shutdown while in init

We are also seeing the following, which tends to line up with exactly when events stop coming in.

Jun 23 14:55:35 [19054] Entering Event Loop
Use of uninitialized value in hash element at /opt/splunk/etc/apps/eStreamer/bin/estreamer_client.pl line 1529.
Use of uninitialized value $value in substitution (s///) at /opt/splunk/etc/apps/eStreamer/bin/estreamer_client.pl line 1716.
Use of uninitialized value $value in pattern match (m//) at /opt/splunk/etc/apps/eStreamer/bin/estreamer_client.pl line 1994.
Use of uninitialized value $value in string eq at /opt/splunk/etc/apps/eStreamer/bin/estreamer_client.pl line 1994.
Use of uninitialized value $value in concatenation (.) or string at /opt/splunk/etc/apps/eStreamer/bin/estreamer_client.pl line 1995.
Use of uninitialized value $value in substitution (s///) at /opt/splunk/etc/apps/eStreamer/bin/estreamer_client.pl line 1716.
Use of uninitialized value $value in pattern match (m//) at /opt/splunk/etc/apps/eStreamer/bin/estreamer_client.pl line 1994.
Use of uninitialized value $value in string eq at /opt/splunk/etc/apps/eStreamer/bin/estreamer_client.pl line 1994.
Use of uninitialized value $value in concatenation (.) or string at /opt/splunk/etc/apps/eStreamer/bin/estreamer_client.pl line 1995.
Jun 23 14:55:37 [18687] Waiting for more logs
Undefined subroutine &SFStreamer::verbose called at /opt/splunk/etc/apps/eStreamer/bin/lib/SFStreamer.pm line 2276.
Jun 23 14:55:38 [19054] Cleaning Up

Any help would be greatly appreciated. We have the eStreamer client running successfully on 4 other systems. 2 of those systems are running Ubuntu 12.04 and Perl v5.14.2 and the other 2 are running Ubuntu 14.04 and Perl v5.18.2.

Thank you!
Ryan

0 Karma

Builder

A new Splunk Firepower solution is now available if you are using Firepower version 6.x. You can download the new eStreamer eNcore for Splunk and the separately installable dashboard from the two links below:

eStreamer eNcore
https://splunkbase.splunk.com/app/3662/

eNcore Dashboard
https://splunkbase.splunk.com/app/3663/

It is free to use and well documented, but if you would like to purchase a TAC Support service so that you can obtain installation and configuration assistance and troubleshooting, you can order the software from Cisco (support obligatory with this purchase). The Product Identifier is: FP-SPLUNK-SW-K9.

Regardless of whether you take up the support option or not, updated versions will be made available to all free of charge and posted on Splunkbase as well as Cisco Downloads.

0 Karma