
How to configure a second instance of Cisco eStreamer for Splunk?

ChangSeun
Engager

Hi,

I have several Defense Centers (without a Master Defense Center) and therefore I am trying to run multiple instances of Cisco eStreamer for Splunk on my Splunk server to interface with all my DCs.

Here's what I did:

So far I have duplicated the original eStreamer app directory under a different name, like "eStreamer2". I edited local/estreamer.conf with the correct IP and pks path.

I have created a new index associated with the eStreamer2 app so I can search logs related to a specific DC. The index looks in the $SPLUNK_HOME/etc/apps/eStreamer2/log folder for logs.

I changed the index field in default/inputs.conf to the name of the index created before, changed the path in the monitor section and left everything else the same.

I changed the paths in default/indexes.conf to match the newly created index name.

I changed the definition field in default/macros.conf to match the newly created index name.

I start the client by running the command estreamer_client.pl -c /opt/splunk/etc/apps/eStreamer2/local/estreamer.conf.

I see logs flowing in the CLI, but nothing is populating the $SPLUNK_HOME/etc/apps/eStreamer2/log folder, so the logs are not indexed.

What did I forget? Where do you tell the script which path to put the logs in?

Regards,

0 Karma

douglashurd
Builder

The Splunk TA only supports a single FMC per instance. There are plans to make it more HA friendly supporting a primary and secondary with event de-duplication but that is not committed to a specific date yet.

You need to run a separate instance for each FMC for now.

0 Karma

douglashurd
Builder

This new version will support multiple FMCs. See below:

A new Splunk Firepower solution is now available if you are using Firepower version 6.x. You can download the new eStreamer eNcore for Splunk and the separately installable dashboard from the two links below:

eStreamer eNcore
https://splunkbase.splunk.com/app/3662/

eNcore Dashboard
https://splunkbase.splunk.com/app/3663/

It is free to use and well documented but if you would like to purchase a TAC Support service so that you can obtain installation and configuration assistance and troubleshooting you can order the software from Cisco (support obligatory with this purchase). The Product Identifier is: FP-SPLUNK-SW-K9.

Regardless of whether you take up the support option or not, updated versions will be made available to all free of charge and posted on Splunkbase as well as Cisco Downloads.

0 Karma

sshukla2505
New Member

@Douglashurd - Hello. I went through the specifics of "Cisco eStreamer eNcore Add-On for Splunk" to find out how I can connect multiple FMCs, but to my bad, I couldn't get one. Please could you assist me with any possible procedure or explanation of how to achieve this.

0 Karma

ChangSeun
Engager

Not really a solution but a workaround: start the eStreamer client with this command, from your /opt/splunk/etc/apps/eStreamer2/bin folder:

estreamer_client.pl -c /opt/splunk/etc/apps/eStreamer2/local/estreamer.conf -d -l /opt/splunk/etc/apps/eStreamer2/log/eStreamer2.log

  • -d to start the client as a daemon (so it doesn't get killed when your session ends).
  • -l with path/to/log/directory/file_name_format.log

Put that in rc.d or launch it manually and it should do it until a better solution is found.

Regards,

0 Karma

thambisetty_bal
Path Finder

Thanks for your workaround.

I would like to override the log path of estreamer. I have executed the command below:

/opt/splunk/etc/apps/eStreamer/bin/estreamer_client.pl -d -c /opt/splunk/etc/apps/eStreamer/local/estreamer.conf -l /var/splunk/eStreamer/log/estreamer.log

The above creates a new process, and the old process is still executing and storing the logs in the old path.

Please let me know how to replace the old process with the new process that has the new log file path.

0 Karma

ChangSeun
Engager

Hi, so, if you already changed the path in the conf files, I guess you just need to kill the old process and start the new one with the workaround. You'll need to repeat the operation every time you restart Splunk, though, or script it.

0 Karma

ChangSeun
Engager

@douglashurd do you have any idea how to change the path where the perl script puts the log files? Changing it from the eStreamer app folder to the eStreamer2 app folder.

0 Karma