I have installed the eStreamer for Splunk app and configured it. The PKCS12 certificate is applied, all Perl modules are installed. The estreamer.pl ran without errors. The app itself is configured to reach the Defense Center and I have tested the network connection between the Defense Center and the Splunk server. Everything is working. I enabled the client and restarted Splunk and now I get the following client status:
"ERROR: Problems starting the eStreamer client"
I have rechecked all my settings and have not found a reason why the client will not start. Has anyone else encountered this issue?
A new Splunk Firepower solution is now available if you are using Firepower version 6.x. You can download the new eStreamer eNcore for Splunk and the separately installable dashboard from the two links below:
eStreamer eNcore
https://splunkbase.splunk.com/app/3662/
eNcore Dashboard
https://splunkbase.splunk.com/app/3663/
It is free to use and well documented, but if you would like to purchase a TAC Support service so that you can obtain installation and configuration assistance and troubleshooting, you can order the software from Cisco (support is obligatory with this purchase). The Product Identifier is: FP-SPLUNK-SW-K9.
Regardless of whether you take up the support option or not, updated versions will be made available to all free of charge and posted on Splunkbase as well as Cisco Downloads.
eStreamer for Splunk 1.0.4 should be getting released shortly. The big change in this version is that the error messages produced by the client will be represented in the Client Status messages in the Splunk UI. This should definitely make debugging the root cause of a configuration issue easier. Keep an eye out, folks!
Thanks, the_wolverine. I already had that installed in this case.
It turns out the PKCS12 must have had the password entered incorrectly. So we reissued it, changed the permissions on the estreamer.conf to 777 and installed the PKCS12 in the /eStreamer/bin location, restarted Splunk and the status changed to started. Now the logs are coming in.
I tried putting the cert in a custom directory - no luck. Followed your suggestion to put cert inside $SPLUNK_HOME/etc/apps/eStreamer/bin and changing permission - worked great! In my opinion the docs should just state to put it there. Appreciate you making this public. Thank you!
I agree. It took a bit of digging to even get to that. The error messages should indicate the root cause.
If the password is incorrect, I think you should see errors to that effect. If not, then the script should be updated. As it stands, it seems the app could use some modifications to improve the user experience.
We encountered this issue after installing the eStreamer app and discovered that we were missing the NetAddr::IP module (which is currently an undocumented dependency):
Download the following package and install per the instructions: http://search.cpan.org/CPAN/authors/id/M/MI/MIKER/NetAddr-IP-4.072.tar.gz
Also, manually running the estreamer script at the CLI will give you additional hints as to what exactly the issue is.
Unfortunately the 'SFPkcs12 : Unable to get certificate' error message is an error coming out of the Sourcefire SDK code that is somewhat vague. It usually means the cert password used is incorrect.
The Help in 1.0.4 (being released soon), as well as the documentation on the Splunk app portal, now includes the module in the list of dependencies. Sorry for the trouble.
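The three root causes surfaced in this thread (a PKCS12 whose password does not match, a certificate placed outside the app's bin directory, and a missing Perl module such as NetAddr::IP) all collapse into the same generic "Problems starting the eStreamer client" status or the vague "SFPkcs12 : Unable to get certificate" message. The script below is an added pre-flight check written for this page; it is not part of the eStreamer for Splunk app or of any poster's setup. It assumes the app directory is $SPLUNK_HOME/etc/apps/eStreamer, that the PKCS12 filename and its password are supplied by the caller, and that openssl and perl are on PATH. The list of Perl modules to check is a placeholder seeded with the one named in the thread; extend it from the app's own dependency list.

```shell
#!/bin/sh
# Pre-flight checks for the eStreamer for Splunk client.
# Added example for this thread, not code from the app. Assumptions: the app lives in
# $SPLUNK_HOME/etc/apps/eStreamer, the caller passes the PKCS12 path and password,
# and openssl and perl are available on PATH.

# Return 0 if the PKCS12 file opens with the given password, 1 otherwise.
# "openssl pkcs12 -noout" verifies the file MAC against the password without writing
# any keys or certs, so a bad password fails here with a clear message instead of the
# SDK's "SFPkcs12 : Unable to get certificate".
check_pkcs12_password() {
    file=$1
    password=$2
    [ -r "$file" ] || { echo "cannot read PKCS12 file: $file" >&2; return 1; }
    if openssl pkcs12 -in "$file" -passin "pass:$password" -noout >/dev/null 2>&1; then
        return 0
    fi
    echo "wrong password or corrupt PKCS12: $file" >&2
    return 1
}

# Return 0 if the named Perl module loads, 1 if it is missing.
# "perl -MModule -e 1" compiles and loads the module and exits non-zero when absent.
check_perl_module() {
    module=$1
    if perl -M"$module" -e 1 >/dev/null 2>&1; then
        return 0
    fi
    echo "missing Perl module: $module" >&2
    return 1
}

# Return 0 if the certificate sits under <app_dir>/bin (the location that worked in the
# thread) and is readable by the user running this check, 1 otherwise.
check_cert_location() {
    app_dir=$1
    cert=$2
    case "$cert" in
        "$app_dir"/bin/*) ;;
        *) echo "cert is not under $app_dir/bin: $cert" >&2; return 1 ;;
    esac
    [ -r "$cert" ] || { echo "cert not readable by $(id -un): $cert" >&2; return 1; }
    return 0
}

# Run every check and stop at the first failure so the real cause is printed.
# PERL_MODULES is a placeholder list seeded with the undocumented dependency from the thread.
PERL_MODULES="NetAddr::IP"
preflight() {
    app_dir=$1
    cert=$2
    password=$3
    check_cert_location "$app_dir" "$cert" || return 1
    check_pkcs12_password "$cert" "$password" || return 1
    for m in $PERL_MODULES; do
        check_perl_module "$m" || return 1
    done
    echo "pre-flight OK; next, run the client by hand: cd $app_dir/bin && perl estreamer.pl"
    return 0
}

# Usage (paths and password are placeholders):
#   sh preflight.sh "$SPLUNK_HOME/etc/apps/eStreamer" \
#       "$SPLUNK_HOME/etc/apps/eStreamer/bin/client.pkcs12" 'cert-password'
if [ "$#" -eq 3 ]; then
    preflight "$1" "$2" "$3"
fi
```

Run it as the same user that runs splunkd, so the readability check reflects what the client will actually see; running it as root can pass while the Splunk user still cannot open the file.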
Yes, I'm encountering the same issue.