Installed and configured the Cisco eStreamer eNcore add-on for Splunk (3.5.8) both on the Firepower FMC and on my Splunk heavy forwarder (Splunk v7.2.7). I can get estreamer-status and estreamer-logs to come into Splunk but not estreamer-data (the most important piece). After I configure the eStreamer add-on I keep getting the following error: "EncoreException : unable to read password from console." If I look a little deeper, I find "Unable to process pkcs12 file".
I have deleted and remade the FMC certificate 6 or 7 times. I have given it a password, and not given it a password. The result is the same. Does anyone have a similar problem or, better yet, a good solution for this?
I was able to solve it on my box. We had FIPS enabled which was causing the issue when it tried to create the key pair.
The error "EncoreException : unable to read password from console." is the error that the script throws, but it's not the actual error.
The error comes from crypto.py in the estreamer folder. We ran just the select function that throws the error.
Run the script in the directory with the client.pkcs12 cert (pass the cert password as the first argument, or nothing if the cert has no password):
    import sys
    import OpenSSL.crypto

    # password must be bytes for pyOpenSSL; None when the cert has no password
    password = sys.argv[1].encode() if len(sys.argv) > 1 else None

    with open("client.pkcs12", "rb") as pkcs12File:
        data = pkcs12File.read()
    try:
        pkcs12 = OpenSSL.crypto.load_pkcs12(data, password)
        print("pkcs12 loaded OK")
    except OpenSSL.crypto.Error as e:
        # this is the real OpenSSL error hidden behind "unable to read password from console"
        print(e)
This will give you the actual error, which is how we found out FIPS was the issue.
We loaded the app into a test environment (that had no FMC), copied the client file to it and performed the setup through the GUI. Once it created the key pairs, we just copied those to our actual instance and the connection was made.
I hope this helps.
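Added example (not code from this thread, the eStreamer add-on, or Cisco): once pyOpenSSL has shown you the real error, the next question is which encryption scheme inside client.pkcs12 FIPS mode is refusing. The standard-library script below walks the DER of a PKCS#12 file and lists the password-based encryption OIDs it finds, flagging the ones OpenSSL's FIPS mode will not initialise (RC2/RC4). It assumes the PKCS#12 layout OpenSSL writes (authSafe and each data ContentInfo wrapping DER in an OCTET STRING); the FIPS-allowed flags describe cipher initialisation only, and the RC2-40 default for certificate bags is OpenSSL 1.0/1.1 behaviour, not something stated in the thread. Run with no argument it builds a constructed sample file in that default layout; run with a path it inspects a real file.

```python
"""Report the password-based encryption schemes inside a PKCS#12 (client.pkcs12) file."""
import sys

# scheme OID -> (name, does OpenSSL's FIPS mode let that cipher initialise).  RC2/RC4 are
# refused, which surfaces as "FIPS_CIPHERINIT:disabled for fips" via PKCS12_pbe_crypt.
KNOWN_OIDS = {
    "1.2.840.113549.1.12.1.2": ("pbeWithSHAAnd40BitRC4", False),
    "1.2.840.113549.1.12.1.3": ("pbeWithSHAAnd3-KeyTripleDES-CBC", True),
    "1.2.840.113549.1.12.1.6": ("pbeWithSHAAnd40BitRC2-CBC", False),  # OpenSSL 1.0/1.1 cert default
    "1.2.840.113549.1.5.13": ("PBES2", True),
    "1.2.840.113549.3.7": ("des-EDE3-CBC", True),
    "2.16.840.1.101.3.4.1.2": ("aes128-CBC", True),
    "2.16.840.1.101.3.4.1.42": ("aes256-CBC", True),
}

def _read_tlv(buf, pos):
    """Parse one DER tag/length at buf[pos] -> (tag, is_constructed, value_start, value_end)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV at offset %d" % pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad length at offset %d" % (pos - 1))
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("value runs past end of data at offset %d" % pos)
    return tag, bool(tag & 0x20), pos, pos + length

def _decode_oid(body):
    if not body:
        raise ValueError("empty OID")
    arcs = [body[0] // 40, body[0] % 40] if body[0] < 80 else [2, body[0] - 80]
    value = 0
    for b in body[1:]:                                 # base-128, high bit = more to come
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def collect_oids(buf, start=0, end=None, oids=None):
    """Return every OID in the DER tree; descends into OCTET STRINGs that wrap a whole SEQUENCE."""
    oids, end = ([] if oids is None else oids), (len(buf) if end is None else end)
    pos = start
    while pos < end:
        tag, constructed, vstart, vend = _read_tlv(buf, pos)
        if constructed:
            collect_oids(buf, vstart, vend, oids)
        elif tag == 0x06:
            oids.append(_decode_oid(buf[vstart:vend]))
        elif tag == 0x04 and vend - vstart > 2 and buf[vstart] == 0x30:
            try:                                       # authSafe / data ContentInfo payloads
                if _read_tlv(buf, vstart)[3] == vend:
                    oids.extend(collect_oids(buf, vstart, vend, []))
            except ValueError:
                pass                                   # salt or ciphertext that began with 0x30
        pos = vend
    return oids

def fips_report(buf):
    """[(oid, name, allowed_under_fips)] for every encryption scheme found in the file."""
    return [(o,) + KNOWN_OIDS[o] for o in collect_oids(buf) if o in KNOWN_OIDS]

def _der(tag, *parts):
    body = b"".join(parts)
    length = bytes([len(body)]) if len(body) < 0x80 else bytes([0x82]) + len(body).to_bytes(2, "big")
    return bytes([tag]) + length + body

def _oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a >> 7:
            a >>= 7
            chunk.insert(0, 0x80 | (a & 0x7F))
        out.extend(chunk)
    return _der(0x06, bytes(out))

def build_sample_pkcs12():
    """Constructed sample (not an FMC export): OpenSSL 1.0/1.1's default layout, filler ciphertext."""
    def pbe(scheme, salt):           # AlgorithmIdentifier { scheme, pkcs-12PbeParams }
        return _der(0x30, _oid(scheme), _der(0x30, _der(0x04, salt), _der(0x02, b"\x08\x00")))
    def data_ci(inner):              # ContentInfo { id-data, [0] OCTET STRING wrapping DER }
        return _der(0x30, _oid("1.2.840.113549.1.7.1"), _der(0xA0, _der(0x04, inner)))
    eci = _der(0x30, _oid("1.2.840.113549.1.7.1"), pbe("1.2.840.113549.1.12.1.6", b"\x01" * 8),
               _der(0x80, b"\xAA" * 32))                           # [0] IMPLICIT encryptedContent
    cert_ci = _der(0x30, _oid("1.2.840.113549.1.7.6"), _der(0xA0, _der(0x30, _der(0x02, b"\x00"), eci)))
    epki = _der(0x30, pbe("1.2.840.113549.1.12.1.3", b"\x02" * 8), _der(0x04, b"\xBB" * 32))
    key_bag = _der(0x30, _oid("1.2.840.113549.1.12.10.1.2"), _der(0xA0, epki))  # pkcs8ShroudedKeyBag
    auth_safe = _der(0x30, cert_ci, data_ci(_der(0x30, key_bag)))
    return _der(0x30, _der(0x02, b"\x03"), data_ci(auth_safe))    # PFX { version 3, authSafe }

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pkcs12()
    for oid, name, ok in fips_report(blob):
        print("%-26s %-34s %s" % (oid, name, "ok under FIPS" if ok else "refused under FIPS"))
```

Running it against a real export (`python3 p12oids.py client.pkcs12`, a file name assumed here) tells you whether the refusal is the file's fault before you start regenerating certificates; a file that only shows PBES2/AES or 3DES schemes points elsewhere. The DER walker deliberately stays out of salts, MAC digests and encrypted content, so it needs no password and never touches the key material.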
Digging even further, I am seeing the following errors on my heavy forwarder when I attempt to start the splencore process:
139742838814376:error:060A60A3:digital envelope routines:FIPS_CIPHERINIT:disabled for fips:fips_enc.c:142:
139742838814376:error:06074078:digital envelope routines:EVP_PBE_CipherInit:keygen failure:evp_pbe.c:197:
139742838814376:error:23077073:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 algor cipherinit error:p12_decr.c:87:
Each time I attempt to start the eStreamer process it tries to process the pkcs12 file. Then I get the errors I listed above (this issue is detailed in Splunk Answers: https://answers.splunk.com/answers/667021/splunk-estreamer-encore-client-doesnt-start.html#comment-6...).
Yet the thread doesn't have a definitive answer. It suggests an issue with the server version of Python. I'll keep digging, but if anyone has an answer I'd appreciate any help.
Path to certificate: [SPLUNK HOME]/etc/apps/TA-eStreamer/bin/encore
File has been renamed to "client.pkcs12"
Currently, the cert has a password, but the error persists.
Thanks for any help you can give.