All Apps and Add-ons

eStreamer for Splunk error outputting keys and certificates

molinarf
Communicator

Can anyone help me? I have been trying to resolve this problem for weeks. The configuration log did change, though, when I ended up rebuilding both the Splunk and the FMC server.

The eStreamer encore app always shows disabled. I have checked /opt/splunk/etc/TA=eStreamer/bin/encore and the configuration log shows:
Splencore not running
Error outputting keys and certificates with the following errors
digitial envelope routines:FIPS_CIPHERINIT: disabled for fips:fips_enc.c:142
digitial envelope routines:EVP_PBE_CipherInit:keygen failure:evp_pbe.c:197
PKCS12 routines:12_pbe_crypt:pkcs12 algor cipherinit error:p12_decr.c:87
PKCS12 routines:PKCSS12_item_decrypt_d2i:pkcs12 pbe crypt error:p12_decr.c:138

The estreamer log has the error: EncoreException: Unable to read password from console. Are you running as a background process?

I get the same errors whether I use a password or not for the certificate I download from the Firepower Management Center.

0 Karma
1 Solution

rsanders30
Path Finder

Hey molinarf,

I am no python guru either, but it sounds like you have a python library missing, in this case argparse, hence it can't run the script. Are you using a Linux or Windows based Splunk? Take a look at the pre-requisites section of the Cisco guide. It contains instructions for installing the python dependencies based on your environment (Windows or Linux). Hope this helps.

eStreamer eNcore Operations Guide v3.0

0 Karma

molinarf
Communicator

Finally got back to working on this. I am still having issues with it processing the pkcs12 file, but I fixed the argparse file issue.
Here is what I did:
1) copied a full ISO of RHEL 6.9 onto the Splunk server
2) mounted it into a directory /mnt/iso
3) from the Packages directory ran yum install python-argparse

0 Karma

molinarf
Communicator

rsanders30,

I am running Splunk in a Linux (RHEL) environment. I did follow the eStreamer eNcore Operations Guide v3.0, and in the section Pre-requisites, it states that if:
1) running the Cisco eStreamer eNcore for Splunk
2) provided that the default installation of Splunk which includes Python 2.7 and OpenSSL.
then no further action is required.

Now that I look at it again, I am beginning to wonder a few things that I need to look at. I'll post back after I verify like I am doing the CLI install of this app.

0 Karma

molinarf
Communicator

Verified the pre-requisites...

python is located /opt/splunk/bin/python2.7
OpenSSL is located in /opt/splunk/bin/openssl

If Python is installed, then I should have the argparse module installed too!

At this point, I don't know if I should go to Cisco support or Splunk support.

0 Karma

rsanders30
Path Finder

Molinarf, were you able to resolve the issue? I am curious to know what the solution was.

0 Karma

molinarf
Communicator

No still working on it. I removed the app from Splunk and will re-install. I have another post
Splunk eStreamer eNcore client doesn't start at this link https://answers.splunk.com/answers/667021/splunk-estreamer-encore-client-doesnt-start.html#comment-6.... I am working with a Sam Strathan who wrote some of the python scripts that this app runs. He suggested I try to manually split the keys (public and private) out of the certificate. I am not sure if I'll get to it today, but I will certainly give it a try.

0 Karma

rsanders30
Path Finder

molinarf, I read your other post. Have you tried recreating a NEW cert with a password? Once you do that, you can try running the test again unless you continue to get the argparse error.

0 Karma

molinarf
Communicator

Thanks for following up. I tried to recreate the FMC certificate with and without a password. I even went so far as to change the IP addresses of the FMC, SFRs and their gateways from the management network to a free space on the data network, with the same problems. So usually at this point, so that I can do my work, I remove eStreamer eNcore and return Splunk to the previous state to clean up and start fresh.

If you have any other ideas, it would be greatly appreciated.

0 Karma

rsanders30
Path Finder

When you tried to recreate the cert, did you try to run another test? I had the same issue, and ran a test after I recreated the cert. It then prompted me to reprocess the cert, and to enter the password. It worked after that. For some reason in the GUI, the re-process doesn't work.

0 Karma

molinarf
Communicator

Sure did try that. I tried so many times, I had certs that were named with extensions like 12.pkcs12. Everything gets so messed up when I work on this, I remove the app and the add-on as I said, like a clean start. I use this time to get away from the frustration and catch up on some other work.

I will probably try again tomorrow or late this afternoon. I just don't know which IP address scheme I should use. To have everything on the data network or to leave it on the management network.

0 Karma

molinarf
Communicator

rsanders30

Thanks for that update. The change that you posted to edit the splencore.sh file got it so where I could run ./splencore.sh test and start. The problem now is that it fails:

Traceback (most recent call last):
File "./estreamer/preflight.py", line 32 in
import argparse
ImportError: No module named arparse

I am no scholar when it comes to Linux and Python, so it leaves me confused.

If you can provide some direction, I would greatly appreciate it.

I used the http://www.thesecurityblogger.com/configuring-cisco-firepower-estreamer-with-splunk-7/ as my guide to configure this. I also have some other problems too, but I need to take it one by one.

0 Karma

rsanders30
Path Finder

So I had the same error, "Unable to read password from console. Are you running as a background process?"
Here's what I did to troubleshoot:

  • CLI into the Splunk server where the TA-eStreamer app is located.
  • Go to "cd /opt/splunk/etc/apps/TA-eStreamer/bin" In the splencore.sh, you may need to edit "#SPLUNK_HOME=/opt/splunk" by removing the #, or set it to Splunk directory.
  • Run the script: "./splencore.sh test"
  • It may tell you that the certificate needs the password. Enter the password if prompted.
  • Once completed, end the script.
  • Check your eStreamer Summary Dashboard if it's running.
  • If disabled, go back to the Splunk eStreamer app setup page and try reprocessing the certificate.

This is how I got mine to work. Good luck!

Also, you can check out this page for a step by step install: http://www.thesecurityblogger.com/configuring-cisco-firepower-estreamer-with-splunk-7/

0 Karma
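A preflight script covering the errors in the original question and the steps in this answer, added here as an example and not part of the Cisco TA or of the splencore.sh edits above. It assumes the thread's paths (/opt/splunk and TA-eStreamer/bin), checks argparse under Splunk's bundled Python, tries to open the PKCS#12 bundle without a console prompt (the step that fails when encore runs in the background), and labels the known error lines found in a log file.

```sh
#!/bin/sh
# Constructed diagnostic helper for the eNcore TA; not the Cisco TA's own code.
# Paths default to the ones used in this thread.
SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"
TA_BIN="$SPLUNK_HOME/etc/apps/TA-eStreamer/bin"

# Map one log line to a short cause label seen in this thread; "unknown" otherwise.
classify_line() {
  case "$1" in
    *"No module named argparse"*)               echo "missing-argparse" ;;
    *"Unable to read password from console"*)   echo "interactive-password" ;;
    *"disabled for fips"*)                      echo "fips-cipher" ;;
    *"Error outputting keys and certificates"*) echo "pkcs12-export" ;;
    *)                                          echo "unknown" ;;
  esac
}

# Print the distinct known causes found in a log file, one per line, sorted.
classify_log() {
  while IFS= read -r line; do classify_line "$line"; done < "$1" | grep -v '^unknown$' | sort -u
}

# Does the given interpreter have argparse? Exit 0 = yes. Splunk's own is $SPLUNK_HOME/bin/python.
check_argparse() {
  "$1" -c 'import argparse' 2>/dev/null
}

# Can openssl open the PKCS#12 bundle non-interactively? Exit 0 = yes. The password is
# passed through the environment so it never appears on the command line or in ps output.
# Under a FIPS-mode OpenSSL a legacy PBE cipher in the bundle makes this fail (FIPS_CIPHERINIT).
check_pkcs12() {
  P12PASS="$2" "${OPENSSL:-openssl}" pkcs12 -in "$1" -noout -passin env:P12PASS 2>/dev/null
}

main() {
  cert="$1"; log="$2"
  [ -d "$TA_BIN" ] || { echo "TA-eStreamer bin dir not found: $TA_BIN"; return 1; }
  if check_argparse "$SPLUNK_HOME/bin/python"; then echo "argparse: ok"
  else echo "argparse: missing under $SPLUNK_HOME/bin/python (install python-argparse)"; fi
  if [ -n "$cert" ]; then                     # must be run from a terminal, not in the background
    printf 'Password for %s (blank if none): ' "$cert"; stty -echo; read -r pw; stty echo; echo
    if check_pkcs12 "$cert" "$pw"; then echo "pkcs12: readable"
    else echo "pkcs12: ${OPENSSL:-openssl} cannot open it (wrong password or FIPS-disabled cipher)"; fi
  fi
  [ -n "$log" ] && classify_log "$log"
  return 0
}
case "${1:-}" in run) shift; main "$@" ;; esac   # usage: ./encore_preflight.sh run CERT.pkcs12 LOGFILE
```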