I am using the Sourcefire IPS (ver 6.1), so I am using the Sourcefire app (eNcore app and add-on).
I installed the eNcore add-on on my heavy forwarder server.
I copied my IPS's certificate to the forwarder server (/opt/splunk/etc/apps/TA-estreamer/bin/encore).
I changed the certificate file's name to client.pkcs12.
I configured eNcore in the forwarder web GUI, e.g. FMC IP, enable, certificate password and so on. (picture1)
I think that I configured everything.
But the eNcore daemon goes up and down repeatedly. (picture2)
So I cannot receive all of the data from the IPS (of course, sometimes Splunk does receive data from the IPS). (picture3)
How can I fix this?