Cisco Security Cloud Estreamer Issues

Rafaelled
Explorer

Good Afternoon,

I have been at war with the eStreamer app for 2 weeks and I cannot get this to work. Below are the current specs:

RHEL 9.5 With FIPS
Splunk 9.4.4 HF
FMC 7.4.2.4

Cisco Security Cloud 3.6.1

So I had issues with FIPS and the cert; I was able to fix that. I then ran into network connectivity issues and that was resolved. I can openssl with the eStreamer cert to the FMC on port 8302 and have no issues connecting to it with TLS. The issue occurs when I set up the eStreamer inputs on the Cisco Security Cloud app. When I put in the password and all the information, the input fails, and below are the logs of the issue. I can't seem to find anything online on this issue with eStreamer.

Any help would be great. Thank you.

2026-02-17 12:50:38,776 INFO [collect_events] validate_connection():195 Get test chunk of events for input test
2026-02-17 12:50:38,777 INFO [estreamer_connection] get_events():145 Getting events
2026-02-17 12:50:38,777 INFO [collect_events] validate_connection():205 Clean up after eStreamer validation process: test
2026-02-17 12:50:38,778 INFO [collect_events] validate_connection():211 Delete certificate files
2026-02-17 12:50:38,778 ERROR [sbg_fw_estreamer_input] validate_input():180 instance=test, error_type=Connection, error_code=error, error_detail=Struct error occurred, probably invalid format of data, traceback=unpack requires a buffer of 2 bytes, filter_value=sbg_fw_estreamer_input.py,



Darthsplunker
Path Finder

I came across this issue and didn't find a solution anywhere. However, I did manage to fix it with help from AI.

If the issue is that the Cisco Security Cloud app is not accepting the cert and password you just created on the FMC, and just returns a generic, unhelpful error, while Splunk is installed on a FIPS-compliant system, then read on.

The problem is that the FMC encrypts the cert with weak encryption that is NOT FIPS compliant. Therefore the password-protected cert from the FMC must be prepped before use.

1.) Locate a non-FIPS-enabled Linux machine, or disable FIPS on your box. Either way is fine, but this is mandatory.
2.) Decrypt the cert using the password you originally created the cert with. Obviously change "originalcert.pkcs12" to the name of the cert you downloaded from the FMC.

# -nodes writes the private key out unencrypted; without it openssl prompts for a new PEM pass phrase
openssl pkcs12 -in originalcert.pkcs12 -out unencrypted.pem -nodes

3.) Re-encrypt the cert with a password, using FIPS-compliant encryption. I just used the same password to encrypt this.

openssl pkcs12 -certpbe PBE-SHA1-3DES -export -in unencrypted.pem -out FIPS_compliant.p12

4.) You have to rename the compliant cert to .pkcs12, as that's what the Cisco Security Cloud app is looking for. It's possible you can just use the .pkcs12 extension instead of the .p12 I had in there, but I didn't test that, and am just writing down exactly what I did.

Now your cert should be compliant and the app should accept it.
There may be an easier/better way to fix this, but this is just how I did it. Let me know if there is a better way.

Hope this helps!

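Worked example, added here and not part of either post above: a POSIX shell script that carries out the procedure in the answer (decrypt on a non-FIPS host, re-wrap, save as .pkcs12) and adds the two checks a practitioner would want: it lists which PBE algorithms a PKCS#12 bundle actually uses (the RC2-40 certificate wrapping that older OpenSSL defaults produce is what a FIPS provider refuses), and it compares the certificate fingerprint before and after to prove the re-wrap changed only the wrapping. It re-wraps with PBES2/PBKDF2, AES-256-CBC and an HMAC-SHA-256 MAC rather than the PBE-SHA1-3DES above; both are FIPS-approved. The sample input is a throwaway self-signed certificate constructed by the script; the function names, file names and passwords are chosen for this example, and whether the constructed sample comes out RC2-wrapped depends on the local OpenSSL (OpenSSL 3 needs its legacy provider to produce or read RC2, OpenSSL 1.1 does it by default). Run it on the non-FIPS machine, as step 1 requires.

```shell
#!/bin/sh
# Added example (not from the original thread): inspect the PBE algorithms in a
# PKCS#12 bundle and re-wrap it with FIPS-approved ones for a FIPS-mode Splunk host.
set -eu

# Run "openssl pkcs12 ..."; if the default provider rejects the input (RC2-40 on
# OpenSSL 3), retry with the legacy provider. On OpenSSL 1.1 the flag is unknown,
# but RC2 works there without it, so the first attempt succeeds.
p12() {
    openssl pkcs12 "$@" 2>/dev/null || openssl pkcs12 -legacy "$@"
}

# Algorithm summary lines for a bundle ($1 = file, $2 = password). openssl prints
# them to stderr, so the streams are merged before filtering.
p12_algs() {
    out=$(openssl pkcs12 -info -noout -in "$1" -passin "pass:$2" 2>&1) \
      || out=$(openssl pkcs12 -legacy -info -noout -in "$1" -passin "pass:$2" 2>&1) \
      || { printf '%s\n' "$out" >&2; return 1; }
    printf '%s\n' "$out" | grep -E 'Encrypted data|Keybag|MAC'
}

# Exit 0 when a non-FIPS algorithm is in use. RC2, RC4, MD2/MD5 and single DES are
# not FIPS-approved; 3DES, AES and SHA-1/SHA-2 (as PBKDF/HMAC) are.
p12_is_weak() {
    p12_algs "$1" "$2" | grep -Eiq 'RC2|RC4|MD5|MD2|pbeWithSHA1AndDES-CBC'
}

# SHA-256 fingerprint of the client certificate in the bundle.
p12_cert_fpr() {
    p12 -in "$1" -passin "pass:$2" -clcerts -nokeys \
      | openssl x509 -noout -fingerprint -sha256
}

# Re-wrap: $1 = input bundle, $2 = its password, $3 = output bundle, $4 = new password.
# The decrypted PEM (which contains the private key) lives only in a 0700 temp dir
# and is deleted afterwards; the answer above leaves unencrypted.pem on disk.
rewrap_fips() {
    tmp=$(mktemp -d)
    chmod 700 "$tmp"
    p12 -in "$1" -passin "pass:$2" -nodes -out "$tmp/plain.pem"
    # PBES2 with AES-256-CBC for both the certificate and key bags, HMAC-SHA-256 MAC.
    openssl pkcs12 -export -in "$tmp/plain.pem" \
        -certpbe AES-256-CBC -keypbe AES-256-CBC -macalg sha256 \
        -passout "pass:$4" -out "$3"
    rm -rf "$tmp"
}

# Constructed sample input standing in for the FMC download ($1 = dir, $2 = password;
# prints the bundle path). Wrapped with RC2-40 for the cert bag, the way old OpenSSL
# defaults did, where the local OpenSSL can still produce that; otherwise current defaults.
make_sample_p12() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=estreamer-test' \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
    openssl pkcs12 -export -legacy -in "$1/cert.pem" -inkey "$1/key.pem" \
        -passout "pass:$2" -out "$1/legacy.pkcs12" 2>/dev/null \
    || openssl pkcs12 -export -certpbe PBE-SHA1-RC2-40 -in "$1/cert.pem" \
        -inkey "$1/key.pem" -passout "pass:$2" -out "$1/legacy.pkcs12" 2>/dev/null \
    || openssl pkcs12 -export -in "$1/cert.pem" -inkey "$1/key.pem" \
        -passout "pass:$2" -out "$1/legacy.pkcs12"
    printf '%s\n' "$1/legacy.pkcs12"
}

demo() {
    work=$(mktemp -d)
    chmod 700 "$work"
    pw='fmc-export-password'   # same password reused for the re-wrapped bundle, as in the answer
    src=$(make_sample_p12 "$work" "$pw")
    echo "== algorithms before:"; p12_algs "$src" "$pw"
    if p12_is_weak "$src" "$pw"; then
        echo "non-FIPS algorithms present, re-wrapping"
    else
        echo "already FIPS-compatible on this OpenSSL, re-wrapping anyway"
    fi
    rewrap_fips "$src" "$pw" "$work/FIPS_compliant.pkcs12" "$pw"
    echo "== algorithms after:"; p12_algs "$work/FIPS_compliant.pkcs12" "$pw"
    echo "== same certificate: $(p12_cert_fpr "$src" "$pw")"
    rm -rf "$work"
}
demo
```

To use it on a real download, call `rewrap_fips downloaded.pkcs12 '<fmc password>' FIPS_compliant.pkcs12 '<fmc password>'` from the non-FIPS host and copy only the output file to the Splunk server; run `p12_algs` on the result first if the app still rejects it, so you can see what it actually contains instead of guessing from the app's generic error.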

ecentonze
Engager

I am hitting this same issue with FMC version 7.6.5 and Splunk 9.4.2
