Good Afternoon,
I have been at war with the estreamer app for 2 weeks and I cannot get this to work. Below are the current specs:
RHEL 9.5 With FIPS
Splunk 9.4.4 HF
FMC 7.4.2.4
Cisco Security Cloud 3.6.1
So I had issues with FIPS and the cert; I was able to fix that. I then ran into network connectivity issues and that was resolved. I can openssl with the estreamer cert to the FMC on port 8302 and have no issues connecting to it with TLS. The issue occurs when I set up the estreamer inputs on the Cisco Security Cloud app. When I put in the password and all the information, the input fails, and below are the logs of the issue. I can't seem to find anything online on this issue with estreamer.
Any help would be great, Thank you
2026-02-17 12:50:38,776 INFO [collect_events] validate_connection():195 Get test chunk of events for input test
2026-02-17 12:50:38,777 INFO [estreamer_connection] get_events():145 Getting events
2026-02-17 12:50:38,777 INFO [collect_events] validate_connection():205 Clean up after eStreamer validation process: test
2026-02-17 12:50:38,778 INFO [collect_events] validate_connection():211 Delete certificate files
2026-02-17 12:50:38,778 ERROR [sbg_fw_estreamer_input] validate_input():180 instance=test, error_type=Connection, error_code=error, error_detail=Struct error occurred, probably invalid format of data, traceback=unpack requires a buffer of 2 bytes, filter_value=sbg_fw_estreamer_input.py,
I came across this issue and didn't find a solution anywhere. However, I did manage to fix it with help from AI.
If the issue is the Cisco Security Cloud App not taking the cert and password you just created from the FMC and just returning a generic, non-helpful error, while Splunk is installed on a FIPS-compliant system, then read on.
The problem lies in that the FMC encrypts the cert with a weak encryption that is NOT FIPS compliant. Therefore the password-protected cert from the FMC must be prepped before use.
1.) Locate a non-FIPS-enabled Linux machine, or disable FIPS on your box. Either way is fine, but this is mandatory.
2.) Decrypt the cert using the password you originally created the cert with. Obviously change "originalcert.pkcs12" to whatever the name of the cert that you downloaded from FMC is.
openssl pkcs12 -in originalcert.pkcs12 -out unencrypted.pem
3.) Re-encrypt the cert with a password, with FIPS-compliant encryption. I just used the same password to encrypt this.
openssl pkcs12 -certpbe PBE-SHA1-3DES -export -in unencrypted.pem -out FIPS_compliant.p12
4.) You have to rename the compliant cert to .pkcs12, as that's what the Cisco cloud security app is looking for. It's possible you can just use the .pkcs12 extension instead of the .p12 I had in there. But I didn't test that, and am just writing down exactly what I did.
Now your cert should be compliant and the app should accept it.
There may be an easier/better way to fix this, but this is just how I did it. Let me know if there is a better way.
Hope this helps!
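To confirm which algorithms protect a PKCS#12 file before and after the re-encryption described in the answer above, the output of `openssl pkcs12 -info -noout` can be parsed and checked. This is an added example, not part of the original posts or of the Cisco app; both sample outputs are constructed, the 40-bit RC2 certificate bag in the first is an assumption about what a legacy export looks like, and LEGACY_RE is an assumed pattern to adapt to your own FIPS policy.

```shell
#!/bin/sh
# Real use: openssl pkcs12 -info -noout -in FILE.pkcs12 | p12_algs

# Assumption: patterns treated as legacy; adjust to what your FIPS provider rejects.
LEGACY_RE='RC2|RC4|40Bit|MD5|AndDES-CBC'

# Print "section<TAB>algorithm" for the MAC, the certificate bag and the key bag.
p12_algs() {
    awk -F': ' '
        /^MAC: /                  { sub(/, Iteration.*/, "", $2); print "mac\t" $2 }
        /^PKCS7 Encrypted data: / { sub(/, Iteration.*/, "", $2); print "certbag\t" $2 }
        /^Shrouded Keybag: /      { sub(/, Iteration.*/, "", $2); print "keybag\t" $2 }
    '
}

# Print only the sections using a legacy algorithm; exit status 0 if any found.
p12_legacy() {
    p12_algs | grep -E "$LEGACY_RE"
}

# Constructed sample: a legacy export with a 40-bit RC2 certificate bag (assumed).
sample_before() {
    cat <<'EOF'
MAC: sha1, Iteration 2048
MAC length: 20, salt length: 8
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
Certificate bag
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048
EOF
}

# Constructed sample: the same file after re-export with -certpbe PBE-SHA1-3DES.
sample_after() {
    cat <<'EOF'
MAC: sha1, Iteration 2048
MAC length: 20, salt length: 8
PKCS7 Encrypted data: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048
Certificate bag
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048
EOF
}

for s in sample_before sample_after; do
    echo "== $s"; "$s" | p12_algs
    if "$s" | p12_legacy >/dev/null; then echo "-> legacy algorithm present"
    else echo "-> no legacy algorithm matched"; fi
done
```

Running the same check on the file you actually upload shows whether the certificate bag still carries the algorithm the FIPS host refuses.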
I am hitting this same issue with FMC version 7.6.5 and Splunk 9.4.2