Getting Data In

Splunk eStreamer eNcore client doesn't start

molinarf
Communicator

I have been trying to get the Cisco eStreamer eNcore app to work and since rebuilding the FMC host, and using a routable IP instead of a management IP. The eStreamer Client Status shows Disabled. Here is the output of the config.log

/opt/splunk/etc/apps/TA-eStreamer/bin/encore
You have not configured your FMC Host
Configuring
Removing old keys
Recreating keys
MAC verified OK
Error outputting keys and certificates
139742838814376:error:060A60A3:digital envelope routines:FIPS_CIPHERINIT:diabled for fips:fips_enc.c:142:
139742838814376:error:06074078: digital envelope routines:EVP_PBE_CipherInit:keygen failure:evp_pbe.c:197:
139742838814376:error:23077073:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 algo ciperinit error:p12_decr.c:87:
139742838814376:error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error:p12_decr.c:139:

I don't know what the error means that I have not configured the FMC Host. Are the errors related to the problem of the eStreamer stuck in disabled? The eStreamer.log file output shows:

estreamer.client INFO eNcore version: 3.0.0
estreamer.client INFO Python version: 2.7.14 (default, April 12 2018) \n[GCC 5.3.0]
estreamer.client INFO Platform version: Linux-2.6.696.e16.x86_64-x86_64-with-rehat-6.9-Santiago
estreamer.client INFO Starting client (pid=28587).
estreamer.client INFO Sha256:
Diagnostics INFO Check certificate
Diagnostics INFO PKCS12 file needs processing
estreamer.client ERROR EncoreException: Uable to read password from console. Are you running as a background process? Try running in test or foreground mode
estreamer.client INFO Stopping...
extreamer.monitor INFO stopping monitor
estreamer.client INFO Goodbye

I am currently running Splunk Enterprise 7.1.1 on Linux RHEL 6.9-Santiago

Thank you.

Tags (2)
0 Karma
1 Solution

sam_strachan
Explorer

You have not configured your FMC Host means that the code has found an FMC host setting which is either blank or 1.2.3.4. You will need to run through the setup process.

Host and TLS keys
Navigate to app settings in Splunk – from the home page, click the “cog” icon

Find Cisco eStreamer eNcore for Splunk and click “Set-up”

At a minimum:

  • enter the “FMC hostname or IP address” (this is the bit that answers the specific question here) and
  • check the “Process PKCS12 file?”. Optionally enter a password here

Each time you load this page, “Process PKCS12 file” is reset to “no” and the password is not saved. It used once to process the PKCS12 file using openSSL and store a public-private key pair.

Check the data you wish to collect. Note that there are no options to turn off intrusion, policy or malware events.

Enable inputs
Navigate to Settings > Data Inputs > Files & Directories and enable the single TA-eStreamer app input (cisco:estreamer:data) – this is the where the main output data files are saved

Navigate to Settings > Data Inputs > Scripts and enable the three TA-eStreamer inputs:

  • cisco:estreamer:clean – this script has no output but is used to delete data files older than 12 hours
  • cisco:estreamer:log – this script uses the stdout of eNcore to take program log data. This becomes very useful where things are not going to plan
  • cisco:estreamer:status – this script runs periodically to maintain a clear status of whether the program is running or not

Execution
Once you have fully configured the collector and enabled the inputs, navigate back to the set-up page in app settings, enable eNcore (“is enabled?”) and press save.

To check the status, search for sourcetype="cisco:estreamer:status"
To check more detailed log output, search for sourcetype="cisco:estreamer:log"
To look for eStreamer data, search for sourcetype=" cisco:estreamer:data"

View solution in original post

0 Karma

molinarf
Communicator

Thanks for the input. I did everything that you had listed before even posting and did many times where I even removed the app and started over clean. If I run the searches, that you listed under execution, for status I get stopped, for log I get what I posted in the encore.log output and for data, I get nothing because the service splencore is not running. I am trying to determine why it doesn't start and it seems that there is something wrong with the starting of the service. See my other post: ImportError: No module named arparse. I think once I get that fixed it may actually work.

Thanks again sam_strachan

0 Karma

ctaf
Contributor

Did you eventually find the issue? I am having the same error.

0 Karma

molinarf
Communicator

This has gone beyond what I had expected. Working with Doug Hurd and Cisco TAC, it has been determined that the app looks for the Python version that is installed on your Linux install and not what Splunk has installed. So I am running RHEL 6.9 which has Python version 2.6.6 and even with Splunk installed with Python version 2.7, it generates an error because the app or specifically the script splencore.sh is referencing the OS version of Python. I checked the Cisco script for CLI (encore.sh) and it specifically references the OS version. So to me, I see the app referencing the wrong place and somehow the version check needs to be redirected to the Splunk version. I hope that I was able to explain this properly so that it can be understood. If you have questions, don't hesitate to ask.

Thank you.

0 Karma

molinarf
Communicator

Finally got back to working on this. I am still having issues with it processing the pcks12 file, but I fixed the argparse file issue.
Here is what I did:
1) copied a full iso of RHEL6.9 on the Splunk Server
2) mounted it into a directory /mnt/iso
3) from the Packages directory ran yum install pyton-argparse-.rpm

Once I did that I could run the splencore.sh script. Unfortunately, it still fails to process the pkcs12 file.

0 Karma

sam_strachan
Explorer

You have not configured your FMC Host means that the code has found an FMC host setting which is either blank or 1.2.3.4. You will need to run through the setup process.

Host and TLS keys
Navigate to app settings in Splunk – from the home page, click the “cog” icon

Find Cisco eStreamer eNcore for Splunk and click “Set-up”

At a minimum:

  • enter the “FMC hostname or IP address” (this is the bit that answers the specific question here) and
  • check the “Process PKCS12 file?”. Optionally enter a password here

Each time you load this page, “Process PKCS12 file” is reset to “no” and the password is not saved. It used once to process the PKCS12 file using openSSL and store a public-private key pair.

Check the data you wish to collect. Note that there are no options to turn off intrusion, policy or malware events.

Enable inputs
Navigate to Settings > Data Inputs > Files & Directories and enable the single TA-eStreamer app input (cisco:estreamer:data) – this is the where the main output data files are saved

Navigate to Settings > Data Inputs > Scripts and enable the three TA-eStreamer inputs:

  • cisco:estreamer:clean – this script has no output but is used to delete data files older than 12 hours
  • cisco:estreamer:log – this script uses the stdout of eNcore to take program log data. This becomes very useful where things are not going to plan
  • cisco:estreamer:status – this script runs periodically to maintain a clear status of whether the program is running or not

Execution
Once you have fully configured the collector and enabled the inputs, navigate back to the set-up page in app settings, enable eNcore (“is enabled?”) and press save.

To check the status, search for sourcetype="cisco:estreamer:status"
To check more detailed log output, search for sourcetype="cisco:estreamer:log"
To look for eStreamer data, search for sourcetype=" cisco:estreamer:data"

0 Karma

molinarf
Communicator

Sam,

I was looking at the preflight.py file because of what I am encountering in this post: eStreamer for Splunk error outputting keys and certificates.

Do you have any idea why it fails when I try to start splencore.sh manually from the CLI at line 32 "import.argparse"

Thank you

0 Karma

sam_strachan
Explorer

argparse: Yes. It's because Splunk runs python in a particular way and it first sets up its own environment and path variables so that it works. If you just log in (even as the splunk user) these variables (most notably the path) are not set, so when python goes looking for libraries (such as argparse) it can't find them and throws an error. It is possible to workaround but involves installing python again and I really wouldn't recommend it. This is why you don't see the same error when Splunk runs encore.

When you navigate to the setup screen - do you see the host / ip you entered?

Also - can you try splitting your pkcs12 file manually? Try it on the splunk host first. Use the following command lines.

openssl pkcs12 -in $pkcs12file -nocerts -nodes -out $privateKey -passin "pass:$password"
openssl pkcs12 -in $pkcs12file -clcerts -nokeys -out $publicKey -passin "pass:$password"

I don't like the look of:


Error outputting keys and certificates
139742838814376:error:060A60A3:digital envelope routines:FIPS_CIPHERINIT:diabled for fips:fips_enc.c:142:
139742838814376:error:06074078: digital envelope routines:EVP_PBE_CipherInit:keygen failure:evp_pbe.c:197:
139742838814376:error:23077073:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 algo ciperinit error:p12_decr.c:87:
139742838814376:error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error:p12_decr.c:139:

0 Karma

molinarf
Communicator

Sam,

I know this is many months since I worked on this. I have progressed to the point, where I can run splencore.sh test but it fails to process the pkcs12 file. It goes fine until it has to process the client.pkcs12 file and when I put the password in, it returns the error

EndoreException: Unable to process pkcs12 file. Possibly a password problem

That's all well and fine, but I did not put a password on this client.pkcs file. Is there something I missed along the way?

0 Karma

cutright_j
New Member

Did you ever fix this issue? I'm having it now, not having too much luck in succeeding.

0 Karma

molinarf
Communicator

I'll give it a try. I removed the app from the Splunk server just to clean it up. I also made some modifications so that I could put FMC and the firepower service modules on the ASAs into their own subnet that I hope will work to have proper communications between them and Splunk too.

Thanks,

0 Karma
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...