Solved: estreamer stopped getting streams

richkappler · ‎01-17-2018

We are running estreamer 2.2.2 (by latest entry in changelog) on our ad-hoc search head, v. 6.54 with Defense Center v. 5.4.

estreamer had been running fine since installation, there have been no config or setting changes made to the app, but on Jan 11 we restarted splunk on the ad-hoc sh to implement some config changes (timeout settings) unrelated to estreamer. The app has stopped receiving from that point. I have verified that it is running, taking to the DC:

ss -tanp | grep XXXXX (pid of estreamer)
ESTAB 0 0 XXX.XXX.XXX.XXX:XXXXX XXX (correct ip and port of DC) users:(("estreamer_clien",pid=XXXXX,fd=3))

There have been no config or setting changes to the Defense Center, the only thing that has been done is Splunk restarted.

I've read Douglas Hurd's responses to many estreamer questions regarding upgrading the app if using Firepower 6.X but we are not.

richkappler · ‎01-17-2018

SOLVED - Reinstalled pkcs certificate, reentered password, now receiving IDS data

View solution in original post

richkappler · ‎01-17-2018

SOLVED - Reinstalled pkcs certificate, reentered password, now receiving IDS data

richkappler · ‎01-17-2018

Additional information I forgot to add in the main body:

I have disabled and re-enabled the app, I have run eStreamer/bin/estreamer_client.pl and it returns no errors, we had a maintenance window last night during which I restarted Splunk for other config changes again.

estreamer stopped getting streams

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases