So we patched to 6.2.0.2 and we're experiencing the same message when I run ./splencore test. But I did notice that if I just run ./splencore start, I get some more info as far as errors are concerned:
[splunk@server-01 bin]$ ./splencore.sh start
2017-08-28 08:32:49,378 estreamer.client INFO eNcore version: 3.0.0
2017-08-28 08:32:49,379 estreamer.client INFO Python version: 2.7.5 (default, May 3 2017, 07:55:04) \n[GCC 4.8.5 20150623 (Red Hat 4.8.5-14)]
2017-08-28 08:32:49,379 estreamer.client INFO Platform version: Linux-3.10.0-693.1.1.el7.x86_64-x86_64-with-redhat-7.4-Maipo
2017-08-28 08:32:49,379 estreamer.client INFO Starting client (pid=9331).
2017-08-28 08:32:49,379 estreamer.client INFO Sha256: 8dd9941c993687f478a28a236567b49763d6bf30e23a43ec125a3391495201c7
2017-08-28 08:32:49,379 Diagnostics INFO Check certificate
2017-08-28 08:32:49,379 Diagnostics INFO Creating connection
2017-08-28 08:32:49,379 estreamer.connection INFO Connecting to fmc:8302
2017-08-28 08:32:49,379 estreamer.connection INFO Using TLS v1.2
2017-08-28 08:32:49,624 Diagnostics INFO Creating request message
2017-08-28 08:32:49,624 Diagnostics INFO Request message=0001000200000008ffffffff48900061
2017-08-28 08:32:49,625 Diagnostics INFO Sending request message
2017-08-28 08:32:49,626 Diagnostics INFO Receiving response message
2017-08-28 08:32:49,626 Diagnostics ERROR The FMC eStreamer server has closed the connection. There are a number of possible causes which may show above in the error log.\n\nIf you see no errors then this could be that:\n * the server is shutting down\n * there has been a client authentication failure (please check that your outbound IP address matches that associated with your certificate - note that if your device is subject to NAT then the certificate IP must match the upstream NAT IP)\n * there is a problem with the server. If you are running FMC v6.0, you may need to install "Sourcefire 3D Defense Center S3 Hotfix AZ 6.1.0.3-1"\n
2017-08-28 08:32:49,626 estreamer.client ERROR ConnectionClosedException: Connection closed
2017-08-28 08:32:49,626 estreamer.client INFO Stopping...
2017-08-28 08:32:49,627 estreamer.monitor INFO Stopping Monitor.
2017-08-28 08:32:49,627 estreamer.client INFO Goodbye
2017-08-28 08:32:49,648 Service ERROR OSError: \nTraceback (most recent call last):\n File "./estreamer/service.py", line 179, in main\n self.start( reprocessPkcs12 = args.pkcs12 )\n File "./estreamer/service.py", line 148, in start\n self._posix()\n File "./estreamer/service.py", line 90, in _posix\n self._loop()\n File "./estreamer/service.py", line 67, in _loop\n if not condition.isTrue():\n File "/opt/splunk/etc/apps/TA-eStreamer/bin/encore/estreamer/condition/splunk.py", line 33, in isTrue\n 'status' ] )\n File "/usr/lib64/python2.7/subprocess.py", line 568, in check_output\n process = Popen(stdout=PIPE, *popenargs, **kwargs)\n File "/usr/lib64/python2.7/subprocess.py", line 711, in __init__\n errread, errwrite)\n File "/usr/lib64/python2.7/subprocess.py", line 1327, in _execute_child\n raise child_exception\nOSError: [Errno 2] No such file or directory\n
Support initially thought it was FIPS causing the issue, but we ended up not having FIPS enabled on the FMC side. We are running FIPS_MODE on the Splunk Heavy Forwarder that we are trying to get this app working on.