Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- About vinz2020
vinz2020
Engager
Member since:
03-10-2020
01-09-2025
Community Statistics
| Posts | 12 |
| Solutions | 0 |
| Karma Given | 1 |
| Karma Received | 0 |
| Member Since | 03-10-2020 |
Activity Feed
- Posted Re: AD FS Audit Logs (ADFS Audit) XML issues on All Apps and Add-ons. 01-09-2025 02:59 AM
- Karma Re: Improve Your Security Posture for VatsalJagani. 06-16-2022 08:55 AM
- Posted Re: Improve Your Security Posture on Product News & Announcements. 06-16-2022 06:44 AM
- Posted Re: Cisco eStreamer eNcore Add-on for Splunk: eNcore process not starting on All Apps and Add-ons. 06-24-2021 02:04 AM
- Posted Re: Unable to initialize modular input "tenable_securitycenter_mobile" defined in the app "TA-tenable&quo on All Apps and Add-ons. 05-07-2021 12:53 AM
- Posted Re: Unable to initialize modular input "tenable_securitycenter_mobile" defined in the app "TA-tenable&quo on All Apps and Add-ons. 05-07-2021 12:35 AM
- Posted Re: Unable to initialize modular input "relaymodaction" defined in the app "Splunk_SA_CIM" on All Apps and Add-ons. 05-04-2021 02:10 AM
- Posted Re: Enteprise Security and notable events creation issue on Splunk Enterprise Security. 06-12-2020 12:57 AM
- Posted Enteprise Security and notable events creation issue on Splunk Enterprise Security. 05-26-2020 11:55 PM
- Tagged Enteprise Security and notable events creation issue on Splunk Enterprise Security. 05-26-2020 11:55 PM
- Tagged Enteprise Security and notable events creation issue on Splunk Enterprise Security. 05-26-2020 11:55 PM
- Tagged Enteprise Security and notable events creation issue on Splunk Enterprise Security. 05-26-2020 11:55 PM
- Posted Re: Cisco Firepower eStreamer eNcore 3.6.8 - looping and data delay on All Apps and Add-ons. 03-11-2020 12:40 AM
- Posted Cisco Firepower eStreamer eNcore 3.6.8 - looping and data delay on All Apps and Add-ons. 03-10-2020 03:24 AM
- Tagged Cisco Firepower eStreamer eNcore 3.6.8 - looping and data delay on All Apps and Add-ons. 03-10-2020 03:24 AM
- Tagged Cisco Firepower eStreamer eNcore 3.6.8 - looping and data delay on All Apps and Add-ons. 03-10-2020 03:24 AM
- Posted Re: Splunk eNcore not receiving any Data on All Apps and Add-ons. 03-10-2020 03:04 AM
- Posted Re: Cisco eStreamer eNcore Add-on for Splunk: eNcore process not starting on All Apps and Add-ons. 03-10-2020 03:01 AM
Topics I've Started
01-09-2025
02:59 AM
I have the same problem. Only on ADFS audit logs, maybe something to change on the windows server directly instead of touching splunk here?
... View more
06-16-2022
06:44 AM
Thank you for the information. Any plan to have those security patches available on Splunk 8.2 ? Like everyone, I am not in a hurry mode applying new 9.0.0 major release. Major release upgrade is not something we can perform in a few clicks.
... View more
06-24-2021
02:04 AM
Yes I fixed it ... but unfortunately I can't remember how 😕 Now I am running app 4.6, Splunk 8.1.3 and FMC 6.5
... View more
05-07-2021
12:53 AM
I have just seen a new TA app has been released (v5.0.0 - https://splunkbase.splunk.com/app/4060/#/details) I currently have the version 4.0.1
... View more
05-07-2021
12:35 AM
Hello I have exactly the same error after Splunk upgrade to 8.1.3 and ES 6.0.2 It was working fine with Splunk 7.3.5 before Any suggestion or any idea for troubleshooting? thank you
... View more
05-04-2021
02:10 AM
Hi Same message on my Search Head after upgrade from 7.3.5 to 8.1.3 Were you able to fix it ? thank you, any help will be very appreciated
... View more
06-12-2020
12:57 AM
problem resolved with the support help the inputs.conf from the ES app was corrupted Splunk was not able to parse correctly the notable events. with the correct inputs.conf file everything is working as expecting
... View more
05-26-2020
11:55 PM
Dear all
I have an issue with a new dedicated Search Head for ES.
My Splunk architecture is quite simple. 4 clustered indexers, 3 SH, and 1 dedicated SH for ES
everything is working fine, except the ES notable events : the index notable remains empty.
In the SH, search peer list : everything is OK, indexers are defined
All the events of the SH are sent to the indexers, the notable index has been created there
I have correlation searches active with 2 actions : notable and json alerting.
- JSON alerting is OK
- notable : not OK
If I manually create a notable event on ES, I can see it in the index main, with a strange sourcetype (“stash_common_action_model-too_small”)
I have found it with the following request “index=main notable”
“1589789135, search_name="Manual Notable Event - Rule", _time="1589789135", app="SplunkEnterpriseSecuritySuite", creator="XXXX", info_max_time="+Infinity", info_min_time="0.000", info_search_time="1589789135.348247000", owner="XXXX", rule_description="hello world", rule_title="test5", security_domain="access", status="1", urgency="informational"
=> is there an issue with this sourcetype / index ?
=> or any idea for troubleshooting ?
thank you in advance
PS: a Splunk ticket was opened 10 days ago ... but I am still stuck
... View more
Labels
03-11-2020
12:40 AM
Yes I have this configuration, thank you
the apps works fine, collecting events on the FMC ... except every 15-20 minutes when the estream app is going down. then it takes a few minutes to restart and collect events again
... View more
03-10-2020
03:24 AM
Dear community
I am trying to onboard the logs from my Cisco FMC (v6.4.0.7) to Splunk (7.3.3), using the app Cisco Firepower eStreamer eNcore (3.6.8)
the connectivity is OK, I am able to collect some logs during a few minutes.
and then the estreamer process stopped/failed.
after 15/30 minutes the process is able again to collect some data events from the IDS ... and then fails again
I don't really know where/what troubleshoot.
maybe the default setting "maxQueueSize": 100.
this one can be increased as we have a lot of events.
thank you so much
Message output for index=estreamer sourcetype="cisco:estreamer:log" :
Starting process.
Starting process.
Starting process.
Starting Monitor.
Using TLS v1.2
Connecting to x.x.x.x:8302
Connection successful
Streaming info response
Response message=xxxxx
Receiving response message
Sending request message
Request message=0001000200000008ffffffff48900061
Creating request message
Using TLS v1.2
Connecting to xxxxx:8302
Creating connection
Check certificate
Settings: xxxxxxxx=
Processes: 4
Sha256: 3xxxxx
Platform version: Linux-3.10.0-1062.el7.x86_64-x86_64-with-redhat-7.7-Maipo
2020-03-10 11:14:28,556 Controller INFO Starting client (pid=25963).
eNcore version: 3.6.8
Goodbye
Stopping Monitor.
Process 20330 (Process-4) exit code: 0
Exiting
Error state. Clearing queue
Stop message received
Process 20329 (Process-3) exit code: 0
Exiting
Error state. Clearing queue
Stop message received
Process 20328 (Process-2) exit code: 0
Exiting
Error state. Clearing queue
Stop message received
Process 20327 (Process-1) exit code: 1
Stopping...
Running. 0 handled; average rate 0 ev/sec;
Process subscriberParser is dead.
Starting. 0 handled; average rate 0 ev/sec;
Starting process.
Starting process.
Starting process.
Starting Monitor.
... View more
03-10-2020
03:04 AM
same issue for me with the last app release 3.6.8
https://splunkbase.splunk.com/app/3662/
and FMC v6.4.0.7
I received some data events during a few minutes and then the estreamer process goes down (and looping for a while)
... View more
03-10-2020
03:01 AM
Hi
I am having the same issue with the new app 3.6.8
https://splunkbase.splunk.com/app/3662/
and FMC v6.4.0.7
I can collect the logs a few minutes (cisco:estreamer:data) and then i received
"Process subscriberParser is dead"
any idea ?
thanks a lot
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
01-09-2025
10:23 AM
|
