Per the deployment guide we have three options: https://www.cisco.com/c/en/us/td/docs/security/firepower/630/api/eStreamer_enCore/eStreamereNcoreSplunkOperationsGuide_354.html#_Toc529958496

■ 0: Send all events from the earliest point available on the Firepower Management Center
■ 1: Send all events that occur after receiving the client request
■ 2: Use a bookmark to pick up where we left off. First run is from 0

So, first modify the file to use option 0. Restart the encore, leave it running for some time and verify that you see events. After that you can modify the file to option 1, restart the encore again and verify that events are seen in encore.
Can you please check which Python version you are running? I am asking because I had an issue at a customer where they were running CentOS 8 and the Python version that was running was Python 3.6... I also saw the same exit code in the logs.
Run the script ./splencore.sh test in TA-eStreamer/bin... if you are getting this message:
Traceback (most recent call last):
File "./estreamer/preflight.py", line 33, in
File "/opt/splunk/etc/apps/TA-eStreamer/bin/encore/estreamer/init.py", line 27, in
from estreamer.connection import Connection
File "/opt/splunk/etc/apps/TA-eStreamer/bin/encore/estreamer/connection.py", line 22, in
File "/opt/splunk/lib/python2.7/ssl.py", line 98, in
import _ssl # if we can't import it, let the error propagate
ImportError: libssl.so.1.0.0: cannot open shared object file: No such file or directory
then do this to fix it:
Install Python 2.7
Edit the python script “splencore.sh” at /opt/splunk/etc/apps/TA-eStreamer/bin and remove # from this line #SPLUNK_HOME=/opt/splunk
Save it and restart the Splunk service.
The Python error was fixed, and after a couple of minutes the data was being received properly.
Also try playing around with the Data configuration in the add-on. At the customer, I selected the option "Connections? This is a very high-volume option and may consume significant network and storage usage".
These were the steps I took to fix the issue at the customer. I hope this can help you.
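As an added illustration of the preflight checks described above (not a script from the original post or from the TA-eStreamer add-on), the following POSIX shell snippet does two things: it confirms that a given Python interpreter can load its ssl module (the traceback in the thread is exactly that import failing because libssl could not be resolved) and reports the Python and OpenSSL versions in use, and it checks for, and if necessary uncomments, the SPLUNK_HOME line in the wrapper script. The wrapper file used here is a constructed stand-in written to a temp directory; the real file is /opt/splunk/etc/apps/TA-eStreamer/bin/splencore.sh, and the interpreter to test is taken from the PYTHON environment variable (defaulting to python3) as an assumption for this example.

```shell
#!/bin/sh
# Added example (not from the original post or the add-on): preflight checks for the
# eNcore/TA-eStreamer Python environment discussed in the thread.

# Return 0 if the interpreter can import ssl (i.e. libssl resolves) and print its
# Python and OpenSSL versions; return 1 with the import error otherwise.
check_python_ssl() {
    interp="$1"
    command -v "$interp" >/dev/null 2>&1 || { echo "no interpreter: $interp"; return 1; }
    "$interp" - <<'EOF'
import sys
try:
    import ssl
except ImportError as e:
    sys.stderr.write("ssl import failed: %s\n" % e)
    sys.exit(1)
print("python %d.%d.%d, %s" % (sys.version_info[:3] + (ssl.OPENSSL_VERSION,)))
EOF
}

# Return 0 if SPLUNK_HOME is set (uncommented) in the wrapper script, 1 if the
# line is still commented out or missing.
splunk_home_active() {
    grep -q '^SPLUNK_HOME=' "$1"
}

# Uncomment the "#SPLUNK_HOME=..." line in place (the edit the post describes).
# Written via a temp file so it works with both GNU and BSD sed.
enable_splunk_home() {
    sed 's/^#SPLUNK_HOME=/SPLUNK_HOME=/' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Constructed sample wrapper standing in for splencore.sh, so the example runs offline.
SAMPLE="${TMPDIR:-/tmp}/splencore_sample.sh"
printf '#!/bin/sh\n#SPLUNK_HOME=/opt/splunk\nexec "$SPLUNK_HOME/bin/splunk" cmd python estreamer/preflight.py "$@"\n' > "$SAMPLE"

if splunk_home_active "$SAMPLE"; then
    echo "SPLUNK_HOME already set in $SAMPLE"
else
    enable_splunk_home "$SAMPLE" && echo "enabled SPLUNK_HOME in $SAMPLE"
fi

# PYTHON is an assumed variable for this example; point it at Splunk's interpreter
# (e.g. /opt/splunk/bin/python) to test the environment the add-on actually uses.
check_python_ssl "${PYTHON:-python3}" || echo "ssl preflight failed (compare with the traceback above)"
```

Run it with PYTHON set to the interpreter the add-on invokes; if check_python_ssl fails with the same ImportError as in the thread, the interpreter is the problem, and if it succeeds but splencore.sh still fails, look at the SPLUNK_HOME line next.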