All Apps and Add-ons

Problems starting the eStreamer client

scc00
Contributor

I have installed the Estreamer for Splunk app and configured it. The PKCs12 certificate is applied, all perl modules are installed. The estreamer.pl ran without errors. The app itself is configured to reach the defense center and I have tested the network connection between the defence center and the splunk server. Everything is working. I enabled the client and restarted splunk and now I get the following client status:

"ERROR: Problems starting the eStreamer client"

I have rechecked all my settings and have not found a reason why the client will not start.Has anyone else encountered this issue?

0 Karma

douglashurd
Builder

A new Splunk Firepower solution is now available if you are using Firepower version 6.x. You can download the new eStreamer eNcore for Splunk and the separately installable dashboard from the two links below:

eStreamer eNcore
https://splunkbase.splunk.com/app/3662/

eNcore Dashboard
https://splunkbase.splunk.com/app/3663/

It is free to use and well documented but if you would like to purchase a TAC Support service so that you can obtain installation and configuration assistance and troubleshooting you can order the software from Cisco (support obligatory with this purchase). The Product Identifier is: FP-SPLUNK-SW-K9.

Regardless of whether you take up the support option or not, updated versions will be made available to all free of charge and posted on Splunkbase as well as Cisco Downloads.

0 Karma

cgrady_sf
Path Finder

eStreamer for Splunk 1.0.4 should be getting released shortly. The big change in this version is that the error messages produced by the client will be represented in the Client Status messages in the Splunk UI. This should definitely make debugging the root cause of a configuration issue easier. Keep an eye out, folks!

0 Karma

scc00
Contributor

Thanks, the_wolverine. I already had that installed in this case.

It turns out the pkcs12 must have had the password entered incorrectly. So we reissued it, changed the permissions on the estreamer.conf to 777 and installed the pkcs12 in the /eStreamer/bin location, restarted Splunk and the status changed to started. Now the logs are coming in.

jwelsh_splunk
Splunk Employee
Splunk Employee

I tried putting the cert in a custom directory - no luck. Followed your suggestion to put cert inside $SPLUNK_HOME/etc/apps/eStreamer/bin and changing permission - worked great! In my opinion the docs should just state to put it there. Appreciate you making this public. Thank you!

0 Karma

scc00
Contributor

I agree. It took a bit of digging to even get to that. The error messages should indicate the root cause.

0 Karma

the_wolverine
Champion

If the password is incorrect, I think you should see errors to that affect. If not, then the script should be updated. As it stands, it seems the app could use some modifications to improve the user experience.

0 Karma

the_wolverine
Champion

We encountered this issue after installing the eStreamer app and discovered that we were missing the NetAddr::IP module (which is currently an undocumented dependency):

Download the following package and install per the instructions: http://search.cpan.org/CPAN/authors/id/M/MI/MIKER/NetAddr-IP-4.072.tar.gz

Also, manually running the estreamer script at CLI will give you additional hints as to what exactly the issue is.

cgrady_sf
Path Finder

Unfortunately the 'SFPkcs12 : Unable to get certificate' error message is an error coming out of the Sourcefire SDK code that is somewhat vague. It usually means the cert password used is incorrect.

0 Karma

cgrady_sf
Path Finder

The Help in 1.0.4 (being released soon), as well as the documentation on the Splunk app portal, now includes the module in the list of dependencies. Sorry for the trouble.

0 Karma

the_wolverine
Champion

Yes, I'm encountering the same issue.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...