Hi All, for the past couple of weeks we have been facing an issue in getting the Sourcefire data into Splunk. Initial troubleshooting revealed that the issue was with log rotation, due to which there were log files with multiple log-rotate names, so we cleared all the logs from the below location using the rm -rf command.
Path:
/opt/splunk/etc/apps/Test-IA-sourcefire/log/
Example:
estreamer.log.1502061292-20170808-20170810-20170816-20170818-20170822-20170824-20170828-20170830-20170905-20170907-20171214
After cleaning the estreamer.log, we tried to restart the Splunk services on one of the Heavy Forwarder instances where the Test-IA-sourcefire app is configured, and disabled and enabled the eStreamer client from the Splunk console, but no luck: we are unable to see any logs in the path /opt/splunk/etc/apps/Test-IA-sourcefire/log.
Troubleshooting: from index=_internal for this app we are getting the below error information when we disable/enable the app.
Error Message:
1) 02-07-2018 05:07:32.932 -0500 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/Test-IA-sourcefire/bin/client_check.py" ValueError: invalid literal for int() with base 10:
2) 02-07-2018 05:07:32.932 -0500 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/Test-IA-sourcefire/bin/client_check.py" os.kill(int(pid), signal.SIGHUP)
3) 02-07-2018 05:07:32.932 -0500 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/Test-IA-sourcefire/bin/client_check.py" File "/opt/splunk/etc/apps/Test-IA-sourcefire/bin/client_check.py", line 134, in killClient
4) 02-07-2018 05:07:32.932 -0500 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/Test-IA-sourcefire/bin/client_check.py" killClient()
5) 02-07-2018 05:09:32.789 -0500 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/Test-IA-sourcefire/bin/client_check.py" File "/opt/splunk/etc/apps/Test-IA-sourcefire/bin/client_check.py", line 233, in <module>
6) 02-06-2018 08:20:30.995 -0500 INFO ExecProcessor - New scheduled exec process: python /opt/splunk/etc/apps/Test-IA-sourcefire/bin/client_check.py
7) 02-06-2018 08:20:31.625 -0500 INFO TailingProcessor - Adding watch on path: /opt/splunk/etc/apps/Test-IA-sourcefire/log.
Kindly guide me on how to fix this issue.
Thanks in advance.
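The traceback above shows client_check.py calling int() on a PID value that is blank, so the os.kill() call never runs and the client is never restarted. The following is an added illustration, not code from the eStreamer app: a hypothetical PID-file handler that turns that failure into a clear status and checks that the process exists before signalling it. The function names and the temp-file layout in demo() are assumptions.

```python
import errno
import os
import signal
import tempfile

def parse_pid(raw):
    """Return a usable PID or None. int('') on a blank file is what raised the thread's ValueError."""
    try:
        pid = int(raw)                   # int() tolerates surrounding whitespace but not ''
    except ValueError:
        return None                      # empty, truncated or garbage pid file
    return pid if pid > 1 else None      # never target pid 0 (own process group) or init

def process_alive(pid):
    """Probe with signal 0: an existence check that delivers no signal."""
    try:
        os.kill(pid, 0)
    except OSError as exc:
        return exc.errno != errno.ESRCH  # EPERM means it exists but belongs to another user
    return True

def hup_client(pid_file):
    """SIGHUP the client in pid_file; return 'missing', 'invalid', 'stale', 'denied' or 'signalled'."""
    try:
        with open(pid_file) as fh:
            pid = parse_pid(fh.read())
    except (IOError, OSError):
        return "missing"      # e.g. the log directory was wiped with rm -rf
    if pid is None:
        return "invalid"      # the unhandled case behind the traceback in the question
    if not process_alive(pid):
        os.remove(pid_file)   # stale file left by a crashed client; clear it so a restart proceeds
        return "stale"
    try:
        os.kill(pid, signal.SIGHUP)
    except OSError:
        return "denied"
    return "signalled"

def demo():
    """Exercise the file-based outcomes against constructed pid files in a temp dir."""
    tmp = tempfile.mkdtemp()
    empty, stale = os.path.join(tmp, "empty.pid"), os.path.join(tmp, "stale.pid")
    open(empty, "w").close()                 # zero-byte file, like a truncated pid file
    with open(stale, "w") as fh:
        fh.write("2147483647\n")             # constructed pid no live process can have
    return {"missing": hup_client(os.path.join(tmp, "none.pid")),
            "invalid": hup_client(empty), "stale": hup_client(stale)}
```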
Glad you got it working!
Doug
You'll need to uninstall the current 2.2.1 and then download and install 2.2.2 following these instructions: https://splunkbase.splunk.com/app/1629/#/details
Hi Douglashurd, the Sourcefire issue got fixed without upgrading the Sourcefire app. Initially we had upgraded the app but it did not work, so we removed the newly upgraded app from the Splunk heavy forwarder instances.
We fixed the issue by executing the below command from /opt/splunk/etc/apps/estreamerapp/bin:
./estreamer_client.pl -c config_nogui.sh
On executing the above command, we were able to search the logs via the Splunk console.
Hi Douglashurd, I have gone through the link; in that link they mention upgrading the app and give the below steps for the upgrade.
Before installing an upgrade to the app, it is recommended to disable the eStreamer client prior to the upgrade and to wait for it to stop before continuing. This can be done from the app Setup page. Ensure the "Upgrade app" check box is selected when installing the app package. Once the upgrade has been completed, and Splunk restarted, the client can be re-enabled from the Setup page.
Meanwhile I tried to execute the below Perl command from /opt/splunk/etc/apps/estreamer/bin.
./estreamer_client.pl did not give any output, but it printed the below usage message:
Usage: estreamer_client.pl [options]
Options:
[-c]onfig=
[-l]ogfile=
[-t]est
[-d]aemon
When I use ./estreamer_client.pl -t I again get the same message; I am not sure what exactly I need to do.
Sourcefire version 5.4.1.10, Splunk version 6.6.1, current app version 2.2.1.
So kindly guide me on whether I can follow the above process to upgrade the app.
There is a 2.2.2 that fixes a few things, mainly an issue with TLS. https://splunkbase.splunk.com/app/1629/
Hi douglashurd, thanks for your support on this. Could you please let me know the steps to be followed to upgrade the app.
Hi Team, can anyone guide me on how to fix this issue.
Thanks in advance.
If you are using Firepower 6.x you need to use this TA: https://splunkbase.splunk.com/app/3662/
Hi douglashurd, thanks for your effort on this. I am not sure which version of Firepower is being used by the security team, but on the Splunk side we are using eStreamer for Splunk version 2.2.1, and it is configured on one of the heavy forwarder instances.
Kindly guide me on this.
If you are using Firepower Version 6.x you need to use this TA: https://splunkbase.splunk.com/app/3662/
Hi All, can anyone guide me on how to fix this issue.
Thanks in advance.
Hi All, can anyone guide me on how to fix the Sourcefire issue.
Thanks in advance.