
Sourcefire estreamer.logs have stopped and client_check.py is unable to start?

Hemnaath
Motivator

Hi All, for the past couple of weeks we have been facing an issue getting the Sourcefire data into Splunk. Initial troubleshooting revealed that the issue was with log rotation, due to which there were log files with multiple log-rotate names, so we cleared all the logs from the below location using the rm -rf command.
Path:

/opt/splunk/etc/apps/Test-IA-sourcefire/log/

Example:

estreamer.log.1502061292-20170808-20170810-20170816-20170818-20170822-20170824-20170828-20170830-20170905-20170907-20171214

After cleaning the estreamer.log, we tried to restart the Splunk services on one of the Heavy Forwarder instances where the Test-IA-sourcefire app is configured, and disabled and enabled the estreamer client from the Splunk console, but no luck: we are unable to see any logs in the path /opt/splunk/etc/apps/Test-IA-sourcefire/log.

Troubleshooting: from index=_internal for this app we get the below error information when we disable/enable the app.

Error Message:

1) 02-07-2018 05:07:32.932 -0500 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/Test-IA-sourcefire/bin/client_check.py" ValueError: invalid literal for int() with base 10: 

2) 02-07-2018 05:07:32.932 -0500 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/Test-IA-sourcefire/bin/client_check.py"     os.kill(int(pid), signal.SIGHUP)

3) 02-07-2018 05:07:32.932 -0500 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/Test-IA-sourcefire/bin/client_check.py"   File "/opt/splunk/etc/apps/Test-IA-sourcefire/bin/client_check.py", line 134, in killClient

4) 02-07-2018 05:07:32.932 -0500 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/Test-IA-sourcefire/bin/client_check.py"     killClient()

5) 02-07-2018 05:09:32.789 -0500 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/Test-IA-sourcefire/bin/client_check.py"   File "/opt/splunk/etc/apps/Test-IA-sourcefire/bin/client_check.py", line 233, in <module>

6) 02-06-2018 08:20:30.995 -0500 INFO  ExecProcessor - New scheduled exec process: python /opt/splunk/etc/apps/Test-IA-sourcefire/bin/client_check.py

7) 02-06-2018 08:20:31.625 -0500 INFO TailingProcessor - Adding watch on path: /opt/splunk/etc/apps/Test-IA-sourcefire/log.

Kindly guide me on how to fix this issue.

Thanks in advance.

0 Karma
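The traceback in the post ends in int() being handed an empty string inside killClient, at os.kill(int(pid), signal.SIGHUP): whatever client_check.py read as the PID was blank. As an added illustration (this is not the app's code, and the page does not show how the app stores or reads its PID), the following hypothetical Python handles a PID file the way a defensive version of such a check could, reporting empty, non-numeric, non-positive and stale values as distinct outcomes instead of crashing. The file names, helper names and the constructed sample PID files are assumptions.

```python
import errno
import os
import signal
import subprocess
import tempfile


def read_pid(pid_path):
    """Return the PID stored in pid_path as an int.

    Returns None when the file is missing, empty, or holds anything other
    than a base-10 integer, i.e. exactly the inputs that would otherwise
    raise ValueError in int() as in the traceback in the post.
    """
    try:
        with open(pid_path) as fh:
            raw = fh.read().strip()
    except (IOError, OSError):
        return None
    if not raw.isdigit():          # covers '' as well as garbage like 'abc'
        return None
    return int(raw)


def pid_is_running(pid):
    """Probe a PID with signal 0, which checks existence without signalling."""
    try:
        os.kill(pid, 0)
    except OSError as exc:
        if exc.errno == errno.ESRCH:   # no such process
            return False
        return True                    # EPERM: exists, owned by another user
    return True


def kill_client(pid_path, sig=signal.SIGHUP):
    """Signal the client recorded in pid_path and report what happened.

    Return values: 'no-pid' (file missing, empty or unparseable),
    'invalid-pid' (non-positive; os.kill(0, ...) would hit the whole process
    group, so never forward such a value), 'stale' (the PID no longer exists;
    the file is removed so the next start is clean) or 'signalled'.
    """
    pid = read_pid(pid_path)
    if pid is None:
        return "no-pid"
    if pid <= 0:
        return "invalid-pid"
    if not pid_is_running(pid):
        os.remove(pid_path)
        return "stale"
    os.kill(pid, sig)
    return "signalled"


def write_pid_file(content):
    """Write a constructed PID file in a temp dir and return its path (assumed helper)."""
    fd, path = tempfile.mkstemp(prefix="estreamer_", suffix=".pid")
    with os.fdopen(fd, "w") as fh:
        fh.write(content)
    return path


def demo():
    """Exercise the three failure modes plus the happy path; returns a dict of outcomes."""
    results = {}
    results["empty"] = kill_client(write_pid_file(""))            # the post's case
    results["garbage"] = kill_client(write_pid_file("not-a-pid\n"))
    # A finished, reaped child gives a PID that no longer exists.
    child = subprocess.Popen(["true"])
    child.wait()
    results["stale"] = kill_client(write_pid_file("%d\n" % child.pid))
    # Our own PID with signal 0 takes the 'signalled' branch harmlessly.
    results["live"] = kill_client(write_pid_file(str(os.getpid())), sig=0)
    return results


if __name__ == "__main__":
    for name, outcome in sorted(demo().items()):
        print("%-8s -> %s" % (name, outcome))
```

The point for troubleshooting is that an empty PID file is a state problem, not a code problem: once the process that wrote it is gone (or its working directory was cleared), the check should report that clearly and let the client be started fresh rather than failing before it gets that far.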

douglashurd
Builder

Glad you got it working!

Doug

0 Karma

douglashurd
Builder

You'll need to uninstall the current 2.2.1 and then download and install 2.2.2 following these instructions: https://splunkbase.splunk.com/app/1629/#/details

0 Karma

Hemnaath
Motivator

Hi Douglashurd, the Sourcefire issue got fixed without upgrading the Sourcefire app. Initially we had upgraded the app, but it did not work, so we removed the newly upgraded app from the Splunk heavy forwarder instances.

We fixed the issue by executing the below command from /opt/splunk/etc/apps/estreamerapp/bin

./estreamer_client.pl -c config_nogui.sh

On executing the above command, we were able to search the logs via the Splunk console.

0 Karma

Hemnaath
Motivator

Hi Douglashurd, I went through the link, and in it they mention upgrading the app and give the below steps for the upgrade.

Before installing an upgrade to the app, it is recommended to disable the eStreamer client prior to the upgrade and to wait for it to stop before continuing. This can be done from the app Setup page. Ensure the "Upgrade app" check box is selected when installing the app package. Once the upgrade has been completed, and Splunk restarted, the client can be re-enabled from the Setup page.

And meanwhile I tried to execute the below perl command from /opt/splunk/etc/apps/estreamer/bin

./estreamer_client.pl did not give any output but threw the below detail:

Usage: estreamer_client.pl [options]
Options:
[-c]onfig=
[-l]ogfile=
[-t]est
[-d]aemon

When I use ./estreamer_client.pl -t I get the same message again; not sure what exactly I need to do.

Sourcefire version 5.4.1.10, Splunk version 6.6.1, current app version 2.2.1

So kindly guide me on whether I can follow the above process to upgrade the app.

0 Karma

douglashurd
Builder

There is a 2.2.2 that fixes a few things. Mainly, an issue with TLS. https://splunkbase.splunk.com/app/1629/

0 Karma

Hemnaath
Motivator

Hi douglashurd, thanks for your support on this. Could you please let me know the steps to be followed to upgrade the app.

0 Karma

Hemnaath
Motivator

Hi Team, can anyone guide me on how to fix this issue.

Thanks in advance.

0 Karma

douglashurd
Builder

If you are using Firepower 6.x you need to use this TA: https://splunkbase.splunk.com/app/3662/

0 Karma

Hemnaath
Motivator

Hi douglashurd, thanks for your effort on this. I am not sure what version of Firepower is being used by the security team, but from the Splunk side we are using eStreamer for Splunk version 2.2.1, and it is configured on one of the heavy forwarder instances.

Kindly guide me on this.

0 Karma

douglashurd
Builder

If you are using Firepower Version 6.x you need to use this TA: https://splunkbase.splunk.com/app/3662/

0 Karma

Hemnaath
Motivator

Hi All, can anyone guide me on how to fix this issue.

Thanks in advance.

0 Karma

Hemnaath
Motivator

Hi All, can anyone guide me on fixing the Sourcefire issue.

Thanks in advance.

0 Karma