Hi! Good day to you all,
Today, we're currently ingesting data from eStreamer but this occured:
2018-11-09 15:55:15,479 Controller INFO Platform version: Linux-3.10.0-862.el7.x86_64-x86_64-with-centos-7.5.1804-Core
2018-11-09 15:55:15,480 Controller INFO Starting client (pid=14528).
2018-11-09 15:55:15,481 Controller INFO Sha256: d81b381ef933679d508d0c5ac1f95caa98ebf2aff094debecf52471917901bc8
2018-11-09 15:55:15,491 Controller INFO Processes: 4
2018-11-09 15:55:15,492 Controller INFO Settings: KGRwMApWbW9uaXRvcgpwMQooZHAyClZib29rbWFyawpwMwpJMDAKc1Z2ZWxvY2l0eQpwNApJMDAKc1ZoYW5kbGVkCnA1CkkwMQpzVnBlcmlvZApwNgpJMTIwCnNWc3Vic2NyaWJlZApwNwpJMDEKc3NWaGFuZGxlcgpwOAooZHA5ClZyZWNvcmRzCnAxMAooZHAxMQpWZXhjbHVkZQpwMTIKKGxwMTMKc1Zjb3JlCnAxNApJMDEKc1ZleGNsQGNvbW1lbnQKcDE1CihscDE2ClZUaGVzZSByZWNvcmRzIHdpbGwgYmUgZXhjbHVkZWQgcmVnYXJkbGVzcyBvZiBhYm92ZSAob3ZlcnJpZGVzICdpbmNsdWRlJykKcDE3CmFWZS5nLiB0byBleGNsdWRlIGZsb3cgYW5kIElQUyBldmVudHMgdXNlIFsgNzEsIDQwMCBdCnAxOAphc1ZwYWNrZXRzCnAxOQpJMDEKc1ZpbnRydXNpb24KcDIwCkkwMQpzVmluY0Bjb21tZW50CnAyMQpWVGhlc2UgcmVjb3JkcyB3aWxsIGJlIGluY2x1ZGVkIHJlZ2FyZGxlc3Mgb2YgYWJvdmUKcDIyCnNWcnVhCnAyMwpJMDEKc1ZybmEKcDI0CkkwMQpzVmluY2x1ZGUKcDI1CihscDI2CnNWY29ubmVjdGlvbnMKcDI3CkkwMQpzVm1ldGFkYXRhCnAyOApJMDAKc3NWb3V0cHV0dGVycwpwMjkKKGxwMzAKKGRwMzEKVmVuYWJsZWQKcDMyCkkwMQpzVmFkYXB0ZXIKcDMzClZzcGx1bmsKcDM0CnNWc3RyZWFtCnAzNQooZHAzNgpWdXJpCnAzNwpWcmVsZmlsZTovLy8uLi8uLi9kYXRhL2VuY29yZS57MH0ubG9nCnAzOApzVm9wdGlvbnMKcDM5CihkcDQwClZtYXhMb2dzCnA0MQpJMTAwMDAKc1Zyb3RhdGUKcDQyCkkwMQpzc3Nhc1ZvdXRwdXRAY29tbWVudApwNDMKVklmIHlvdSBkaXNhYmxlIGFsbCBvdXRwdXR0ZXJzIGl0IGJlaGF2ZXMgYXMgYSBzaW5rCnA0NApzc1ZzdGFyQGNvbW1lbnQKcDQ1ClYwIGZvciBnZW5lc2lzLCAxIGZvciBub3csIDIgZm9yIGJvb2ttYXJrCnA0NgpzVnN1YnNjcmlwdGlvbgpwNDcKKGRwNDgKVnNlcnZlcnMKcDQ5CihscDUwCihkcDUxClZ0bHNAY29tbWVudApwNTIKVlZhbGlkIHZhbHVlcyBhcmUgMS4wIGFuZCAxLjIKcDUzCnNWdGxzVmVyc2lvbgpwNTQKRjEuMgpzVnBrY3MxMkZpbGVwYXRoCnA1NQpWY2xpZW50LnBrY3MxMgpwNTYKc1Zob3N0CnA1NwpWMTAuMC4zMS44MApwNTgKc1Zwb3J0CnA1OQpJODMwMgpzYXNWcmVjb3JkcwpwNjAKKGRwNjEKVmltcGFjdEV2ZW50QWxlcnRzCnA2MgpJMDEKc1ZleHRlbmRlZApwNjMKSTAxCnNWZXZlbnRFeHRyYURhdGEKcDY0CkkwMQpzVmludHJ1c2lvbgpwNjUKSTAxCnNWcGFja2V0RGF0YQpwNjYKSTAxCnNWQGNvbW1lbnQKcDY3CihscDY4ClZKdXN0IGJlY2F1c2Ugd2Ugc3Vic2NyaWJlIGRvZXNuJ3QgbWVhbiB0aGUgc2VydmVyIGlzIHNlbmRpbmcuIE5vciBkb2VzIGl0IG1lYW4KcDY5CmFWd2UgYXJlIHdyaXRpbmcgdGhlIHJlY29yZHMgZWl0aGVyLiBTZWUgaGFuZGxlci5yZWNvcmRzW10KcDcwCmFzVmFyY2hpdmVUaW1lc3RhbXBzCnA3MQpJMDEKc1ZtZXRhZGF0YQpwNzIKSTAxCnNzc1Zjb25kaXRpb25zCnA3MwoobHA3NApWc3BsdW5rCnA3NQphc1ZzdGFydApwNzYKSTIKc1Zjb25uZWN0VGltZW91dApwNzcKSTEwCnNWbG9nZ2luZwpwNzgKKGRwNzkKVmxldmVsCnA4MApWSU5GTwpwODEKc1ZmaWxlcGF0aApwODIKVmVzdHJlYW1lci5sb2cKcDgzCnNWc3RkT3V0CnA4NApJMDEKc1Zmb3JtYXQKcDg1ClYlKGFzY3RpbWUpcyAlKG5hbWUpLTEycyAlKGxldmVsbmFtZSktOHMgJShtZXNzYWdlKXMKcDg2CnNWc3RkRXJyCnA4NwpJMDAKc1ZsZXZAY29tbWVudApwODgKVkxldmVscyBpbmNsdWRlIEZBVEFMLCBFUlJPUiwgV0FSTklORywgSU5GTywgREVCVUcsIFZFUkJPU0UgYW5kIFRSQUNFCnA4OQpzc1ZyZXNwb25zZVRpbWVvdXQKcDkwCkkyCnNWd29ya2VyUHJvY2Vzc2VzCnA5MQpJNApzVmVuYWJsZWQKcDkyCkkwMQpzLg==
2018-11-09 15:55:15,493 Diagnostics INFO Check certificate
2018-11-09 15:55:15,493 Diagnostics INFO Creating connection
2018-11-09 15:55:15,493 Connection INFO Connecting to xx.xx.xx.xx:8302
2018-11-09 15:55:15,493 Connection INFO Using TLS v1.2
2018-11-09 15:55:15,504 Diagnostics INFO Creating request message
2018-11-09 15:55:15,505 Diagnostics INFO Request message=0001000200000008ffffffff48900061
2018-11-09 15:55:15,505 Diagnostics INFO Sending request message
2018-11-09 15:55:15,505 Diagnostics INFO Receiving response message
2018-11-09 15:55:15,517 Diagnostics ERROR The FMC eStreamer server has closed the connection. There are a number of possible causes which may show above in the error log.\n\nIf you see no errors then this could be that:\n * the server is shutting down\n * there has been a client authentication failure (please check that your outbound IP address matches that associated with your certificate - note that if your device is subject to NAT then the certificate IP must match the upstream NAT IP)\n * there is a problem with the server. If you are running FMC v6.0, you may need to install "Sourcefire 3D Defense Center S3 Hotfix AZ 6.1.0.3-1"\n
2018-11-09 15:55:15,517 Controller ERROR ConnectionClosedException: Connection closed\nTraceback (most recent call last):\n File "/opt/splunk/etc/apps/TA-eStreamer/bin/encore/estreamer/controller.py", line 244, in start\n diagnostics.execute()\n File "/opt/splunk/etc/apps/TA-eStreamer/bin/encore/estreamer/diagnostics.py", line 96, in execute\n response = connection.response()\n File "/opt/splunk/etc/apps/TA-eStreamer/bin/encore/estreamer/connection.py", line 182, in response\n dataBuffer = self.__read( 8 )\n File "/opt/splunk/etc/apps/TA-eStreamer/bin/encore/estreamer/connection.py", line 159, in __read\n raise estreamer.ConnectionClosedException('Connection closed')\nConnectionClosedException: Connection closed\n
2018-11-09 15:55:15,518 Controller INFO Stopping...
2018-11-09 15:55:15,518 Monitor INFO Stopping Monitor.
2018-11-09 15:55:15,518 Controller INFO Goodbye
Please help.
I saw same issue today. eNcore Version 3.5.8 ; FMC version 6.2.3.14
I realized that the hostname provided to generate the certificate in FMC was not the same as that of the splunk server on which the eNcore app is being installed.
I re-generated the certificate with the same hostname as the Splunk server and the issue resolved.
With 6.x firepower you'll want to be on encore version 3.5.4
https://splunkbase.splunk.com/app/3662/
I would open a ticket with Cisco TAC. This sure looks like a connection problem or authentication problem. What versions of the FMC and eNcore are you running?
Is the Cisco eStreamer for Splunk(v.2.2.2) compatible with Splunk 7.2?
We currently use FMC Version 6.1.0.4 and eNcore v.3.15 but we can't seem to connect due to client authentication problem. Is this "client authentication" refers to the pkcs12 in the splunk server? If yes, we didnt set a password but it still logs that problem.