New Member

Splunk Estreamer App with FMC 6.2.0.1

Recently updated FMC to 6.2.0.1. The eStreamer client now only sends 5 or so events and then the eStreamer client fails, both on Splunk and in host-based client testing. Also, the server does not seem to respond to changes in the event type delivery options. Is the eStreamer app not compatible with FMC 6.2.0.1?

4 REPLIES
New Member

After a reboot of the FMC, the reference client (latest supported version; I have tested eNcore) grabs events correctly; however, the eStreamer Splunk app client still fails after 5 or so events, and only discovery events.

Cisco Employee

The eNcore version is failing? It's not clear to me which version you mean.

Could you email any details to encorebeta2@cisco.com please?

Doug

Anonymous
N/A

Same issue here, running eStreamer 2.2.1 (...). This workaround seems to fix this issue:

#!/bin/bash
# Run the app's Perl reference client directly, using the eStreamer app's own
# config file (-c) and log file (-l) under /opt/splunk/etc/apps/eStreamer.
/usr/bin/perl /opt/splunk/etc/apps/eStreamer/bin/estreamer_client.pl -d -c /opt/splunk/etc/apps/eStreamer/local/estreamer.conf -l /opt/splunk/etc/apps/eStreamer/log/estreamer.log

Note: According to the Splunk forums, eStreamer may only fetch certain data (not all data types are supported any more).
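Since the thread reports the client dying after a handful of events, the workaround above only helps until the next exit. The following supervisor wrapper is an added example, not code from the thread or from the Splunk eStreamer app: it reruns the same client command with the same paths and flags from the workaround post, restarts it with a capped backoff only when it exits non-zero, and gives up after a bounded number of restarts so a broken FMC release does not produce an endless restart loop. It assumes the client runs in the foreground with those flags; MAX_RESTARTS and the backoff schedule are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): supervise the eStreamer reference client.
# Command, paths and flags are copied from the workaround post; the restart
# budget and backoff schedule are assumptions of this example.

CLIENT="/usr/bin/perl /opt/splunk/etc/apps/eStreamer/bin/estreamer_client.pl"
CONF=/opt/splunk/etc/apps/eStreamer/local/estreamer.conf
LOG=/opt/splunk/etc/apps/eStreamer/log/estreamer.log
MAX_RESTARTS=${MAX_RESTARTS:-20}   # assumed budget before the wrapper gives up

# backoff_seconds N -> delay before restart number N: 1, 2, 4, ... capped at 60
backoff_seconds() {
    n=$1
    d=1
    i=1
    while [ "$i" -lt "$n" ]; do
        d=$((d * 2))
        if [ "$d" -ge 60 ]; then d=60; break; fi
        i=$((i + 1))
    done
    echo "$d"
}

# should_restart EXIT_CODE COUNT -> success (0) if the client exited abnormally
# and the restart budget is not exhausted; a clean exit 0 is treated as a
# deliberate shutdown and is not restarted
should_restart() {
    code=$1
    count=$2
    [ "$code" -ne 0 ] || return 1
    [ "$count" -lt "$MAX_RESTARTS" ] || return 1
    return 0
}

# supervise: run the client, restart on abnormal exit with backoff, stop when
# it exits cleanly or the restart budget is used up
supervise() {
    count=0
    rc=0
    while :; do
        $CLIENT -d -c "$CONF" -l "$LOG"
        rc=$?
        count=$((count + 1))
        should_restart "$rc" "$count" || break
        delay=$(backoff_seconds "$count")
        echo "estreamer client exited rc=$rc; restart $count/$MAX_RESTARTS in ${delay}s" >&2
        sleep "$delay"
    done
    echo "supervisor stopping after $count run(s), last rc=$rc" >&2
    return "$rc"
}

# Only start the client when invoked as: sh supervise_estreamer.sh run
if [ "${1:-}" = "run" ]; then
    supervise
fi
```

Run it as `sh supervise_estreamer.sh run` (file name assumed) from the Splunk user, and watch the log file named on the command line together with the restart messages on stderr; a client that keeps exiting until the budget is exhausted is a sign the FMC release itself is the problem rather than a transient connection drop.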

New Member

Re: Splunk Estreamer App with FMC 6.2.0.1

Have a look at https://bst.cloudapps.cisco.com/bugsearch/bug/CSCve44987/?referring_site=bugquickviewredir

There's a known eStreamer issue with sending corrupt messages in a few releases from this year. 6.1.0.5 claims to have it fixed (posted August 30th), as does 6.2.0.2 (posted May 30th).

We've had a few QRadar customers run into this issue as well and I suspect this is the solution.