https://community.cisco.com/t5/network-security/estreamer-log-collection/m-p/4022016#M1010240 Hi<BR /><BR />Did you make sure the connection is working when testing from fmc? All certificates are exchanged between the 2 systems?<BR />Can you check the status from the expert mode: manage_estreamer.pl status<BR /><BR />Here a doc showing how to enable it (start and stop if already enabled):<BR /><A href="https://www.cisco.com/c/en/us/td/docs/security/firesight/540/api/estreamer/EventStreamerIntegrationGuide/ConfiguringEstreamer.html" target="_blank">https://www.cisco.com/c/en/us/td/docs/security/firesight/540/api/estreamer/EventStreamerIntegrationGuide/ConfiguringEstreamer.html</A><BR /> Sat, 01 Feb 2020 04:46:13 GMT Francesco Molino 2020-02-01T04:46:13Z https://community.cisco.com/t5/network-security/estreamer-log-collection/m-p/4021614#M1010239 <P>Hello,</P><P>&nbsp;</P><P>We recently upgraded the FMC to 6.2.2 and we re-initiated the logging from the client ( a linux based SIEM) but we observed the below error</P><P>&nbsp;</P><P>Error reading events from "FMC IP". java.io.IOException: Connection is broken. Read operation return "-1";</P><P>&nbsp;</P><P>While running a packet capture on the SIEM, I can see that the FMC is sending a Reset packet but don't know why.</P><P>&nbsp;</P><P><BR />FMC IP.8302 &gt; SIEM IP.25996: Flags [P.], cksum 0x3595 (correct), seq 2137:2228, ack 2761, win 191, length 91<BR />11:18:49.767299 IP (tos 0x0, ttl 64, id 60754, offset 0, flags [DF], proto TCP (6), length 125)<BR />SIEM IP.25996 &gt; FMC IP.8302: Flags [P.], cksum 0x6d5a (incorrect -&gt; 0xe280), seq 2761:2846, ack 2228, win 24576, length 85<BR />11:18:49.767459 IP (tos 0x0, ttl 63, id 63338, offset 0, flags [DF], proto TCP (6), length 109)<BR />FMC IP.8302 &gt; SIEM IP.25996: Flags [FP.], cksum 0x9e45 (correct), seq 2228:2297, ack 2761, win 191, length 69<BR />11:18:49.767544 IP (tos 0x0, ttl 63, id 59607, offset 0, flags [DF], proto TCP (6), length 40)<BR />FMC IP.8302 &gt; SIEM IP.25996: Flags [R], cksum 0xf4a1 (correct), seq 783522214, win 0, length 0<BR />11:18:49.767555 IP (tos 0x0, ttl 64, id 60755, offset 0, flags [DF], proto TCP (6), length 40)<BR />SIEM IP.25996 &gt; FMC IP.8302: Flags [.], cksum 0xd827 (correct), ack 2298, win 24576, length 0<BR />11:18:49.767692 IP (tos 0x0, ttl 64, id 60756, offset 0, flags [DF], proto TCP (6), length 109)<BR />SIEM IP.25996 &gt; FMC IP.8302: Flags [FP.], cksum 0x6d4a (incorrect -&gt; 0xdb0c), seq 2846:2915, ack 2298, win 24576, length 69<BR />11:18:49.767767 IP (tos 0x0, ttl 63, id 59608, offset 0, flags [DF], proto TCP (6), length 40)<BR />FMC IP.8302 &gt; SIEM IP.25996: Flags [R], cksum 0xf45b (correct), seq 783522284, win 0, length 0<BR />11:18:49.767907 IP (tos 0x0, ttl 63, id 59609, offset 0, flags [DF], proto TCP (6), length 40)<BR />FMC IP.8302 &gt; SIEM IP.25996: Flags [R], cksum 0xf45b (correct), seq 783522284, win 0, length 0<BR />11:18:55.781068 IP (tos 0x0, ttl 64, id 50851, offset 0, flags [DF], proto TCP (6), length 52)</P> Fri, 31 Jan 2020 11:35:49 GMT https://community.cisco.com/t5/network-security/estreamer-log-collection/m-p/4021614#M1010239 True Warrior 2020-01-31T11:35:49Z https://community.cisco.com/t5/network-security/estreamer-log-collection/m-p/4022016#M1010240 Hi<BR /><BR />Did you make sure the connection is working when testing from fmc? All certificates are exchanged between the 2 systems?<BR />Can you check the status from the expert mode: manage_estreamer.pl status<BR /><BR />Here a doc showing how to enable it (start and stop if already enabled):<BR /><A href="https://www.cisco.com/c/en/us/td/docs/security/firesight/540/api/estreamer/EventStreamerIntegrationGuide/ConfiguringEstreamer.html" target="_blank">https://www.cisco.com/c/en/us/td/docs/security/firesight/540/api/estreamer/EventStreamerIntegrationGuide/ConfiguringEstreamer.html</A><BR /> Sat, 01 Feb 2020 04:46:13 GMT https://community.cisco.com/t5/network-security/estreamer-log-collection/m-p/4022016#M1010240 Francesco Molino 2020-02-01T04:46:13Z