Vibhor Amrodia
Cisco Employee

Symptoms

You are encountering an issue with the AMP Event Stream and are unable to connect to an event stream resource using the AMQP protocol or the Splunk AMP for Endpoints Event Stream Input app.

Diagnosis

During a recent update to address issues with the event streaming API, the queue credentials may have been reset.

Solution

There are two ways to reset the Event Stream:

1) If you are using the Splunk App:

Within the Splunk console or heavy forwarder with the AMP for Endpoints Events Input app installed:

Determine which inputs are not working and delete them, noting the existing event types and groups selections:

Splunk console > AMP for Endpoints Events Input > Inputs > Delete

Finally, re-create them using the same event types and groups selections:

Splunk console > AMP for Endpoints Events Input > New Input (enter in data) > Save


2) If you are not using the Splunk App, you can reset the Event Stream using the REST API.

List the event streams in your organization using the REST API:

GET v1/event_streams

Determine which event streams are no longer working. If you do not have the existing credentials, you will have to delete and re-create the stream:

DELETE v1/event_streams/{:id}

Create the new event stream using the REST API:
POST v1/event_streams
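The REST API procedure above, worked through as an added example (this is not code from the original post or from Cisco): it takes the parsed GET v1/event_streams body, plans the DELETE and POST calls for the streams you have identified as broken, and carries each stream's event type and group selections over to its replacement so the new stream matches the old one. The API host, the response field names and the POST parameter names are assumptions; check them against the AMP for Endpoints API documentation for your tenant.

```python
import json

# Assumed AMP for Endpoints API host; confirm it for your cloud region.
API_BASE = "https://api.amp.cisco.com"


def plan_reset(list_response, broken_ids):
    """Build the DELETE/POST calls needed to reset each stream id in broken_ids.

    list_response is the parsed JSON body of GET v1/event_streams. The field
    names ("data", "id", "name", "event_types", "groups") and the POST
    parameters ("event_type", "group_guid") are assumptions; adjust them to
    what your tenant actually returns and accepts.
    """
    calls = []
    for stream in list_response.get("data", []):
        if stream["id"] not in broken_ids:
            continue
        # Step 1: delete the stream whose queue credentials no longer work
        calls.append({"method": "DELETE",
                      "path": f"/v1/event_streams/{stream['id']}"})
        # Step 2: re-create it with the same event type and group selections
        calls.append({"method": "POST", "path": "/v1/event_streams",
                      "body": {"name": stream["name"],
                               "event_type": [e["id"] for e in stream.get("event_types", [])],
                               "group_guid": [g["guid"] for g in stream.get("groups", [])]}})
    return calls


def as_curl(call, client_id="CLIENT_ID", api_key="API_KEY"):
    """Render one planned call as a curl command using HTTP basic auth (API client id and key)."""
    cmd = f"curl -u {client_id}:{api_key} -X {call['method']} {API_BASE}{call['path']}"
    if "body" in call:
        cmd += " -H 'Content-Type: application/json' -d '" + json.dumps(call["body"]) + "'"
    return cmd


# Constructed sample standing in for a real GET v1/event_streams response body;
# the ids and guid are placeholders, not real tenant values.
SAMPLE_LIST = {"data": [
    {"id": 1, "name": "splunk-prod", "event_types": [{"id": 1001, "name": "Threat Detected"}],
     "groups": [{"guid": "00000000-0000-0000-0000-000000000001"}]},
    {"id": 2, "name": "qradar-broken", "event_types": [{"id": 1002, "name": "Threat Quarantined"}],
     "groups": []},
]}

if __name__ == "__main__":
    # Stream 2 was found not to be working; print the calls that reset it.
    for call in plan_reset(SAMPLE_LIST, {2}):
        print(as_curl(call))
```

Record the amqp credentials returned by the POST response immediately; they are only shown on creation and the consumer (Splunk input or other AMQP client) must be updated with them.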

Please ignore the message if you have validated that your event streams are working properly. We apologize for any inconvenience and appreciate your patience as we continue to improve our product functionality.

Comments
MichaelErana
Level 1

This is helpful. However, I use QRadar with their provided DSM for AMP and that's been crippled since this update.


I've followed the instructions in creating a new Event Stream and that still fails.


(Screenshot: QRadar DSM Error message)

I'd welcome the opportunity to act as a bridge between Cisco AMP support and IBM support to hash out this issue.


Thanks for your attention.


Michael Eraña, CISA, CISSP

“Dance like no one’s watching. Encrypt like everyone is.”
