topic Re: How to troubleshoot why I'm not getting any events from ePO with Splunk DB Connect 1 and the Splunk Add-on for McAfee? in All Apps and Add-ons

How to troubleshoot why I'm not getting any events from ePO with Splunk DB Connect 1 and the Splunk Add-on for McAfee?

reswob4 — Fri, 07 Aug 2015 20:17:57 GMT

My question is similar to the below:

http://answers.splunk.com/answers/179701/splunk-db-connect-why-am-i-getting-an-error-config.html

This saga started when I upgraded to 1.2 back on July 17. At the time I was running Java 1.7. Things got a little crazy and I never noticed that I stopped getting data from ePO. Fast forward to this week when I finally noticed that my ePO dashboards weren't working. While troubleshooting, I found that I need to upgrade java to 1.8 as DB Connect 1 version 1.2 didn't work with java 1.7

I upgraded to Java 1.8 and removed versions 1.6 and 1.7. So I now have DB Connect 1 version 1.2 and I also upgraded Splunk Add-on for McAfee to version 2.1.1

Splunk is installed on CentOS 6.5 and McAfee ePO 4.6.9 is running on a Windows 2008R2 server with MSSQL 2008R2.

java bridge is now running just fine.

But here's my problem. I am still not getting any events from ePO.

I've double/triple checked that the domain/username and password are correctly entered. I don't have any errors in splunkd.log, dbx.log or jbridge.log.

However, when I go to the Splunk DB Connect app and go into the Database Info page where it had the Database Tables panel and I click the 'Fetch tables' button, I get nothing back (after, mind you, selecting the correct database in the drop down above).

Also, when I got to Settings- External Databases - mydatabase and try to re-enter the domain/username and password, I get this error:

Encountered the following error while trying to update: In handler 'databases': Error connecting to database: com.ibm.db2.jcc.am.DisconnectNonTransientConnectionException: [jcc][t4][2043][11550][4.19.26] Exception java.net.ConnectException: Error opening socket to server /x.x.x.x on port 3,700 with message: Connection refused. ERRORCODE=-4499, SQLSTATE=08001

And if I go to Settings - Database Inputs - myinput and (without changing anything) click save, I get this error:

Encountered the following error while trying to update: Splunkd daemon is not responding: (u'Error connecting to /servicesNS/-/dbx/dbx/dbmon/dbmon-tail%3A%252F%252Fmcafee_epo_4_db%252Fta_mcafee_epo_4_input: The read operation timed out',)

and finally, if I got to the app itself and go to settings - Splunk DB Connect configuration and click save (with or without changing anything), I get the following error:

Encountered the following error while trying to update: In handler 'localapps': Error while posting to url=/servicesNS/nobody/dbx/dbx/install/java

I'm wondering what else I can do. The two things I know I have not tried are 1) Uninstall and reinstall DB Connect 1 and 2) Install and use DB Connect 2.

Suggestions?

Thanks.

Re: How to troubleshoot why I'm not getting any events from ePO with Splunk DB Connect 1 and the Splunk Add-on for McAfee?

masonmorales — Fri, 07 Aug 2015 21:41:21 GMT

Can you do a telnet to your database from the Splunk server you are running DB Connect on? Connection refused seems to imply a firewall issue.
Use DB Connect v2 it's much more reliable and easier to use than v1.

Re: How to troubleshoot why I'm not getting any events from ePO with Splunk DB Connect 1 and the Splunk Add-on for McAfee?

tskinnerivsec — Fri, 07 Aug 2015 23:48:10 GMT

After you upgraded your java version, did you verify in dbconnect that you configured the app with the new, correct java path? Also, I don't remember dbx2 coming with the jar file for the driver. Take a look at this answers post which clears a couple things up.

http://answers.splunk.com/answers/233188/db-connect-and-java-versions.html

Re: How to troubleshoot why I'm not getting any events from ePO with Splunk DB Connect 1 and the Splunk Add-on for McAfee?

reswob4 — Mon, 10 Aug 2015 13:53:48 GMT

I can telnet to that port and it accepts that connection.

The path is right.

putting the driver .jar files didn't help.

I'm going to try and install DBX2 to see if that works...

Re: How to troubleshoot why I'm not getting any events from ePO with Splunk DB Connect 1 and the Splunk Add-on for McAfee?

reswob4 — Mon, 10 Aug 2015 14:24:29 GMT

Disabled DB Connect 1 and tried installing DB Connect 2. Followed the instructions for configuring.

This is what I get now:

If I try MS SQL server using MS Generic Driver with Windows authentication both with and without checking SSL:
Validating connection with URL [jdbc:sqlserver://x.x.x.x:1433;databaseName=DATABASENAME;selectMethod=cursor;integratedSecurity=true;encrypt=true;trustServerCertificate=true] failed: com.microsoft.sqlserver.jdbc.SQLServerException:com.microsoft.sqlserver.jdbc.SQLServerException: This driver is not configured for integrated authentication. ClientConnectionId:XXXXXXXXXXXXXXXXXXXXXXXXXXXX

If I try MS SQL server using MS Generic Driver both with and without SSL

Validating connection with URL [jdbc:sqlserver://x.x.x.x:1433;databaseName=DATABASENAME;selectMethod=cursor;encrypt=true;trustServerCertificate=true] failed: com.microsoft.sqlserver.jdbc.SQLServerException:com.microsoft.sqlserver.jdbc.SQLServerException: Login failed for user 'DOMAIN/username'. ClientConnectionId:XXXXXXXXXXXXXXXXXX

Re: How to troubleshoot why I'm not getting any events from ePO with Splunk DB Connect 1 and the Splunk Add-on for McAfee?

tskinnerivsec — Mon, 10 Aug 2015 15:19:12 GMT

does the DOMAIN/username account exist in your MSSQL instance and does it have access rights to the ePO database?

Re: How to troubleshoot why I'm not getting any events from ePO with Splunk DB Connect 1 and the Splunk Add-on for McAfee?

jcoates_splunk — Sat, 19 Sep 2015 20:02:46 GMT

We recently released 1.2.1 with the capability to use Java 7 and 8, to assist with this kind of transition.

Re: How to troubleshoot why I'm not getting any events from ePO with Splunk DB Connect 1 and the Splunk Add-on for McAfee?

tskinnerivsec — Sat, 19 Sep 2015 23:59:51 GMT

I've always had issues getting dbx v2 to tail rising column correctly and never had that issue with dbx 1.x

Re: How to troubleshoot why I'm not getting any events from ePO with Splunk DB Connect 1 and the Splunk Add-on for McAfee?

reswob4 — Mon, 21 Sep 2015 14:50:42 GMT

Yes. Verified by using MS SQL Studio Manager and connecting to the DB that way.

Re: How to troubleshoot why I'm not getting any events from ePO with Splunk DB Connect 1 and the Splunk Add-on for McAfee?

reswob4 — Mon, 21 Sep 2015 14:51:05 GMT

I'm at 1.2.1 for DB Connect 1

Re: How to troubleshoot why I'm not getting any events from ePO with Splunk DB Connect 1 and the Splunk Add-on for McAfee?

dbabanov — Fri, 09 Oct 2015 07:27:57 GMT

hi!
do you resolve your problem?

I have same error.

Re: How to troubleshoot why I'm not getting any events from ePO with Splunk DB Connect 1 and the Splunk Add-on for McAfee?

reswob4 — Fri, 09 Oct 2015 12:18:49 GMT

No, I now have a support ticket in. Also, I upgraded from 6.2 to 6.3 and that broke other things (sigh) and I have a ticket in for that. If/when this gets fixed, I'll post an update. (on a side note, I've had problems connecting to ePOs DB with other SIEMs as well)

Re: How to troubleshoot why I'm not getting any events from ePO with Splunk DB Connect 1 and the Splunk Add-on for McAfee?

tskinnerivsec — Fri, 09 Oct 2015 12:49:20 GMT

ePO database seems to have been causing everyone else issues for year. When will McAfee ever wise up and include an option to dump a copy of log files to filesystem like Symantec (one of the only features that I really like about their AV management console)

Re: How to troubleshoot why I'm not getting any events from ePO with Splunk DB Connect 1 and the Splunk Add-on for McAfee?

reswob4 — Fri, 04 Dec 2015 18:35:03 GMT

On wrap up, I have the latest version of DB Connect 1 (1.2.2) and java 1.7 and I finally got the connection working.

1.2.2 says it works with java 1.8, but I'm staying with what works for now....