topic Re: Splice Error: ExecProcessor - message from "python /opt/splunk/etc/apps/SA-Splice/bin/taxii.py" ERRORlocal in All Apps and Add-ons

Splice Error: ExecProcessor - message from "python /opt/splunk/etc/apps/SA-Splice/bin/taxii.py" ERRORlocal

christopherdick — Tue, 24 Mar 2015 17:03:07 GMT

I have installed Splice and MongoDB on a local search head. I can see Splice connecting to the mongod instance, however it closes the connection almost immediately. The only information I am receiving in Splunk is:

ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/SA-Splice/bin/taxii.py" ERRORlocal

And the logs from Mongo show the following for a connection attempt (mongod -vv):

2015-03-24T12:58:25.088-0400 I NETWORK  [initandlisten] connection accepted from 127.0.0.1:41920 #1 (1 connection now open)
2015-03-24T12:58:25.089-0400 D COMMAND  [conn1] run command admin.$cmd { ismaster: 1 }
2015-03-24T12:58:25.089-0400 I COMMAND  [conn1] command admin.$cmd command: isMaster { ismaster: 1 } keyUpdates:0 writeConflicts:0 numYields:0 reslen:178 locks:{} 0ms
2015-03-24T12:58:25.108-0400 D NETWORK  [conn1] SocketException: remote: 127.0.0.1:41920 error: 9001 socket exception [CLOSED] server [127.0.0.1:41920]
2015-03-24T12:58:25.108-0400 I NETWORK  [conn1] end connection 127.0.0.1:41920 (0 connections now open)

I have verified the search head is able to connect outbound to the internet for updates, as well. Is there any guidance or suggestions on how to address this issue?

Re: Splice Error: ExecProcessor - message from "python /opt/splunk/etc/apps/SA-Splice/bin/taxii.py" ERRORlocal

cleroux_splunk — Tue, 24 Mar 2015 19:26:38 GMT

Have you tried to use one of the provided feeds from hailataxii.com? Or what feed do you use?
Have you checked the rights on the Mongo side if you restricted it (ie: does the provided user can create a database or a collections)?

Re: Splice Error: ExecProcessor - message from "python /opt/splunk/etc/apps/SA-Splice/bin/taxii.py" ERRORlocal

christopherdick — Wed, 25 Mar 2015 17:53:34 GMT

We are using the default haliataxii feeds at this time.

The user we are using to connect to the database is an admin user in the "splice" database. I've logged in and verified the ability to use the database and create collections with the user.

We are using Mongo 3.0.1 right now, but I can't find any documentation saying if that is supported by Splice. We may attempt a downgrade to 2.6 - I know the default authentication method has changed from MONGODB-CR to SCRAM-SHA-1 and I don't think the version of pymongo that ships with Splice supports SCRAM-SHA-1. For what it's worth, I have tried forcing MONGODB-CR in the connection URL, but it has no effect.

Re: Splice Error: ExecProcessor - message from "python /opt/splunk/etc/apps/SA-Splice/bin/taxii.py" ERRORlocal

klaxdal — Thu, 16 Apr 2015 01:02:20 GMT

I am having the same issue - did you resolve it ?

Re: Splice Error: ExecProcessor - message from "python /opt/splunk/etc/apps/SA-Splice/bin/taxii.py" ERRORlocal

cleroux_splunk — Thu, 16 Apr 2015 14:36:17 GMT

It might be linked to an improper IOC definition. You can try to add a local directory monitor (Data Inputs > IOC - Mount Point) and add an IOC in there. If there is no issues with the mongo configuration the IOC should be added to the mongo (so the issue is related to what's carried over the taxii feed). If you do have an IOC file that make SPLICE fails, please send it to me via email.

Re: Splice Error: ExecProcessor - message from "python /opt/splunk/etc/apps/SA-Splice/bin/taxii.py" ERRORlocal

klaxdal — Thu, 16 Apr 2015 17:03:11 GMT

Thanks for the response - what version of MongoDB is compatible ?

Re: Splice Error: ExecProcessor - message from "python /opt/splunk/etc/apps/SA-Splice/bin/taxii.py" ERRORlocal

cleroux_splunk — Thu, 16 Apr 2015 17:09:47 GMT

I've done my testing with Mongo 2.4 on a CentOS 6.x system but it doesn't means that other versions are not compatible, they simply are not tested.

Re: Splice Error: ExecProcessor - message from "python /opt/splunk/etc/apps/SA-Splice/bin/taxii.py" ERRORlocal

christopherdick — Thu, 16 Apr 2015 20:22:55 GMT

Just tested on MongoDB 2.6.9 with a local mount - worked just fine (full defaults with Splice config). Used Flame malware OpenIOC (http://alienvault-labs-garage.googlecode.com/files/af2e8c80-13db-4a57-99ac-460ccd192333.ioc) and Zeus OpenIOC (http://openioc.org/iocs/6d2a1b03-b216-4cd8-9a9e-8827af6ebf93.ioc) to test.

Appears this might be a config problem related to hailataxii.com data sources. Will look at the configurations for those data sources again.

EDIT: Well, egg on my face. Splunk search head is making no DNS queries or outbound connections to hailataxii.com. Will run this down on the system side with the host admin.

Re: Splice Error: ExecProcessor - message from "python /opt/splunk/etc/apps/SA-Splice/bin/taxii.py" ERRORlocal

klaxdal — Fri, 17 Apr 2015 21:16:45 GMT

still no joy - will try my Avalanche feed

Re: Splice Error: ExecProcessor - message from "python /opt/splunk/etc/apps/SA-Splice/bin/taxii.py" ERRORlocal

cleroux_splunk — Wed, 10 Jun 2015 12:20:49 GMT

The problem is in a third party library that Splice uses (pzlocal). The problem is related to CentOS 7 which had removed one particular file the library was relying on. My testing indicates that Mongo 2.4, 2.6 and 3.0 are working correctly with Splice.

Workaround:
Create a file /etc/sysconfig/clock which contains the appropriate timezone like "Europe/Paris"

# cat /etc/sysconfig/clock
ZONE="Europe/Paris"
#

The bug is known by the library developers: https://github.com/regebro/tzlocal/issues/19

Re: Splice Error: ExecProcessor - message from "python /opt/splunk/etc/apps/SA-Splice/bin/taxii.py" ERRORlocal

borgy95 — Fri, 10 Jul 2015 13:18:49 GMT

This solved the issue for me