topic Symantec Cloud Scripted Input in Getting Data In

Symantec Cloud Scripted Input

smaat11 — Mon, 08 Jun 2020 23:53:05 GMT

Evaluating Symantec EndPoint Protection Cloud product which has a technote for getting events into Splunk Enterprise running on a Windows Server.

Created a scripted input per the Symantec Technote

Symantec Technote

however I get the following error in SPLUNKD.log

ERROR ExecProcessor - Couldn't start command ""C:\Program Files\Splunk\bin\scripts\wrapper.sh"": FormatMessage was unable to decode error (193), (0xc1)

The scripted input uses a wrapper (wrapper.sh) for calling a python script. Contents of the wrapper.sh file are

#!/bin/bash /usr/bin/python /Applications/Splunk/bin/scripts/ExportClient.py

If I try and execute the actual python script (ExportClient.py) from the command line I get the following error:

C:\Program Files\Splunk\bin>splunk cmd python scripts\ExportClient.py
Traceback (most recent call last):
File "scripts\ExportClient.py", line 8, in
import dateutil.parser
ImportError: No module named dateutil.parser

Any help is appreciated.

Re: Symantec Cloud Scripted Input

smaat11 — Tue, 27 Mar 2018 21:29:34 GMT

Went and coped the dateutil library to the /Applications/Splunk/bin/scripts/ directory, and tried re-running ExportClient.py script from the command line. THis time received the following error:

C:\Program Files\Splunk\bin>splunk cmd python scripts\ExportClient.py
Traceback (most recent call last):
  File "scripts\ExportClient.py", line 8, in <module>
    import dateutil.parser
  File "C:\Program Files\Splunk\bin\scripts\dateutil\parser\__init__.py", line 2
, in <module>
    from ._parser import parse, parser, parserinfo
  File "C:\Program Files\Splunk\bin\scripts\dateutil\parser\_parser.py", line 42
, in <module>
    import six
ImportError: No module named six

My guess is the Symantec Documentation is making an assumption on what python modules are installed since now it can't seem to find "six". I am running Splunk Enterprise is 6.6.1. is there difference in the python that is included with version 7 ?

Re: Symantec Cloud Scripted Input

smaat11 — Wed, 11 Apr 2018 14:09:40 GMT

Finally got back to working on this...

Still new to Splunk, Python and the Symantec Cloud app, but it appeared like the Symantec instructions were written more for a Linux implementation of Splunk....

Anyway, I partially got this to work by:

(1) Upgrading to Splunk 7.03
(2) Downloading/Copying the Dateutil library into the \bin\scripts directory
(3) Changing the Path variable to the SEPConfig.Ini file in the ExportClient.py script.

OLD

r3_url = "https://usea1.r3.securitycloud.symantec.com/r3_epmp_i"
oauth_url = "/oauth2/tokens"
export_api = "/sccs/v1/events/export"
CONFIG_INI = os.path.join('/Applications/Splunk/', 'bin', 'scripts', 'SEPCloudConfig.ini')

NEW

## Full path to my Splunk installation
MySplunk_Home = 'C:\Program Files\Splunk'

r3_url = "https://usea1.r3.securitycloud.symantec.com/r3_epmp_i"
oauth_url = "/oauth2/tokens"
export_api = "/sccs/v1/events/export"
CONFIG_INI = os.path.join(MySplunk_Home, 'bin', 'scripts', 'SEPCloudConfig.ini')

(4) Changing the Scripted Input to reference the actual ExportClient.py script instead of the Wrapper.sh file provided by Symantec.

Re: Symantec Cloud Scripted Input

salax — Thu, 09 May 2019 05:30:05 GMT

Hi smaat11,

I've encountered problem while using the script for the SEPC too.
What version of Python are you running?
I had Splunk 7.2.4 and Python2.7 with below pip installation.

splunk@SplunkServer7:/opt/splunk/bin/scripts$ pip2 list
asn1crypto (0.24.0)
certifi (2019.3.9)
cffi (1.12.3)
chardet (3.0.4)
cryptography (2.6.1)
enum34 (1.1.6)
idna (2.8)
ipaddress (1.0.22)
ndg-httpsclient (0.4.0)
pip (8.1.1)
pyasn1 (0.1.9)
pycparser (2.19)
pyOpenSSL (19.0.0)
python-dateutil (2.8.0)
requests (2.7.0)
setuptools (20.7.0)
six (1.12.0)
UNKNOWN (0.0.0)
urllib3 (1.23)
wheel (0.29.0)

Excerpt of error I'm getting within Splunkd.log

05-09-2019 13:27:39.642 +0800 ERROR ExecProcessor - message from "/opt/splunk/bin/scripts/wrapper.sh"     self._send_output(message_body)
05-09-2019 13:27:39.642 +0800 ERROR ExecProcessor - message from "/opt/splunk/bin/scripts/wrapper.sh"   File "/usr/lib/python2.7/httplib.py", line 897, in _send_output
05-09-2019 13:27:39.642 +0800 ERROR ExecProcessor - message from "/opt/splunk/bin/scripts/wrapper.sh"     self.send(msg)
05-09-2019 13:27:39.642 +0800 ERROR ExecProcessor - message from "/opt/splunk/bin/scripts/wrapper.sh"   File "/usr/lib/python2.7/httplib.py", line 859, in send
05-09-2019 13:27:39.642 +0800 ERROR ExecProcessor - message from "/opt/splunk/bin/scripts/wrapper.sh"     self.connect()
05-09-2019 13:27:39.642 +0800 ERROR ExecProcessor - message from "/opt/splunk/bin/scripts/wrapper.sh"   File "/opt/splunk/lib/python2.7/site-packages/requests/packages/urllib3/connection.py", line 129, in connect
05-09-2019 13:27:39.643 +0800 ERROR ExecProcessor - message from "/opt/splunk/bin/scripts/wrapper.sh"     self.sock = ssl.wrap_socket(conn, self.key_file, self.cert_file)
05-09-2019 13:27:39.643 +0800 ERROR ExecProcessor - message from "/opt/splunk/bin/scripts/wrapper.sh" AttributeError: 'NoneType' object has no attribute 'wrap_socket'

When running directly via Python, shows below error:

splunk@SplunkServer7:/opt/splunk/bin/scripts$ python ExportClient.py
Traceback (most recent call last):
  File "ExportClient.py", line 208, in <module>
    main()
  File "ExportClient.py", line 194, in main
    total_events = total_events + len(data)
TypeError: object of type 'NoneType' has no len()

Have you encountered any of these and do you have any suggestion?

Re: Symantec Cloud Scripted Input

GDustin — Tue, 15 Oct 2019 20:20:26 GMT

Any solution found?

Re: Symantec Cloud Scripted Input

nagendra1111 — Thu, 26 Mar 2020 11:42:44 GMT

Hi ,

My script is working fine.
It is able to get auth token and able to connect with SEPC cloud.
but in event export no logs are coming...but i am able to see logs in sepc console