topic Re: How do I stop the "threat list download failed after multiple retries" messages on disabled threat inputs? in Splunk Enterprise Security

How do I stop the "threat list download failed after multiple retries" messages on disabled threat inputs?

scottrunyon — Tue, 29 Sep 2020 12:05:04 GMT

It looks like the seven iblocklist feeds included in Splunk Enterprise Security (ES) 4.5.0 are now subscription based and ES can no longer pull them.

To try and stop the messages,
1. I disabled the feeds in Data inputs » Threat Intelligence Downloads
2. I modified the Interval to 610000 (once a week)
3. Under \local\inputs.conf[configuration_check://confcheck_failed_threat_download], added files to suppress (SOLNESS-10559 in known issues)

Every three hours, the messages show up.

What else do I need to do to stop these messages?

Re: How do I stop the "threat list download failed after multiple retries" messages on disabled threat inputs?

splunker288 — Thu, 22 Dec 2016 15:21:04 GMT

I'm having the same issue. I can't get these alerts to stop even after the threat feed is working again.

Re: How do I stop the "threat list download failed after multiple retries" messages on disabled threat inputs?

jwelch_splunk — Thu, 22 Dec 2016 17:46:06 GMT

Show me your exact errors, and I will tell you how to fix them.

E.G. is it a TAXII feed Error or is it alexa/comprimisedip

And what version are you running.

Okie

Re: How do I stop the "threat list download failed after multiple retries" messages on disabled threat inputs?

scottrunyon — Tue, 29 Sep 2020 12:11:42 GMT

I am receiving the following message -

msg="A threat intelligence download has failed" stanza="emerging_threats_compromised_ip_blocklist" status="threat list download failed after multiple retries"

ES version is 4.5.0

Re: How do I stop the "threat list download failed after multiple retries" messages on disabled threat inputs?

jwelch_splunk — Tue, 29 Sep 2020 12:11:44 GMT

Great, so for this one. I filed:
SOLNESS-11180
[PUBLIC] [CUSTOMER] Threat Intelligence: emerging_threats_compromised_ip_blocklist is no longer available for download
It seems the vendor has quit publishing this list. (We are awaiting for confirmation if they have disabled for good we will remove from product)

So please disable the feed.

Because you are running 4.5.0 you are also hitting SOLNESS-10813, so even after you disable the download, we have an issue.
To fix this delete:
$SPLUNK_HOME/var/lib/splunk/modinputs/configuration_check/confcheck_failed_threat_download

And you should be all fixed up. SOLNESS-10813 was fixed in 4.5.1

Okie

Re: How do I stop the "threat list download failed after multiple retries" messages on disabled threat inputs?

splunker288 — Thu, 22 Dec 2016 18:52:38 GMT

I'm seeing the exact same error and also running 4.5.0.

Re: How do I stop the "threat list download failed after multiple retries" messages on disabled threat inputs?

scottrunyon — Thu, 22 Dec 2016 20:34:20 GMT

I removed the file and so far I am no longer getting the messages.

Thank you for the help.

Re: How do I stop the "threat list download failed after multiple retries" messages on disabled threat inputs?

splunker288 — Thu, 22 Dec 2016 20:42:25 GMT

I also deleted the file and can validate the messages have stopped. Also they seem to have the feed working again.

Re: How do I stop the "threat list download failed after multiple retries" messages on disabled threat inputs?

jwelch_splunk — Thu, 22 Dec 2016 22:25:49 GMT

Great news all, sorry for the confusion!