topic Re: Splunk App for Enterprise Security: Why am I getting error messages "msg="A threat intelligence download has failed"...status="threat list could not be written to disk""? in Splunk Enterprise Security

Splunk App for Enterprise Security: Why am I getting error messages "msg="A threat intelligence download has failed"...status="threat list could not be written to disk""?

Afef — Wed, 24 Jun 2015 07:12:55 GMT

Hello,

I installed the Splunk App for Enterprise Security (simple deployment). I get many error messages :

msg="A threat intelligence download has failed" stanza="alexa_top_one_million_sites" status="threat list could not be written to disk"

msg="A threat intelligence download has failed" stanza="mozilla_public_suffix_list" status="threat list could not be written to disk"

Could someone help me please ?

Regards

Re: Splunk App for Enterprise Security: Why am I getting error messages "msg="A threat intelligence download has failed"...status="threat list could not be written to disk""?

alacercogitatus — Wed, 24 Jun 2015 11:48:08 GMT

I believe this is a known bug.

All you should have to do is find this script - confcheck_failed_threat_download.py and change this line:
job = splunk.search.dispatch(srch, sessionKey=session_key, earliest=earliest)
to this line:
job = splunk.search.dispatch(srch, sessionKey=session_key, earliestTime=earliest)

@bosburn_splunk, correct me if I'm wrong.

Re: Splunk App for Enterprise Security: Why am I getting error messages "msg="A threat intelligence download has failed"...status="threat list could not be written to disk""?

bosburn_splunk — Wed, 24 Jun 2015 12:18:20 GMT

That fix was for a different error:
"A threat intelligence download has failed" stanza=“stanza_name" status="threat list download failed after multiple retries"

This one sounds like a permissions issue. Are you running Windows? Have you checked the permissions on the destination file that it's trying to overwrite?

Re: Splunk App for Enterprise Security: Why am I getting error messages "msg="A threat intelligence download has failed"...status="threat list could not be written to disk""?

Afef — Wed, 24 Jun 2015 20:17:57 GMT

Yes i'M running splunk on Windows.

Re: Splunk App for Enterprise Security: Why am I getting error messages "msg="A threat intelligence download has failed"...status="threat list could not be written to disk""?

Afef — Thu, 25 Jun 2015 22:53:15 GMT

How could find the destination file ? there was no information about it !

Re: Splunk App for Enterprise Security: Why am I getting error messages "msg="A threat intelligence download has failed"...status="threat list could not be written to disk""?

mdessus_splunk — Fri, 26 Jun 2015 07:59:07 GMT

Hi, does the host has internet access ? Through a proxy ?
Does the download script runs manualy ?

Re: Splunk App for Enterprise Security: Why am I getting error messages "msg="A threat intelligence download has failed"...status="threat list could not be written to disk""?

Afef — Fri, 26 Jun 2015 08:03:46 GMT

Hi, no the host didn't have internet access.
Which script ?

Re: Splunk App for Enterprise Security: Why am I getting error messages "msg="A threat intelligence download has failed"...status="threat list could not be written to disk""?

mdessus_splunk — Fri, 26 Jun 2015 09:20:06 GMT

If the search head does not have internet access, even through a proxy, ES will be unable to download the threat lists. You don't need to look further !

Re: Splunk App for Enterprise Security: Why am I getting error messages "msg="A threat intelligence download has failed"...status="threat list could not be written to disk""?

Afef — Tue, 30 Jun 2015 07:42:12 GMT

Now, the search head has internet access. But i still have the same errors !

Re: Splunk App for Enterprise Security: Why am I getting error messages "msg="A threat intelligence download has failed"...status="threat list could not be written to disk""?

mdessus_splunk — Tue, 30 Jun 2015 17:16:43 GMT

Afef, the Threat list are downloaded from internet !
If you do not have internet access, just disable the threat lists, or copy them locally and modify them.

Re: Splunk App for Enterprise Security: Why am I getting error messages "msg="A threat intelligence download has failed"...status="threat list could not be written to disk""?

Afef — Tue, 30 Jun 2015 17:42:54 GMT

The search head and the indexer had access to internet but I Still get thé same message errors.

Re: Splunk App for Enterprise Security: Why am I getting error messages "msg="A threat intelligence download has failed"...status="threat list could not be written to disk""?

mdessus_splunk — Tue, 30 Jun 2015 23:34:35 GMT

Only the SH needs Internet access.
And check if the following script is running :
/opt/splunk/bin/splunk cmd python ./threatlist.py
(you may add a -v after python if needed).

Re: Splunk App for Enterprise Security: Why am I getting error messages "msg="A threat intelligence download has failed"...status="threat list could not be written to disk""?

serwin — Wed, 08 Jul 2015 20:42:57 GMT

Afef,

If you're running 6.2.3, here is the location of the threatlists. I just found mine and the folder was indeed read only.

C:\Program Files\Splunk\etc\apps\SA-ThreatIntelligence\local\data\threat_intel

Re: Splunk App for Enterprise Security: Why am I getting error messages "msg="A threat intelligence download has failed"...status="threat list could not be written to disk""?

serwin — Fri, 10 Jul 2015 18:14:57 GMT

I just fixed the same error. My ES Windows deployment, the folder
C:\Program Files\Splunk\etc\apps\SA-ThreatIntelligence\local\data\threat_intel
was set to ready-only. Quick change of the settings and everything is running smoother.

Good luck!

Re: Splunk App for Enterprise Security: Why am I getting error messages "msg="A threat intelligence download has failed"...status="threat list could not be written to disk""?

neelamssantosh — Mon, 14 Sep 2015 04:32:11 GMT

Still No luck , after changing the Permissions.

Re: Splunk App for Enterprise Security: Why am I getting error messages "msg="A threat intelligence download has failed"...status="threat list could not be written to disk""?

japala — Fri, 16 Sep 2016 17:20:57 GMT

Where do i find this file in the linux system? i tried the /Splunk_home/etc/apps but couldn't find this "SA-ThreatIntelligence" app..

Re: Splunk App for Enterprise Security: Why am I getting error messages "msg="A threat intelligence download has failed"...status="threat list could not be written to disk""?

tryan65 — Mon, 31 Oct 2016 16:09:24 GMT

Well I did find the proper location under $SPLUNK_HOME/etc/apps/SA-ThreatIntelligence/local/data but the permissions seem fine. Any other thoughts?

Re: Splunk App for Enterprise Security: Why am I getting error messages "msg="A threat intelligence download has failed"...status="threat list could not be written to disk""?

season88481 — Tue, 29 Sep 2020 13:04:35 GMT

Hi our ES is 4.5.1. So I checked the confcheck_failed_threat_download.py. Looks like the line been updated already. Possible the bug been fixed? However, I still getting some error. Most of the stanza been downloaded successfully. Only emerging_threats_ip_blocklist AND iblocklist_tor download failed.

Re: Splunk App for Enterprise Security: Why am I getting error messages "msg="A threat intelligence download has failed"...status="threat list could not be written to disk""?

mrgibbon — Fri, 30 Jun 2017 00:25:12 GMT

Is it:
earliest_time=earliest
OR
earliestTime=earliest
For this fix? There is a different post with that variation.
Thanks

Re: Splunk App for Enterprise Security: Why am I getting error messages "msg="A threat intelligence download has failed"...status="threat list could not be written to disk""?

jamesbrock — Mon, 18 Sep 2017 16:24:40 GMT

This has been happening to me for about 2 weeks. I've tried or checked everything I could find on Splunk answers but still get the error. The file permissions are correct and the file is actually downloaded but we still get the error. I've disabled the download but still get the error. I've checked the python script and it already has the updated line.

A threat intelligence download has failed. stanza="malware_domains" host="servername" status="threat list download failed after multiple retries"

we currently run Splunk on a windows 2012 r2 server, Splunk 6.6.0 and ES App Version 4.7.1 App Build 17