topic Re: Splunk for Cisco IPS: When running a search, why am I getting error "Could not get IPS x.x.x.x credentials from splunk"? in Splunk Search

Splunk for Cisco IPS: When running a search, why am I getting error "Could not get IPS x.x.x.x credentials from splunk"?

arber — Mon, 28 Sep 2020 18:27:42 GMT

Hello,

we have configured Splunk_TA_cisco-ips. We set up everything as per the guide, but we keep getting this error if we search:

index="_internal" sourcetype="sdee_connection"

Tue Dec 16 17:51:55 2014 - Could not get IPS x.x.x.x credentials from splunk: SplunkdConnectionException: Splunkd daemon is not responding: ('Error connecting to /servicesNS/nobody/Splunk_TA_cisco-ips/storage/passwords: [Errno 111] Connection refused',)

The credentials that we use are working as we tried to access the system. Can it be something else ?

Thanks

Re: Splunk for Cisco IPS: When running a search, why am I getting error "Could not get IPS x.x.x.x credentials from splunk"?

bwooden — Mon, 28 Sep 2020 18:23:55 GMT

That error is not saying the credentials are wrong, it is saying the script that queries the IPS could not load the credentials with which to try.

Can you verify that you have a credential defined in $SPLUNK_HOME/etc/apps/Splunk_TA_cisco-ips/local/app.conf? We can determine next steps based on that info.

Re: Splunk for Cisco IPS: When running a search, why am I getting error "Could not get IPS x.x.x.x credentials from splunk"?

arber — Thu, 18 Dec 2014 13:27:04 GMT

Hi,

yes we have:

[credential:x.x.x.x:xxxx:]
password = xxxxxx

[install]
is_configured = 1

Thanks

Re: Splunk for Cisco IPS: When running a search, why am I getting error "Could not get IPS x.x.x.x credentials from splunk"?

bwooden — Mon, 28 Sep 2020 18:24:00 GMT

Thanks for checking, Arber. That certainly looks correct. Does the $SPLUNK_HOME/etc/apps/Splunk_TA_cisco-ips/local/inputs.conf also look like this (i.e. disabled=false, passAuth=splunk-system-user):

[script://$SPLUNK_HOME/etc/apps/Splunk_TA_cisco-ips/bin/get_ips_feed.py ips_host 15]
disabled = false
interval = 1
passAuth = splunk-system-user 
<snip />

Re: Splunk for Cisco IPS: When running a search, why am I getting error "Could not get IPS x.x.x.x credentials from splunk"?

whistj — Mon, 28 Sep 2020 18:24:03 GMT

I seem to have the same issue. Working with a support engineer he had me test from the command line using:
./splunk cmd python /opt/splunk/etc/apps/Splunk_TA_cisco-ips/bin/get_ips_feed.py ips_host 15
That returns "invalid command-line arguments"

If I place the username and password on the commandline prior to ips_host it executes but fails reading:

Wed Dec 17 15:45:32 2014 - INFO - Checking for exsisting SubscriptionID on host: ips_host
Wed Dec 17 15:45:32 2014 - INFO - No exsisting SubscriptionID for host: ips_host
Wed Dec 17 15:45:32 2014 - INFO - Attempting to connect to sensor: ips_host

Wed Dec 17 15:45:32 2014 - INFO - Successfully connected to: ips_host

Wed Dec 17 15:45:32 2014 - ERROR - Connecting to sensor - ips_host: URLError:

if I use curl from the commandline (--insecure to accept my self-signed cert)
curl --insecure --user ADMINUSER:PASSWORD https://ips_host/cgi-bin/sdee-server

I get the expected XML data

Re: Splunk for Cisco IPS: When running a search, why am I getting error "Could not get IPS x.x.x.x credentials from splunk"?

arber — Mon, 28 Sep 2020 18:28:37 GMT

yes it is like this

[script://$SPLUNK_HOME/etc/apps/Splunk_TA_cisco-ips/bin/get_ips_feed.py xxxxx 15]
disabled = false
interval = 1
passAuth = splunk-system-user
source = SDEE
sourcetype = cisco_ips_syslog

Re: Splunk for Cisco IPS: When running a search, why am I getting error "Could not get IPS x.x.x.x credentials from splunk"?

bwooden — Thu, 18 Dec 2014 15:33:35 GMT

Thank you for additional info, whistj.

The script is expecting a valid session_key for an account that can retrieve the credential (this is why the inputs.conf contains the "passAuth = splunk-system-user" setting). It is expecting to find this in stdin

You can get a session key several ways. One way is from the search app in the UI.

| rest /services/authentication/httpauth-tokens | search (userName="ADMIN_USER") searchId="" | stats first(authString) as session_key

That session_key may be passed via stdin via CLI to approximate the scripted input's behavior:

echo <actual session_key> | /opt/splunk/etc/apps/Splunk_TA_cisco-ips/bin/get_ips_feed.py <ips_host> 15

Re: Splunk for Cisco IPS: When running a search, why am I getting error "Could not get IPS x.x.x.x credentials from splunk"?

bwooden — Thu, 18 Dec 2014 15:39:04 GMT

Note: The above should produce the same result you're seeing from Splunk in the logs. I provided that information to eliminate the "invalid command-line arguments" when testing manually but I would expect the same error whether invoked manually or by Splunk.

Re: Splunk for Cisco IPS: When running a search, why am I getting error "Could not get IPS x.x.x.x credentials from splunk"?

arber — Mon, 28 Sep 2020 18:28:39 GMT

we i try to manually execute the script putting the username and password i get this:

Traceback (most recent call last):
File "/opt/splunk/etc/apps/Splunk_TA_cisco-ips/bin/get_ips_feed.py", line 289, in
run(sys.argv[1],sys.argv[2],sys.argv[3],sys.argv[4],"https","yes")
File "/opt/splunk/etc/apps/Splunk_TA_cisco-ips/bin/get_ips_feed.py", line 76, in run
open(os.path.join(RUN_DIR, host + '.run'), 'w').close()
IOError: [Errno 2] No such file or directory: '/opt/splunk/etc/apps/Splunk_TA_cisco-ips/var/run/x.x.x.x.run'

Indeed the var/log foder inside the /opt/splunk/etc/apps/Splunk_TA_cisco-ips is not created

Re: Splunk for Cisco IPS: When running a search, why am I getting error "Could not get IPS x.x.x.x credentials from splunk"?

bwooden — Mon, 28 Sep 2020 18:24:08 GMT

Thank you Arber. That path problem has been resolved via ADDON-2386. That fix will be included in the next maintenance release. In the meantime, if you create the $SPLUNK_HOME/etc/apps/Splunk_TA_cisco-ips/var/log and $SPLUNK_HOME/etc/apps/Splunk_TA_cisco-ips/var/run manually, you still receive the credential related error?

Re: Splunk for Cisco IPS: When running a search, why am I getting error "Could not get IPS x.x.x.x credentials from splunk"?

bwooden — Thu, 18 Dec 2014 16:34:59 GMT

Arber, would your provide your Splunk version, Splunk build, and OS running Splunk?

Re: Splunk for Cisco IPS: When running a search, why am I getting error "Could not get IPS x.x.x.x credentials from splunk"?

arber — Thu, 18 Dec 2014 18:13:00 GMT

Splunk 6.2 build 237341 Debian 7

Thanks

Re: Splunk for Cisco IPS: When running a search, why am I getting error "Could not get IPS x.x.x.x credentials from splunk"?

arber — Thu, 18 Dec 2014 18:14:12 GMT

i created manually the folders but still the issue is the same.. also i get this file x.x.x.x.run but it is empty

Thanks

Re: Splunk for Cisco IPS: When running a search, why am I getting error "Could not get IPS x.x.x.x credentials from splunk"?

whistj — Mon, 28 Sep 2020 18:24:13 GMT

thanks, I confirm that by grabbing my session key and feeding it in I do get
Thu Dec 18 16:15:29 2014 - INFO - Checking for exsisting SubscriptionID on host: ips_host
Thu Dec 18 16:15:29 2014 - INFO - No exsisting SubscriptionID for host: ips_host
Thu Dec 18 16:15:29 2014 - INFO - Attempting to connect to sensor: ips_host
Thu Dec 18 16:15:29 2014 - INFO - Successfully connected to: ips_host
Thu Dec 18 16:15:29 2014 - ERROR - Connecting to sensor - ips_host: URLError:

then if I ctrl+c to cancel that command I get

File "/opt/splunk/etc/apps/Splunk_TA_cisco-ips/bin/get_ips_feed.py", line 303, in
run(username,password,sys.argv[1],sys.argv[2],"https","yes")
File "/opt/splunk/etc/apps/Splunk_TA_cisco-ips/bin/get_ips_feed.py", line 94, in run
time.sleep(300)

Re: Splunk for Cisco IPS: When running a search, why am I getting error "Could not get IPS x.x.x.x credentials from splunk"?

arber — Mon, 28 Sep 2020 18:41:55 GMT

Hello,

we installed the new version of cisco ips addon 6.1.2 and it seems that the conenction is ok, So the script is successful logged on.
sdee_get.log

Mon Jan 19 07:18:39 2015 - INFO - Checking for exsisting SubscriptionID on host: x.x.xx
Mon Jan 19 07:18:40 2015 - INFO - SubscriptionID: sub-4-711f2b1c found for host: x.x.x.x
Mon Jan 19 07:18:40 2015 - INFO - Attempting to connect to sensor: x.x.x.x
Mon Jan 19 07:18:40 2015 - INFO - Successfully connected to: x.x.x.x

the \var\log\ and var\run folders and files inside them are created automatically( didnt happen in the previous version) . But still ips_sdee.log.x.x.x.x file inside /opt/splunk/etc/apps/Splunk_TA_cisco-ips/var/log remains empty

Any idea ?