Cisco AMP for Endpoints Events Input app error message on ES Search Head

Background:
Splunk Enterprise version:
• Search Head – 7.1.3.1
• Indexer – 7.1.3 (Sites=2; 28 Indexers in each site)
• Enterprise Security App – 5.1.1

I upgraded the app Cisco AMP for Endpoints Events Input from 1.1.2 to 1.1.6 and since then I am getting these ERROR messages.

I tried running script manually:

[@] /opt/splunk/etc/apps/amp4eeventsinput/bin $ ./amp4eeventsinput.py
./amp4eeventsinput.py1: import: not found [No such file or directory]
./amp4eeventsinput.py[2]: import: not found [No such file or directory]
./amp4eeventsinput.py[3]: import: not found [No such file or directory]
./amp4eeventsinput.py[4]: import: not found [No such file or directory]
./amp4eeventsinput.py[6]: from: not found [No such file or directory]
./amp4eeventsinput.py[8]: from: not found [No such file or directory]
./amp4eeventsinput.py[9]: from: not found [No such file or directory]
./amp4eeventsinput.py[10]: from: not found [No such file or directory]
./amp4eeventsinput.py: line 10: syntax error at line 13: `(' unexpected

Original script:

[@] /opt/splunk/etc/apps/amp4eeventsinput/bin $ cat amp4eeventsinput.py
import sys
import time
import traceback
import json

from splunklib.modularinput import Argument, Event, Scheme, Script

from amp4e_events_input.amp_storage_wrapper import AmpStorageWrapper
from util.logger import logger
from util.stream_consumer import StreamConsumer


class Amp4eEventsInput(Script):
    # name: [description, required_on_create, required_on_edit]
    SCHEME_ARGUMENTS = {
        'stream_name': ['The event stream name', True, True],
        'event_types': ['Enter event type evt_ids for the stream', True, True],
        'groups': ['Enter group guids for the stream', False, False],
        'api_host': ['AMP for Endpoints API host', True, True],
        'api_id': ['3rd Party API Client ID provided by AMP for Endpoints', True, True],
        'api_key': ['API secret', True, True],
        'event_types_names': ['Event types names', True, True],
        'groups_names': ['Groups names', False, False]
    }

    def get_scheme(self):
        scheme = Scheme('Cisco AMP for Endpoints Events Input')
        scheme.description = 'Allows creating and managing event streams from AMP for Endpoints'
        scheme.use_external_validation = False
        scheme.use_single_instance = False
        self.__add_scheme_arguments(scheme)
        return scheme

    # DEPRECATED within app. Use only if necessary
    # https://docs.splunk.com/Documentation/SplunkCloud/6.6.0/AdvancedDev/ModInputsValidate
    def validate_input(self, validation_definition):
        pass

    # Runs once on splunk restart and then gets called every time new input is created
    # Checks if the stream needs to be deleted (i.e. user
    # deleted it) and performs the deletion via API (?).
    # Tries to set up the RabbitMQ connection with credentials from current stream.
    # If stream doesn't exist yet, exits.
    # Otherwise, fetches all events from queue and writes them to logs.
    def stream_events(self, inputs, ew):
        for input_name, _ in inputs.inputs.items():
            logger.debug('Starting input ' + input_name)
            inputs.metadata['name'] = input_name.split('://', 1)[-1]
            stream = self.__stream_from_inputs(inputs)
            connection_data = stream.get('amqp_credentials')
            if connection_data is not None:
                consumer = StreamConsumer(connection_data,
                                          lambda event: self.__on_event_callback(event, ew,
                                              {'input_name': input_name,
                                               'host': stream.get('api_host'),
                                               'index': stream.get('index')}))
                try:
                    consumer.run()
                    break  # break if we somehow have more than one input here
                except Exception as e:
                    logger.error(traceback.format_exc())
                    time.sleep(3)
                    raise e

    def __add_scheme_arguments(self, scheme):
        for name, [description, required_on_create, required_on_edit] in self.SCHEME_ARGUMENTS.items():
            scheme.add_argument(Argument(name=name,
                                         data_type=Argument.data_type_string,
                                         description=description,
                                         required_on_create=required_on_create,
                                         required_on_edit=required_on_edit))

    def __stream_from_inputs(self, inputs):
        storage = AmpStorageWrapper(inputs.metadata)
        stream = storage.find_stream()
        logger.debug('Found Stream: {}'.format(stream.get('name')))
        # connection_data = stream['amqp_credentials']
        # Change this in development if we have no correct data from API
        # connection_data.update({'host': self.RMQ_HOST, 'port': self.RMQ_PORT})
        return stream

    def __on_event_callback(self, event_json, ew, options):
        logger.debug('Received event with input {}'.format(options['input_name']))
        index = options['index'] if options.get('index') is not None else 'main'
        host = options['host'] if options.get('host') is not None else 'Cisco AMP for Endpoints'
        decoded_event = json.loads(event_json)
        # decoded_event['timestamp'] = time.time()  # commented out for real-time events
        event = Event(stanza=options['input_name'], data=json.dumps({'event': decoded_event}), host=host,
                      sourcetype='cisco:amp:event', index=index)
        logger.debug('Publishing event to index {} with host {}...'.format(index, host))
        ew.write_event(event)
        logger.debug('Published.')


if __name__ == "__main__":
    sys.exit(Amp4eEventsInput().run(sys.argv))

0 Karma
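In the script above, `__on_event_callback` decodes every queued message with `json.loads` and writes it straight to Splunk; a message that is not valid JSON raises inside `consumer.run()`, is logged, and is re-raised, so a single bad message takes the whole input down. The following is an added example, not the app's code or anything from Cisco, that keeps the same index/host defaulting and event shape but drops undecodable messages and keeps consuming. It assumes a stub in place of splunklib's `EventWriter` (so it runs without Splunk), and the sample messages are constructed, not captured from an AMP stream.

```python
import json
import logging

logger = logging.getLogger("amp4e_example")

# Defaults mirror the ones the page's callback applies when the stream record lacks them.
DEFAULT_INDEX = "main"
DEFAULT_HOST = "Cisco AMP for Endpoints"
SOURCETYPE = "cisco:amp:event"


class EventWriterStub:
    """Stand-in for splunklib's EventWriter (assumption: not the real class); collects events."""

    def __init__(self):
        self.events = []

    def write_event(self, event):
        self.events.append(event)


def build_event(event_json, options):
    """Decode one raw message and return the fields the page's callback passes to Event()."""
    index = options["index"] if options.get("index") is not None else DEFAULT_INDEX
    host = options["host"] if options.get("host") is not None else DEFAULT_HOST
    decoded = json.loads(event_json)          # raises ValueError on malformed JSON
    if not isinstance(decoded, dict):
        raise ValueError("event payload is not a JSON object")
    return {
        "stanza": options["input_name"],
        "data": json.dumps({"event": decoded}),
        "host": host,
        "sourcetype": SOURCETYPE,
        "index": index,
    }


def on_event_callback(event_json, ew, options):
    """Defensive variant: a malformed message is logged and skipped instead of killing the consumer."""
    try:
        event = build_event(event_json, options)
    except (ValueError, TypeError) as exc:
        logger.error("Dropping undecodable event for input %s: %s", options.get("input_name"), exc)
        return False
    ew.write_event(event)
    return True


def consume_batch(raw_events, ew, options):
    """Feed a batch of raw messages through the callback; return (written, dropped) counts."""
    written = dropped = 0
    for raw in raw_events:
        if on_event_callback(raw, ew, options):
            written += 1
        else:
            dropped += 1
    return written, dropped


# Constructed sample messages (not from a real stream): two good, one truncated, one wrong shape.
SAMPLE_RAW_EVENTS = [
    '{"id": 1, "event_type": "Threat Detected", "computer": {"hostname": "ws-01"}}',
    '{"id": 2, "event_type": "Scan Completed"',
    '"just a string"',
    '{"id": 3, "event_type": "Quarantine Failure"}',
]

if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    writer = EventWriterStub()
    opts = {"input_name": "amp4e_events_input://stream1", "host": None, "index": None}
    print(consume_batch(SAMPLE_RAW_EVENTS, writer, opts))  # (2, 2)
```

Whether dropping or failing is the right policy depends on the deployment: dropping keeps the input alive but silently loses events unless the error log is monitored, while the page's re-raise makes the failure visible in splunkd.log at the cost of the whole input stopping.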

Re: Cisco AMP for Endpoints Events Input app error message on ES Search Head

New Member

Our app does not support being manually run from the command line. It must be configured purely by Splunk. This is why you will get an error when running the python script manually.

## Expected errors when run manually, our app does not support being run outside of splunk
./amp4e_events_input.py: line 1: import: command not found
./amp4e_events_input.py: line 2: import: command not found
./amp4e_events_input.py: line 3: import: command not found
./amp4e_events_input.py: line 4: import: command not found
./amp4e_events_input.py: line 6: from: command not found
./amp4e_events_input.py: line 8: from: command not found
./amp4e_events_input.py: line 9: from: command not found
./amp4e_events_input.py: line 10: from: command not found
./amp4e_events_input.py: line 13: syntax error near unexpected token `('
./amp4e_events_input.py: line 13: `class Amp4eEventsInput(Script):'

The error you are getting from Splunk indicates that our app terminated prematurely. To debug further, could you post the most recent log lines from:

$SPLUNK_HOME/var/log/splunk/amp4e_events_input.log

AND

$SPLUNK_HOME/var/log/splunk/splunkd.log

AND

$SPLUNK_HOME/var/log/splunk/python_modular_input.log

Optionally, we've built in diagnostics in our app which will generate a diagnostic file and tar up some useful log files. However, this file may include sensitive information. If you are okay with this, please run:

 splunk login
 splunk diag --collect app:amp4e_events_input

And send the diagnostic file to amp4esplunksupport@cisco.com with this Splunk answers link as a reference.

0 Karma

Re: Cisco AMP for Endpoints Events Input app error message on ES Search Head

Thanks man.

Let me check with my Team if I can send those details.

0 Karma

Re: Cisco AMP for Endpoints Events Input app error message on ES Search Head

I sent the diagnostic file to amp4esplunksupport@cisco.com
Subject of the email: Cisco AMP for Endpoints Events Input app error message on Enterprise Security Splunk Search Head

Please let me know if you need more details.

0 Karma