Hello,
This TA is using only the deprecated legacy key-based API access.
Based on your last CS communication, the end date for this kind of access is October 29th, 2020.
Are you planning to update this TA accordingly, or is it going to be abandoned and removed from Splunkbase?
Thank you for your support
I see a CrowdStrike Falcon Event Streams Technical Add-On has just been released with OAuth support and is the replacement for the CrowdStrike Falcon Endpoint Add-on.
https://splunkbase.splunk.com/app/5082/#/overview
However, it states only version 8 compatibility at the moment, which I hope is just due to the fact they have not tested against older versions yet.
Hello,
Yes, same remark about the Splunk 8+ only support.
I just tried it on a Splunk heavy forwarder running version 7.3.6 and I am getting the following error:
2020-07-14 16:17:48,687 ERROR pid=22745 tid=MainThread file=base_modinput.py:log_error:309 | Get error when collecting events.
Traceback (most recent call last):
File "/opt/splunk/etc/apps/TA-crowdstrike-falcon-event-streams/bin/ta_crowdstrike_falcon_event_streams/aob_py2/modinput_wrapper/base_modinput.py", line 128, in stream_events
self.collect_events(ew)
File "/opt/splunk/etc/apps/TA-crowdstrike-falcon-event-streams/bin/crowdstrike_event_streams.py", line 72, in collect_events
input_module.collect_events(self, ew)
File "/opt/splunk/etc/apps/TA-crowdstrike-falcon-event-streams/bin/input_module_crowdstrike_event_streams.py", line 321, in collect_events
crowdstrike_client()
File "/opt/splunk/etc/apps/TA-crowdstrike-falcon-event-streams/bin/input_module_crowdstrike_event_streams.py", line 189, in crowdstrike_client
token_result, token_message, token_url= Stream().get_token(clientid, secret, api_endpoint, proxy)
TypeError: 'NoneType' object is not iterable
Edit: I have the same failure with Splunk 8.0.4.1 and the default setting of Python in server.conf (python.version = python2) 🤔
Edit2: Still the same error with python.version = python3 😓
Edit3: OK, I have regenerated my API credential and that was the reason for the error (really bad catch).
Now it is spamming offset errors, but maybe that is normal:
2020-07-15 07:46:14,342 INFO pid=15876 tid=Thread-1 file=base_modinput.py:log_info:295 | Event Written
2020-07-15 07:46:14,342 ERROR pid=15876 tid=Thread-1 file=Stream_Attributes.py:record_offsets:116 | Failed to record offsets to offsets file.
2020-07-15 07:46:14,376 INFO pid=15876 tid=Thread-1 file=base_modinput.py:log_info:295 | Offset recording to KV store: XXXX_Detections_feed_num_0 {u'https://firehose.crowdstrike.com/sensors/entities/datafeed/v1/0?appId=splunk_qualif': XXXXX}
Edit4:
For the error in edit3, what is missing is the creation of an empty dir in TA-crowdstrike-falcon-event-streams/bin/offsets, so Python is failing to manage files there.
Note that if the app is deployed, it is important to add it to the exclusion list so as not to lose its content.
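The failure mode described in this post (an offset file that cannot be written because its parent directory does not exist) is easy to reproduce and to harden against. The following is an added example written for this thread; it is not code from the CrowdStrike add-on. The feed name, the offsets directory layout and the JSON file format are assumptions chosen for illustration. It contrasts a fragile writer that assumes the directory exists with one that creates the directory on demand and replaces the file atomically, so a crash mid-write never leaves a truncated offsets file behind (which would otherwise cause the next run to re-read or skip events).

```python
import json
import os
import tempfile

# Constructed sample mapping of feed URL -> last offset, in the shape the
# add-on's "Offset recording to KV store" log line suggests. The URL and
# offset value are placeholders, not real data.
SAMPLE_OFFSETS = {
    "https://firehose.example.invalid/sensors/entities/datafeed/v1/0?appId=example": 12345,
}


def record_offsets_fragile(offsets_dir, feed_name, offsets):
    """Writes offsets assuming offsets_dir already exists.

    Returns True on success, False on any I/O error. With a missing
    directory this is the 'Failed to record offsets to offsets file.' case.
    """
    path = os.path.join(offsets_dir, feed_name + ".json")
    try:
        with open(path, "w") as fh:
            json.dump(offsets, fh)
        return True
    except OSError:
        return False


def record_offsets_robust(offsets_dir, feed_name, offsets):
    """Creates the offsets directory if needed and writes the file atomically.

    The data is written to a temporary file in the same directory, fsync'ed,
    and then renamed over the target, so readers only ever see a complete file.
    """
    os.makedirs(offsets_dir, exist_ok=True)
    path = os.path.join(offsets_dir, feed_name + ".json")
    fd, tmp = tempfile.mkstemp(dir=offsets_dir, prefix=feed_name, suffix=".tmp")
    try:
        with os.fdopen(fd, "w") as fh:
            json.dump(offsets, fh)
            fh.flush()
            os.fsync(fh.fileno())
        os.replace(tmp, path)  # atomic on POSIX and on Windows
    except BaseException:
        # Never leave a half-written temp file around on failure.
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise
    return True


def load_offsets(offsets_dir, feed_name):
    """Returns the stored offsets, or an empty dict if none were recorded yet."""
    path = os.path.join(offsets_dir, feed_name + ".json")
    if not os.path.exists(path):
        return {}
    with open(path) as fh:
        return json.load(fh)


def demo():
    """Reproduces the missing-directory failure, then shows the hardened path.

    Returns (fragile_ok, robust_ok, roundtrip_ok).
    """
    base = tempfile.mkdtemp()
    # Mirror the add-on layout: <app>/bin/offsets, deliberately not created.
    missing_dir = os.path.join(base, "bin", "offsets")
    feed = "demo_Detections_feed_num_0"  # constructed feed name
    fragile_ok = record_offsets_fragile(missing_dir, feed, SAMPLE_OFFSETS)
    robust_ok = record_offsets_robust(missing_dir, feed, SAMPLE_OFFSETS)
    roundtrip_ok = load_offsets(missing_dir, feed) == SAMPLE_OFFSETS
    return fragile_ok, robust_ok, roundtrip_ok


if __name__ == "__main__":
    print(demo())  # (False, True, True)
```

Running the block on a Python 3 interpreter shows the fragile writer failing exactly as the add-on's log does, while the robust writer succeeds against the same missing directory and the stored offsets can be read back intact. The same approach applies to any modular input that persists checkpoint state under the app's own directory, which is also why the post's note about deployment exclusions matters: a deployer that overwrites the app directory silently wipes that state.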
There will be an OAuth2 version very soon. It's currently being tested.
Nothing yet. The team is testing it currently but should be released in late July.
Will the new version support Splunk 7.2/7.3?
Any update on the new CrowdStrike add-on that supports OAuth2-based authentication?
Any update on this?