How to configure Sophos Add-on for Splunk?

wmcglasson_ccu
New Member

We're a Splunk Cloud customer. I understand we can't install this add-on on our search head because inputs are not allowed on the SH for Splunk Cloud. So, I installed it on an on-prem heavy forwarder that's already sending a bunch of data to Splunk Cloud and configured the inputs through the web interface with all of the required information, which included the API Gateway, API Key and Authorization. Everything looks to be in order, but I'm not seeing any data in Splunk Cloud in the index I configured. I checked the /opt/splunk/etc/apps/SophosAddOnForSplunk/local/inputs.conf file and everything there looks proper. I also checked firewall logs and I don't see any attempts to reach Sophos Central. The add-on didn't come with any documentation, so I'm not sure where to begin troubleshooting. Any help appreciated!

0 Karma
1 Solution

twinpeakslog
Explorer

I'm also having a similar issue, the add-on creates sophosaddonforsplunk_sophos_central_events.log & sophosaddonforsplunk_sopho_central_alerts.log in $SPLUNK_HOME/var/log/. Do you see any errors in that log?

0 Karma

wmcglasson_ccu
New Member

I do actually. Didn't realize those logs existed so thanks for pointing them out. Looks like both logs repeat the error "HTTPError: HTTP 402 Payment Required -- Requires license feature='KVStore'". Here's the full text:

2018-11-06 17:58:52,747 INFO pid=58417 tid=MainThread file=splunk_rest_client.py:_request_handler:100 | Use HTTP connection pooling
2018-11-06 17:58:52,748 INFO pid=58417 tid=MainThread file=connectionpool.py:_new_conn:758 | Starting new HTTPS connection (1): 127.0.0.1
2018-11-06 17:58:52,753 WARNING pid=58417 tid=MainThread file=utils.py:wrapper:157 | Run function: _get_collection_data failed: Traceback (most recent call last):
File "/opt/splunk/etc/apps/SophosAddOnForSplunk/bin/sophosaddonforsplunk/solnlib/utils.py", line 154, in wrapper
return func(*args, **kwargs)
File "/opt/splunk/etc/apps/SophosAddOnForSplunk/bin/sophosaddonforsplunk/solnlib/modular_input/checkpointer.py", line 190, in _get_collection_data
kvstore.get(name=collection_name)
File "/opt/splunk/etc/apps/SophosAddOnForSplunk/bin/sophosaddonforsplunk/solnlib/packages/splunklib/client.py", line 1648, in get
return super(Collection, self).get(name, owner, app, sharing, **query)
File "/opt/splunk/etc/apps/SophosAddOnForSplunk/bin/sophosaddonforsplunk/solnlib/packages/splunklib/client.py", line 746, in get
**query)
File "/opt/splunk/etc/apps/SophosAddOnForSplunk/bin/sophosaddonforsplunk/solnlib/packages/splunklib/binding.py", line 287, in wrapper
return request_fun(self, *args, **kwargs)
File "/opt/splunk/etc/apps/SophosAddOnForSplunk/bin/sophosaddonforsplunk/solnlib/packages/splunklib/binding.py", line 69, in new_f
val = f(*args, **kwargs)
File "/opt/splunk/etc/apps/SophosAddOnForSplunk/bin/sophosaddonforsplunk/solnlib/packages/splunklib/binding.py", line 665, in get
response = self.http.get(path, self._auth_headers, **query)
File "/opt/splunk/etc/apps/SophosAddOnForSplunk/bin/sophosaddonforsplunk/solnlib/packages/splunklib/binding.py", line 1160, in get
return self.request(url, { 'method': "GET", 'headers': headers })
File "/opt/splunk/etc/apps/SophosAddOnForSplunk/bin/sophosaddonforsplunk/solnlib/packages/splunklib/binding.py", line 1221, in request
raise HTTPError(response)
HTTPError: HTTP 402 Payment Required -- Requires license feature='KVStore'

Looks like my heavy forwarder needs a feature license from Splunk?

0 Karma

guarisma
Contributor

Yes, if you need the KVStore feature on your HF, then you need an Enterprise license.

0 Karma

Becherer
Explorer

@twinpeakslog

I am having an issue as well. Here are the logs from the file. Any ideas?

Traceback (most recent call last):
File "/splunkent/splunk/etc/apps/SophosAddOnForSplunk/bin/sophosaddonforsplunk/modinput_wrapper/base_modinput.py", line 127, in stream_events
self.collect_events(ew)
File "/splunkent/splunk/etc/apps/SophosAddOnForSplunk/bin/sopho_central_alerts.py", line 80, in collect_events
input_module.collect_events(self, ew)
File "/splunkent/splunk/etc/apps/SophosAddOnForSplunk/bin/input_module_sopho_central_alerts.py", line 92, in collect_events
response.raise_for_status()
File "/splunkent/splunk/etc/apps/SophosAddOnForSplunk/bin/sophosaddonforsplunk/requests/models.py", line 893, in raise_for_status
raise HTTPError(http_error_msg, response=self)
HTTPError: 403 Client Error: Forbidden for url: https://api1.central.sophos.com/gateway/siem/v1/alerts/?limit=1000&from_date=1580236344

0 Karma

lznger88ncc
Engager

I am having the same issue. Did you end up resolving this?

0 Karma

wmcglasson_ccu
New Member

Well, an HTTP 403 is a permissions or authentication issue. I would verify the details of the API token you are using.

0 Karma

twinpeakslog
Explorer

Is your heavy forwarder pointing to your license master? Also, there's an option to turn on debug logging, which might provide better insight.

0 Karma

wmcglasson_ccu
New Member

Thank you for the help! I worked with Splunk support to install a full "Splunk Cloud Enterprise Subscription" license on the heavy forwarder, and that resolved the KVStore feature error message. I now have Sophos Central logs in our Splunk Cloud instance. It's possible that simply pointing the heavy forwarder to my license master might have resolved the issue, too.

It's weird because the heavy forwarder already had the "Splunk Forwarder" and "Splunk Free" licenses, and the Splunk Free licenses indicated explicitly that it includes the "KVStore" feature, so I'm not sure why the full Splunk Cloud Enterprise Subscription license was required. Splunk support didn't have an answer to that, either.

0 Karma
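The thread above boils down to three distinct failure layers that all show up only in the add-on's own log files, not in Splunk's index: the HTTP 402 KVStore error (splunkd licensing on the heavy forwarder), the HTTP 403 from api1.central.sophos.com (the Sophos credential), and the case the original poster first saw, no outbound connection at all. The script below is an added example, not code from the add-on, from Splunk or from anyone in this thread. It reads the two log files named in the accepted answer under $SPLUNK_HOME/var/log (the directory and the default /opt/splunk are assumptions; the alerts file keeps the add-on's own "sopho" spelling) and classifies each error line. The 402 and 403 patterns are taken from the tracebacks quoted above; the connection-error rule, the requests-style ConnectionError sample line and the next-step advice are my additions, not anything the add-on documents.

```python
"""Triage the Sophos Add-on for Splunk modular-input logs.

Added example, not part of the add-on or of Splunk. It reads the two log
files the add-on writes under $SPLUNK_HOME/var/log and maps the errors
quoted in this thread to the layer that is failing: splunkd licensing on
the heavy forwarder (HTTP 402 KVStore), Sophos Central authorization
(HTTP 403), or the egress path to the API gateway (connection errors).
"""
import os
import re

LOG_NAMES = (
    "sophosaddonforsplunk_sophos_central_events.log",
    "sophosaddonforsplunk_sopho_central_alerts.log",  # spelled as the add-on writes it
)

# (cause tag, regex over one log line, diagnosis, next step)
RULES = [
    ("license",
     re.compile(r"HTTP 402 Payment Required.*license feature='KVStore'"),
     "splunkd on the heavy forwarder has no license that grants KVStore, so the "
     "add-on cannot read or write its checkpoint collection",
     "point the HF at the license master (or install an Enterprise license) and "
     "restart splunkd; the Sophos side has not been reached yet"),
    ("sophos_auth",
     re.compile(r"403 Client Error: Forbidden for url: (?P<url>https://\S+)"),
     "Sophos Central accepted the TLS connection but rejected the credential",
     "re-check the API Gateway, API Key and Authorization values in "
     "local/inputs.conf against the credential shown in Sophos Central"),
    ("network",  # assumed pattern for requests-style connection failures
     re.compile(r"ConnectionError|Max retries exceeded|Connection refused|timed out"),
     "the HF never completed a request to the gateway host",
     "check egress firewall and proxy settings for TCP/443 to the gateway host"),
]


def triage_lines(lines):
    """Classify log lines; returns one finding dict per matching line."""
    findings = []
    for line in lines:
        for cause, pattern, diagnosis, next_step in RULES:
            m = pattern.search(line)
            if m:
                findings.append({
                    "cause": cause,
                    "diagnosis": diagnosis,
                    "next_step": next_step,
                    "url": m.groupdict().get("url"),  # only the 403 rule captures one
                    "evidence": line.strip(),
                })
                break  # first matching rule wins
    return findings


def triage_logs(splunk_home=None):
    """Scan both add-on log files; a missing file maps to None (wrong host, or the input never ran)."""
    splunk_home = splunk_home or os.environ.get("SPLUNK_HOME", "/opt/splunk")
    results = {}
    for name in LOG_NAMES:
        path = os.path.join(splunk_home, "var", "log", name)
        if not os.path.isfile(path):
            results[name] = None
            continue
        with open(path, encoding="utf-8", errors="replace") as fh:
            results[name] = triage_lines(fh)
    return results


# Constructed sample: the 402 and 403 lines are the ones quoted in the thread,
# the ConnectionError line is made up to exercise the third rule.
SAMPLE_LOG = """\
2018-11-06 17:58:52,748 INFO pid=58417 tid=MainThread file=connectionpool.py:_new_conn:758 | Starting new HTTPS connection (1): 127.0.0.1
HTTPError: HTTP 402 Payment Required -- Requires license feature='KVStore'
HTTPError: 403 Client Error: Forbidden for url: https://api1.central.sophos.com/gateway/siem/v1/alerts/?limit=1000&from_date=1580236344
ConnectionError: HTTPSConnectionPool(host='api1.central.sophos.com', port=443): Max retries exceeded with url: /gateway/siem/v1/events/
"""

if __name__ == "__main__":
    for f in triage_lines(SAMPLE_LOG.splitlines()):
        print(f"[{f['cause']}] {f['diagnosis']}\n    next: {f['next_step']}")
    for name, findings in triage_logs().items():
        print(name, "missing" if findings is None else f"{len(findings)} finding(s)")
```

Run it on the heavy forwarder as the splunk user; a 402 finding means the request never left the box, so there is nothing to look for in the firewall logs, which matches what the original poster observed. A 403 finding carries the exact URL that was rejected, which tells you which gateway host and endpoint the input is using before you start rotating keys.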