All Apps and Add-ons

How to configure Sophos Add-on for Splunk?

New Member

We're a Splunk Cloud customer. I understand we can't install this add-on to our search head because inputs are not allowed on the SH for Splunk Cloud. So, I installed it on an on-prem heavy forwarder that's already sending a bunch of data to Splunk Cloud and configured the inputs through the web interface with all of the required information, which included the API Gateway, API Key and Authorization. Everything looks to be in order, but I'm not seeing any data in Splunk Cloud in the index I configured. I checked the /opt/splunk/etc/apps/SophosAddOnForSplunk/local/inputs.conf file and everything there looks proper. I also checked firewall logs and I don't see any attempts to reach Sophos Central. The add-on didn't come with any documentation so I'm not sure where to begin troubleshooting. Any help appreciated!

0 Karma
1 Solution

Explorer

I'm also having a similar issue, the add-on creates sophosaddonforsplunk_sophos_central_events.log & sophosaddonforsplunk_sopho_central_alerts.log in $SPLUNK_HOME/var/log/. Do you see any errors in that log?

0 Karma

New Member

I do actually. Didn't realize those logs existed so thanks for pointing them out. Looks like both logs repeat the error "HTTPError: HTTP 402 Payment Required -- Requires license feature='KVStore'". Here's the full text:

2018-11-06 17:58:52,747 INFO pid=58417 tid=MainThread file=splunk_rest_client.py:_request_handler:100 | Use HTTP connection pooling
2018-11-06 17:58:52,748 INFO pid=58417 tid=MainThread file=connectionpool.py:_new_conn:758 | Starting new HTTPS connection (1): 127.0.0.1
2018-11-06 17:58:52,753 WARNING pid=58417 tid=MainThread file=utils.py:wrapper:157 | Run function: _get_collection_data failed: Traceback (most recent call last):
  File "/opt/splunk/etc/apps/SophosAddOnForSplunk/bin/sophosaddonforsplunk/solnlib/utils.py", line 154, in wrapper
    return func(*args, **kwargs)
  File "/opt/splunk/etc/apps/SophosAddOnForSplunk/bin/sophosaddonforsplunk/solnlib/modular_input/checkpointer.py", line 190, in _get_collection_data
    kvstore.get(name=collection_name)
  File "/opt/splunk/etc/apps/SophosAddOnForSplunk/bin/sophosaddonforsplunk/solnlib/packages/splunklib/client.py", line 1648, in get
    return super(Collection, self).get(name, owner, app, sharing, **query)
  File "/opt/splunk/etc/apps/SophosAddOnForSplunk/bin/sophosaddonforsplunk/solnlib/packages/splunklib/client.py", line 746, in get
    **query)
  File "/opt/splunk/etc/apps/SophosAddOnForSplunk/bin/sophosaddonforsplunk/solnlib/packages/splunklib/binding.py", line 287, in wrapper
    return request_fun(self, *args, **kwargs)
  File "/opt/splunk/etc/apps/SophosAddOnForSplunk/bin/sophosaddonforsplunk/solnlib/packages/splunklib/binding.py", line 69, in new_f
    val = f(*args, **kwargs)
  File "/opt/splunk/etc/apps/SophosAddOnForSplunk/bin/sophosaddonforsplunk/solnlib/packages/splunklib/binding.py", line 665, in get
    response = self.http.get(path, self._auth_headers, **query)
  File "/opt/splunk/etc/apps/SophosAddOnForSplunk/bin/sophosaddonforsplunk/solnlib/packages/splunklib/binding.py", line 1160, in get
    return self.request(url, { 'method': "GET", 'headers': headers })
  File "/opt/splunk/etc/apps/SophosAddOnForSplunk/bin/sophosaddonforsplunk/solnlib/packages/splunklib/binding.py", line 1221, in request
    raise HTTPError(response)
HTTPError: HTTP 402 Payment Required -- Requires license feature='KVStore'

Looks like my heavy forwarder needs a feature license from Splunk?

0 Karma

Communicator

Yes, if you need the KVStore feature in your HF then you need an Enterprise License.

0 Karma

Explorer

@twinpeakslog

I am having an issue as well. Here are the logs from the file. Any ideas?

Traceback (most recent call last):
  File "/splunkent/splunk/etc/apps/SophosAddOnForSplunk/bin/sophosaddonforsplunk/modinput_wrapper/base_modinput.py", line 127, in stream_events
    self.collect_events(ew)
  File "/splunkent/splunk/etc/apps/SophosAddOnForSplunk/bin/sopho_central_alerts.py", line 80, in collect_events
    input_module.collect_events(self, ew)
  File "/splunkent/splunk/etc/apps/SophosAddOnForSplunk/bin/input_module_sopho_central_alerts.py", line 92, in collect_events
    response.raise_for_status()
  File "/splunkent/splunk/etc/apps/SophosAddOnForSplunk/bin/sophosaddonforsplunk/requests/models.py", line 893, in raise_for_status
    raise HTTPError(http_error_msg, response=self)
HTTPError: 403 Client Error: Forbidden for url: https://api1.central.sophos.com/gateway/siem/v1/alerts/?limit=1000&from_date=1580236344

0 Karma
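The two tracebacks above fail on different sides of the pipeline: the 402 comes from the local splunkd REST API (127.0.0.1) while the add-on reads its KV store checkpoint collection, so Sophos is never contacted, whereas the 403 comes back from the Sophos Central SIEM API after the request went out. The following triage script is an added example, not part of the add-on or this thread; it scans the text of the sophosaddonforsplunk_*.log files for HTTPError lines and says which of the two conditions each one indicates. The sample log is constructed from the error lines quoted in the thread.

```python
import re
from typing import Dict, List

# Final line of the tracebacks the add-on writes to
# $SPLUNK_HOME/var/log/sophosaddonforsplunk_*.log. Two shapes appear there:
#   "HTTPError: HTTP 402 Payment Required -- Requires license feature='KVStore'"  (solnlib/splunklib)
#   "HTTPError: 403 Client Error: Forbidden for url: https://..."                 (requests)
HTTPERROR_RE = re.compile(r"HTTPError:\s*(?:HTTP\s+)?(?P<code>\d{3})\s+(?P<detail>.*)$")
URL_RE = re.compile(r"https?://\S+")


def parse_http_errors(log_text: str) -> List[Dict[str, str]]:
    """Return one record per HTTPError line: status code, detail text and URL (if any)."""
    found = []
    for line in log_text.splitlines():
        m = HTTPERROR_RE.search(line)
        if not m:
            continue
        url = URL_RE.search(m.group("detail"))
        found.append({"code": m.group("code"),
                      "detail": m.group("detail").strip(),
                      "url": url.group(0) if url else ""})
    return found


def classify(err: Dict[str, str]) -> str:
    """Map a parsed HTTPError to which side failed and what to check."""
    code, detail, url = err["code"], err["detail"], err["url"]
    if code == "402" and "KVStore" in detail:
        # Raised by local splunkd during the checkpoint lookup; the Sophos API was never reached.
        return "local splunkd: heavy forwarder lacks the KVStore license feature"
    if code in ("401", "403") and "central.sophos.com" in url:
        # Raised by the Sophos Central SIEM API: the request arrived but was refused.
        return "sophos api: verify the API Gateway, API Key and Authorization values for the input"
    return "unclassified HTTP %s; inspect the full traceback" % code


def triage(log_text: str) -> List[str]:
    """Deduplicated diagnoses for a log file's contents, in first-seen order."""
    seen: List[str] = []
    for err in parse_http_errors(log_text):
        diag = classify(err)
        if diag not in seen:
            seen.append(diag)
    return seen


# Constructed sample: one healthy INFO line plus the two error lines quoted in the thread.
SAMPLE_LOG = """\
2018-11-06 17:58:52,747 INFO pid=58417 tid=MainThread file=splunk_rest_client.py:_request_handler:100 | Use HTTP connection pooling
HTTPError: HTTP 402 Payment Required -- Requires license feature='KVStore'
HTTPError: 403 Client Error: Forbidden for url: https://api1.central.sophos.com/gateway/siem/v1/alerts/?limit=1000&from_date=1580236344
"""

if __name__ == "__main__":
    for line in triage(SAMPLE_LOG):
        print(line)
```

Run it against the real files with `triage(open(path).read())`; a 402 diagnosis means the fix is on the forwarder's license, and no Sophos-bound traffic should be expected in the firewall logs until it is resolved.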

Engager

I am having the same issue. Did you end up resolving this?

0 Karma

New Member

Well, an HTTP 403 is a permissions or authentication issue. I would verify the details of the API token you are using.

0 Karma

Explorer

Is your heavy forwarder pointing to your license master? Also, there's an option to turn on debug logging; that might provide better insight.

0 Karma

New Member

Thank you for the help! I worked with Splunk support to install a full "Splunk Cloud Enterprise Subscription" license on the heavy forwarder, and that resolved the KVStore feature error message. I now have Sophos Central logs in our Splunk Cloud instance. It's possible that simply pointing the heavy forwarder to my license master might have resolved the issue, too.

It's weird because the heavy forwarder already had the "Splunk Forwarder" and "Splunk Free" licenses, and the Splunk Free license indicated explicitly that it includes the "KVStore" feature, so I'm not sure why the full Splunk Cloud Enterprise Subscription license was required. Splunk support didn't have an answer to that, either.

0 Karma