How to troubleshoot why I'm not getting any events from ePO with Splunk DB Connect 1 and the Splunk Add-on for McAfee?

reswob4
Builder

My question is similar to the below:

http://answers.splunk.com/answers/179701/splunk-db-connect-why-am-i-getting-an-error-config.html

This saga started when I upgraded to 1.2 back on July 17. At the time I was running Java 1.7. Things got a little crazy and I never noticed that I stopped getting data from ePO. Fast forward to this week when I finally noticed that my ePO dashboards weren't working. While troubleshooting, I found that I needed to upgrade Java to 1.8, as DB Connect 1 version 1.2 didn't work with Java 1.7.

I upgraded to Java 1.8 and removed versions 1.6 and 1.7. So I now have DB Connect 1 version 1.2, and I also upgraded the Splunk Add-on for McAfee to version 2.1.1.

Splunk is installed on CentOS 6.5 and McAfee ePO 4.6.9 is running on a Windows 2008R2 server with MSSQL 2008R2.

The Java bridge is now running just fine.

But here's my problem. I am still not getting any events from ePO.

I've double/triple checked that the domain/username and password are correctly entered. I don't have any errors in splunkd.log, dbx.log or jbridge.log.

However, when I go to the Splunk DB Connect app and go into the Database Info page, which has the Database Tables panel, and I click the 'Fetch tables' button, I get nothing back (after, mind you, selecting the correct database in the drop-down above).

Also, when I go to Settings - External Databases - mydatabase and try to re-enter the domain/username and password, I get this error:

Encountered the following error while trying to update: In handler 'databases': Error connecting to database: com.ibm.db2.jcc.am.DisconnectNonTransientConnectionException: [jcc][t4][2043][11550][4.19.26] Exception java.net.ConnectException: Error opening socket to server /x.x.x.x on port 3,700 with message: Connection refused. ERRORCODE=-4499, SQLSTATE=08001

And if I go to Settings - Database Inputs - myinput and (without changing anything) click save, I get this error:

Encountered the following error while trying to update: Splunkd daemon is not responding: (u'Error connecting to /servicesNS/-/dbx/dbx/dbmon/dbmon-tail%3A%252F%252Fmcafee_epo_4_db%252Fta_mcafee_epo_4_input: The read operation timed out',)

And finally, if I go to the app itself and go to Settings - Splunk DB Connect configuration and click save (with or without changing anything), I get the following error:

Encountered the following error while trying to update: In handler 'localapps': Error while posting to url=/servicesNS/nobody/dbx/dbx/install/java

I'm wondering what else I can do. The two things I know I have not tried are 1) Uninstall and reinstall DB Connect 1 and 2) Install and use DB Connect 2.

Suggestions?

Thanks.

0 Karma
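As an added triage helper (not from the thread or from Splunk), the snippet below parses the three JDBC error strings quoted above and reports which stage each one failed at. The sample strings are abridged copies of the errors in the question; the `DOMAIN/username` and `x.x.x.x` values are the thread's own redactions.

```python
import re

# Abridged copies of the error messages posted in the thread (host and
# client IDs are already redacted there).
DBX_ERRORS = [
    "Error connecting to database: com.ibm.db2.jcc.am.DisconnectNonTransientConnectionException: "
    "[jcc][t4][2043][11550][4.19.26] Exception java.net.ConnectException: Error opening socket to "
    "server /x.x.x.x on port 3,700 with message: Connection refused. ERRORCODE=-4499, SQLSTATE=08001",
    "Validating connection with URL [jdbc:sqlserver://x.x.x.x:1433;databaseName=DATABASENAME;"
    "selectMethod=cursor;integratedSecurity=true;encrypt=true;trustServerCertificate=true] failed: "
    "com.microsoft.sqlserver.jdbc.SQLServerException: This driver is not configured for integrated authentication.",
    "Validating connection with URL [jdbc:sqlserver://x.x.x.x:1433;databaseName=DATABASENAME;"
    "selectMethod=cursor;encrypt=true;trustServerCertificate=true] failed: "
    "com.microsoft.sqlserver.jdbc.SQLServerException: Login failed for user 'DOMAIN/username'.",
]

DRIVER_RE = re.compile(r"\b(com\.(?:ibm\.db2|microsoft\.sqlserver)\.[\w.]+Exception)")
SOCKET_RE = re.compile(r"server /?(?P<host>[\w.\-]+) on port (?P<port>[\d,]+)")
JDBC_RE = re.compile(r"\[jdbc:(?P<scheme>\w+)://(?P<host>[^:;/\]]+):(?P<port>\d+)(?P<opts>[^\]]*)\]")


def triage(msg):
    """Return the driver class, target host/port, failure stage and a hint for one error string."""
    info = {"driver": None, "host": None, "port": None, "stage": "unknown", "hint": ""}
    m = DRIVER_RE.search(msg)
    if m:
        info["driver"] = m.group(1)
    # DB2's message names the socket; the MS driver echoes the JDBC URL instead.
    m = SOCKET_RE.search(msg) or JDBC_RE.search(msg)
    if m:
        info["host"] = m.group("host")
        info["port"] = int(m.group("port").replace(",", ""))  # "3,700" -> 3700
    if "Connection refused" in msg:
        info["stage"] = "tcp"
        info["hint"] = "nothing listening on host:port (check the port and any firewall)"
    elif "not configured for integrated authentication" in msg:
        info["stage"] = "auth-setup"
        info["hint"] = "integratedSecurity=true needs Windows native auth or Kerberos; use SQL auth or drop the flag"
    elif "Login failed for user" in msg:
        info["stage"] = "login"
        info["hint"] = "TCP and TLS succeeded; SQL Server rejected the credentials or the user lacks a DB grant"
    # The thread says the target is MSSQL 2008R2, so a DB2 JCC driver class in
    # the error means the wrong driver was selected for that database entry.
    if info["driver"] and info["driver"].startswith("com.ibm.db2"):
        info["hint"] = "DB2 driver class selected for an MSSQL database; " + info["hint"]
    return info
```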
1 Solution

reswob4
Builder

On wrap-up, I have the latest version of DB Connect 1 (1.2.2) and Java 1.7, and I finally got the connection working.

1.2.2 says it works with Java 1.8, but I'm staying with what works for now....

0 Karma

tskinnerivsec
Contributor

After you upgraded your Java version, did you verify in DB Connect that you configured the app with the new, correct Java path? Also, I don't remember dbx2 coming with the jar file for the driver. Take a look at this answers post, which clears a couple of things up.

http://answers.splunk.com/answers/233188/db-connect-and-java-versions.html

jcoates_splunk
Splunk Employee

We recently released 1.2.1 with the capability to use Java 7 and 8, to assist with this kind of transition.

reswob4
Builder

I'm at 1.2.1 for DB Connect 1.

0 Karma

reswob4
Builder

Disabled DB Connect 1 and tried installing DB Connect 2. Followed the instructions for configuring.

This is what I get now:

If I try MS SQL server using MS Generic Driver with Windows authentication both with and without checking SSL:
Validating connection with URL [jdbc:sqlserver://x.x.x.x:1433;databaseName=DATABASENAME;selectMethod=cursor;integratedSecurity=true;encrypt=true;trustServerCertificate=true] failed: com.microsoft.sqlserver.jdbc.SQLServerException:com.microsoft.sqlserver.jdbc.SQLServerException: This driver is not configured for integrated authentication. ClientConnectionId:XXXXXXXXXXXXXXXXXXXXXXXXXXXX

If I try MS SQL server using MS Generic Driver both with and without SSL:

Validating connection with URL [jdbc:sqlserver://x.x.x.x:1433;databaseName=DATABASENAME;selectMethod=cursor;encrypt=true;trustServerCertificate=true] failed: com.microsoft.sqlserver.jdbc.SQLServerException:com.microsoft.sqlserver.jdbc.SQLServerException: Login failed for user 'DOMAIN/username'. ClientConnectionId:XXXXXXXXXXXXXXXXXX

0 Karma

tskinnerivsec
Contributor

Does the DOMAIN/username account exist in your MSSQL instance, and does it have access rights to the ePO database?

0 Karma

reswob4
Builder

Yes. Verified by using MS SQL Studio Manager and connecting to the DB that way.

0 Karma

dbabanov
Path Finder

Hi!
Did you resolve your problem?

I have the same error.

0 Karma

reswob4
Builder

No, I now have a support ticket in. Also, I upgraded from 6.2 to 6.3 and that broke other things (sigh), and I have a ticket in for that. If/when this gets fixed, I'll post an update. (On a side note, I've had problems connecting to ePO's DB with other SIEMs as well.)

0 Karma

tskinnerivsec
Contributor

The ePO database seems to have been causing everyone else issues for years. When will McAfee ever wise up and include an option to dump a copy of log files to the filesystem like Symantec (one of the only features that I really like about their AV management console)?

0 Karma

masonmorales
Influencer

1. Can you do a telnet to your database from the Splunk server you are running DB Connect on? Connection refused seems to imply a firewall issue.
2. Use DB Connect v2; it's much more reliable and easier to use than v1.

0 Karma

reswob4
Builder

I can telnet to that port and it accepts that connection.

The path is right.

Putting the driver .jar files in didn't help.

I'm going to try and install DBX2 to see if that works...

0 Karma

tskinnerivsec
Contributor

I've always had issues getting dbx v2 to tail a rising column correctly, and never had that issue with dbx 1.x.

0 Karma