All Apps and Add-ons

Netwitness API: Authentication failure for search app- but not full sessions app

kprior201_lilly
Path Finder

When using the search app for RSA Netwitness, I receive the following errors.
However, when I use the non-search version of the app, I have no issues with authentication.
The credentials and environments are exactly the same otherwise. I've tried using the PassAuth and configuration file authentication options, but I get the same results regardless. Any advice?

ERROR: Check settings in nwsdk_query.conf.
ERROR: Couldn't read authentication details PassAuth or from nwsdk_query.conf.
0 Karma
1 Solution

rataide
Path Finder

Hi!

Did you configured them via the UI in both cases? Each app will need it's passwords.conf version and each server uses a different key to encrypt these.

If hard-coded just remove the PassAuth line in inputs.conf. Also could you share the exact error, could it be an issue with the query instead? The non-query version of the app works in a different way retrieving the data based on sessions not on a specific query. The complete equivalent would be:

query=select *

Hope this helps!

Thank you,

Rui

View solution in original post

rataide
Path Finder

Hi!

Did you configured them via the UI in both cases? Each app will need it's passwords.conf version and each server uses a different key to encrypt these.

If hard-coded just remove the PassAuth line in inputs.conf. Also could you share the exact error, could it be an issue with the query instead? The non-query version of the app works in a different way retrieving the data based on sessions not on a specific query. The complete equivalent would be:

query=select *

Hope this helps!

Thank you,

Rui

kprior201_lilly
Path Finder

I did try to configure via UI, but I've reverted to the hard coding for testing at least. I saw in a different post that there may be a SSO issue, so I figured I'd start there.

The query I'm using is exactly the one you mentioned above just so I can verify functionality. I'm trying to work around the issue by creating the filter within Netwitness itself for the time being, but it's not cooperating either (of course). haha.

0 Karma

rataide
Path Finder

Hell again,

Just wondering if you were able to solve the issue?

Thank you,

Rui

rataide
Path Finder

Yes, SSO is an issue. If that is the case then hard-coded should work but you need to remove the PassAuth config setting in inputs.conf.

And yes, the approach of controlling with something on the NetWitness side is ideal as on the Splunk side it would require a restart.

So something like below would be ideal

query = select * where alert='Splunk_alert'

0 Karma
Get Updates on the Splunk Community!

Splunk Observability Cloud | Unified Identity - Now Available for Existing Splunk ...

Raise your hand if you’ve already forgotten your username or password when logging into an account. (We can’t ...

Index This | How many sides does a circle have?

February 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

Registration for Splunk University is Now Open!

Are you ready for an adventure in learning?   Brace yourselves because Splunk University is back, and it's ...