
Netwitness API: Authentication failure for search app, but not full sessions app

kprior201_lilly
Path Finder

When using the search app for RSA Netwitness, I receive the following errors.
However, when I use the non-search version of the app, I have no issues with authentication.
The credentials and environments are exactly the same otherwise. I've tried using the PassAuth and configuration file authentication options, but I get the same results regardless. Any advice?

ERROR: Check settings in nwsdk_query.conf.
ERROR: Couldn't read authentication details PassAuth or from nwsdk_query.conf.

rataide
Path Finder

Hi!

Did you configure them via the UI in both cases? Each app will need its passwords.conf version, and each server uses a different key to encrypt these.

If hard-coded, just remove the PassAuth line in inputs.conf. Also, could you share the exact error? Could it be an issue with the query instead? The non-query version of the app works in a different way, retrieving the data based on sessions, not on a specific query. The complete equivalent would be:

query=select *

Hope this helps!

Thank you,

Rui

kprior201_lilly
Path Finder

I did try to configure via UI, but I've reverted to the hard coding for testing at least. I saw in a different post that there may be an SSO issue, so I figured I'd start there.

The query I'm using is exactly the one you mentioned above just so I can verify functionality. I'm trying to work around the issue by creating the filter within Netwitness itself for the time being, but it's not cooperating either (of course). haha.


rataide
Path Finder

Hello again,

Just wondering if you were able to solve the issue?

Thank you,

Rui

rataide
Path Finder

Yes, SSO is an issue. If that is the case then hard-coded should work but you need to remove the PassAuth config setting in inputs.conf.

And yes, the approach of controlling with something on the NetWitness side is ideal as on the Splunk side it would require a restart.

So something like below would be ideal

query = select * where alert='Splunk_alert'
