OPSEC LEA 2.0 Issue with auth keys

kenth
Splunk Employee

I am getting the following errors. I am guessing it's because somehow it's not able to retrieve the auth keys in $HOME/.splunk... the documentation says diddlysquat about this. Anyone figured this out?

DEBUG: LOGGRABBER configuration file is: /opt/splunk/etc/apps/splunk_opseclea/bin/fw1-loggrabber.conf
DEBUG: function logging_init_env
DEBUG: function open_screen
DEBUG: Open connection to screen.
DEBUG: Logfilename : fw.log
DEBUG: Record Separator : |
DEBUG: Resolve Addresses: No
DEBUG: Show Filenames : No
DEBUG: FW1-2000 : No
DEBUG: Online-Mode : No
DEBUG: Audit-Log : No
DEBUG: Show Fieldnames : Yes
DEBUG: function get_fw1_logfiles
splunk internal call command: $SPLUNK_HOME/bin/splunk _internal call /servicesNS/nobody/splunk_opseclea/opsec/opsec_conf/CP
splunk output: QUERYING: 'https://127.0.0.1:8089/servicesNS/nobody/splunk_opseclea/opsec/opsec_conf/CP'
FAILED: 'HTTP/1.1 401 Unauthorized'
Content:
<?xml version="1.0" encoding="UTF-8"?>


call not properly authenticated

splunkd request failed, 401:
$SPLUNK_HOME/bin/splunk _internal call /servicesNS/nobody/splunk_opseclea/opsec/opsec_conf/CP
QUERYING: 'https://127.0.0.1:8089/servicesNS/nobody/splunk_opseclea/opsec/opsec_conf/CP'
FAILED: 'HTTP/1.1 401 Unauthorized'
Content:
<?xml version="1.0" encoding="UTF-8"?>


call not properly authenticated

ERROR: unable to get splunk lea config arguments
DEBUG: function exit_loggrabber
DEBUG: function free_lfield_arrays
DEBUG: function free_afield_arrays
DEBUG: function free_lfield_arrays
DEBUG: function free_afield_arrays
[root@sbidcsplfwd-slog01 bin]#

dart
Splunk Employee

Further to my comment - to run this manually you need to:

SPLUNK_TOK=$auth_key
export SPLUNK_TOK

And to get the auth key:

curl -k -u admin:pass https://localhost:8089/services/auth/login   \
 -d username=admin -d password=pass

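The procedure from the accepted answer above as a runnable script, added here and not code from the OPSEC LEA app or from the thread: it logs in at /services/auth/login, extracts the session key from the response, and uses that key (or one supplied by passAuth or the SPLUNK_TOK export) for the opsec_conf call that fw1-loggrabber fails on. SPLUNK_URL, SPLUNK_USER and SPLUNK_PASS are assumed variable names, and the script assumes passAuth hands the key to a scripted input on stdin.

```shell
#!/bin/sh
# Added example (not the OPSEC LEA app's code): the two steps from the accepted
# answer. Assumed: SPLUNK_URL, SPLUNK_USER, SPLUNK_PASS, and that passAuth
# delivers the session key on the script's stdin (Splunk's scripted-input behaviour).
set -eu
SPLUNK_URL="${SPLUNK_URL:-https://127.0.0.1:8089}"
ENDPOINT="/servicesNS/nobody/splunk_opseclea/opsec/opsec_conf/CP"

# Extract <sessionKey>...</sessionKey> from a login response passed as $1.
parse_session_key() {
  printf '%s\n' "$1" | sed -n 's#.*<sessionKey>\([^<]*\)</sessionKey>.*#\1#p' | head -n 1
}

# Pick the key: one handed in by passAuth ($1) wins, then the SPLUNK_TOK
# export from the accepted answer. Returns 1 when neither is available.
resolve_session_key() {
  if [ -n "${1:-}" ]; then printf '%s' "$1"
  elif [ -n "${SPLUNK_TOK:-}" ]; then printf '%s' "$SPLUNK_TOK"
  else return 1
  fi
}

# Log in and print a fresh session key. The form body is piped in (-d @-) so
# the password does not show up in the process list as "-d password=pass"
# does. Values containing & % or + would need URL-encoding first.
splunk_login() {
  resp=$(printf 'username=%s&password=%s' "$SPLUNK_USER" "$SPLUNK_PASS" |
    curl -sk -d @- "$SPLUNK_URL/services/auth/login")  # -k: self-signed localhost cert
  parse_session_key "$resp"
}

# Call the endpoint with "Authorization: Splunk <key>"; no session file under
# $HOME/.splunk is needed, which matters when $HOME is not writable.
call_opsec_conf() {
  curl -sk -H "Authorization: Splunk $1" "$SPLUNK_URL$ENDPOINT"
}

main() {
  stdin_key=""
  [ -t 0 ] || stdin_key=$(head -n 1 | tr -d '\r\n')  # passAuth arrives here
  key=$(resolve_session_key "$stdin_key") || key=$(splunk_login)
  [ -n "$key" ] || { echo "no session key available" >&2; exit 1; }
  call_opsec_conf "$key"
}

# "login" prints a key, "call" runs the request; with no argument the script
# only defines the functions, so it can be sourced.
case "${1:-}" in
  login) splunk_login ;;
  call)  main ;;
esac
```

Run it as `./opsec_lea_session.sh call` by hand (with SPLUNK_USER/SPLUNK_PASS or SPLUNK_TOK set), or reference it with the `call` argument from the scripted input stanza so the passAuth key on stdin is used.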
kenth
Splunk Employee

Actually I get nothing in $HOME when I run it with curl, but only if I do "splunk login".

Is it sufficient to leave passAuth = admin?

kenth
Splunk Employee

Would this be the same when running inside Splunk? What directory would that be then? I suppose that would be under the user running splunk. So /home/splunk/.splunk would be $HOME....

Actually I am running as root and I am able to get credentials written to $HOME/.splunk when I manually run the curl command.

araitz
Splunk Employee

If splunkd is restarted, a new session key will be provided by passAuth. The problem is that your $HOME directory is not writable. Without a writable $HOME, splunk cannot store any session information on the command line.

kenth
Splunk Employee

I get the same error when it runs as a scripted input as well.

kenth
Splunk Employee

And what if splunkd is restarted?

araitz
Splunk Employee

This is correct, we assume that we are running as a scripted input in the Splunk runtime and that passAuth is providing us a valid Splunk session key.

dart
Splunk Employee

How are you testing this? The command needs to be able to get data from Splunk's API and expects to be called by Splunk which will pass in credentials. This doc runs through the options for enabling debug logging: http://docs.splunk.com/Documentation/OPSEC-LEA/latest/Install/Enabledebugging
