
SSL Certificate Failures in Sophos Add-on for Splunk

I'm trying to get the Sophos Add-on for Splunk set up to begin ingesting logs from Sophos Central, but I'm running into some errors.

First, I saw the following message in Splunk:

msg="A script exited abnormally" input="/opt/splunk/etc/apps/SophosAddOnForSplunk/bin/" stanza="sophos_central_events://SophosCentralEvents" status="exited with code 1"

Searching through the sourcetypes "sophos:central:events" and "sophos:central:alerts" showed events that only say errorCode=403.

Searching through /opt/splunk/var/log/splunk/sophosaddonforsplunk_sophos_central_events.log revealed the following errors:
2019-01-18 16:42:55,383 INFO pid=642 tid=MainThread | Starting new HTTPS connection (1):
2019-01-18 16:42:56,544 INFO pid=642 tid=MainThread | Starting new HTTPS connection (1):
2019-01-18 16:42:58,597 INFO pid=642 tid=MainThread | Starting new HTTPS connection (1):
2019-01-18 16:43:00,622 INFO pid=642 tid=MainThread | Log level is not set, use default INFO
2019-01-18 16:43:00,623 INFO pid=642 tid=MainThread | Use HTTP connection pooling
2019-01-18 16:43:00,624 INFO pid=642 tid=MainThread | Starting new HTTPS connection (1):
2019-01-18 16:43:00,645 INFO pid=642 tid=MainThread | Proxy is not enabled!
2019-01-18 16:43:00,791 ERROR pid=642 tid=MainThread | Get error when collecting events.
Traceback (most recent call last):
  File "/opt/splunk/etc/apps/SophosAddOnForSplunk/bin/sophosaddonforsplunk/modinput_wrapper/", line 127, in stream_events
  File "/opt/splunk/etc/apps/SophosAddOnForSplunk/bin/", line 80, in collect_events
    input_module.collect_events(self, ew)
  File "/opt/splunk/etc/apps/SophosAddOnForSplunk/bin/", line 89, in collect_events
  File "/opt/splunk/etc/apps/SophosAddOnForSplunk/bin/sophosaddonforsplunk/modinput_wrapper/", line 476, in send_http_request
    proxy_uri=self._get_proxy_uri() if use_proxy else None)
  File "/opt/splunk/etc/apps/SophosAddOnForSplunk/bin/sophosaddonforsplunk/splunk_aoblib/", line 43, in send_http_request
    return self.http_session.request(method, url, **requests_args)
  File "/opt/splunk/etc/apps/SophosAddOnForSplunk/bin/sophosaddonforsplunk/requests/", line 488, in request
    resp = self.send(prep, **send_kwargs)
  File "/opt/splunk/etc/apps/SophosAddOnForSplunk/bin/sophosaddonforsplunk/requests/", line 609, in send
    r = adapter.send(request, **kwargs)
  File "/opt/splunk/etc/apps/SophosAddOnForSplunk/bin/sophosaddonforsplunk/requests/", line 497, in send
    raise SSLError(e, request=request)
SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:741)

However, looking at the CA certificates being looked at by the Python scripts, which for me are located in /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem, everything looks normal. These are the same SSL certificates that have worked to connect to other cloud apps (such as our two-factor authentication) for logs.

Has anyone else run into this issue? Is there a fix? I haven't been able to find any, and there is no documentation on this add-on.
