
SSL Certificate Failures in Sophos Add-on for Splunk


Hello,

I'm trying to get the Sophos Add-on for Splunk set up to begin ingesting logs from Sophos Central, but I'm running into some errors.

First, I saw the following message in Splunk:

msg="A script exited abnormally" input="/opt/splunk/etc/apps/SophosAddOnForSplunk/bin/sophos_central_events.py" stanza="sophos_central_events://SophosCentralEvents" status="exited with code 1"

Searching through the sourcetypes "sophos:central:events" and "sophos:central:alerts" showed events that only said errorCode=403.

Searching through /opt/splunk/var/log/splunk/sophosaddonforsplunk_sophos_central_events.log revealed the following errors:
2019-01-18 16:42:55,383 INFO pid=642 tid=MainThread file=connectionpool.py:_new_conn:758 | Starting new HTTPS connection (1): 127.0.0.1
2019-01-18 16:42:56,544 INFO pid=642 tid=MainThread file=connectionpool.py:_new_conn:758 | Starting new HTTPS connection (1): 127.0.0.1
2019-01-18 16:42:58,597 INFO pid=642 tid=MainThread file=connectionpool.py:_new_conn:758 | Starting new HTTPS connection (1): 127.0.0.1
2019-01-18 16:43:00,622 INFO pid=642 tid=MainThread file=setup_util.py:log_info:114 | Log level is not set, use default INFO
2019-01-18 16:43:00,623 INFO pid=642 tid=MainThread file=splunk_rest_client.py:_request_handler:100 | Use HTTP connection pooling
2019-01-18 16:43:00,624 INFO pid=642 tid=MainThread file=connectionpool.py:_new_conn:758 | Starting new HTTPS connection (1): 127.0.0.1
2019-01-18 16:43:00,645 INFO pid=642 tid=MainThread file=setup_util.py:log_info:114 | Proxy is not enabled!
2019-01-18 16:43:00,791 ERROR pid=642 tid=MainThread file=base_modinput.py:log_error:307 | Get error when collecting events.
Traceback (most recent call last):
File "/opt/splunk/etc/apps/SophosAddOnForSplunk/bin/sophosaddonforsplunk/modinput_wrapper/base_modinput.py", line 127, in stream_events
self.collect_events(ew)
File "/opt/splunk/etc/apps/SophosAddOnForSplunk/bin/sophos_central_events.py", line 80, in collect_events
input_module.collect_events(self, ew)
File "/opt/splunk/etc/apps/SophosAddOnForSplunk/bin/input_module_sophos_central_events.py", line 89, in collect_events
use_proxy=True)
File "/opt/splunk/etc/apps/SophosAddOnForSplunk/bin/sophosaddonforsplunk/modinput_wrapper/base_modinput.py", line 476, in send_http_request
proxy_uri=self._get_proxy_uri() if use_proxy else None)
File "/opt/splunk/etc/apps/SophosAddOnForSplunk/bin/sophosaddonforsplunk/splunk_aoblib/rest_helper.py", line 43, in send_http_request
return self.http_session.request(method, url, **requests_args)
File "/opt/splunk/etc/apps/SophosAddOnForSplunk/bin/sophosaddonforsplunk/requests/sessions.py", line 488, in request
resp = self.send(prep, **send_kwargs)
File "/opt/splunk/etc/apps/SophosAddOnForSplunk/bin/sophosaddonforsplunk/requests/sessions.py", line 609, in send
r = adapter.send(request, **kwargs)
File "/opt/splunk/etc/apps/SophosAddOnForSplunk/bin/sophosaddonforsplunk/requests/adapters.py", line 497, in send
raise SSLError(e, request=request)
SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:741)

However, looking at the CA certificates used by the Python scripts, which for me are located in /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem, everything looks normal. These are the same SSL certificates that have worked to connect to other cloud apps (such as our two-factor authentication) for logs.

Has anyone else run into this issue? Is there a fix? I haven't been able to find any, and there is no documentation on this add-on.

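A diagnostic to run on the Splunk host before assuming the OS trust store is what failed. This is an added example, not code from the post or from the Sophos add-on: the traceback shows the add-on calling a copy of `requests` vendored under `sophosaddonforsplunk/requests`, and `requests` does not read the OS bundle by default; it resolves its CA file from `REQUESTS_CA_BUNDLE`, then `CURL_CA_BUNDLE`, then the `certifi` bundle it ships with. The system path is the one from the question; `SAMPLE_BUNDLE` is a constructed placeholder, and the certifi path is only used if that module imports.

```python
"""Report which CA bundle a requests-based modular input will actually trust."""
import os
import re
import ssl

SYSTEM_BUNDLE = "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem"  # path from the question
_PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)

# Constructed stand-in for a bundle file; the base64 body is a placeholder, not a real cert.
SAMPLE_BUNDLE = "-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n" * 2


def resolve_requests_bundle(environ, certifi_default):
    """Mirror the lookup order requests uses for verify=True with trust_env enabled.

    Returns (path, source) so the operator can see *why* a bundle was chosen.
    An empty environment value is treated as unset, as requests does.
    """
    for var in ("REQUESTS_CA_BUNDLE", "CURL_CA_BUNDLE"):
        if environ.get(var):
            return environ[var], var
    return certifi_default, "certifi"


def count_pem_certs(bundle_text):
    """Count CERTIFICATE blocks in PEM text; 0 means nothing would be trusted."""
    return len(_PEM_CERT.findall(bundle_text))


def bundle_report(path):
    """Count certs in a bundle file and load it via ssl so a malformed file fails loudly."""
    with open(path) as fh:
        certs = count_pem_certs(fh.read())
    ctx = ssl.create_default_context()
    ctx.load_verify_locations(cafile=path)  # raises ssl.SSLError on a corrupt bundle
    return {"path": path, "pem_blocks": certs, "loaded_cas": len(ctx.get_ca_certs())}


def main():
    try:
        import certifi  # the add-on's vendored requests falls back to its own copy of this
        default = certifi.where()
    except ImportError:
        default = None
    path, source = resolve_requests_bundle(os.environ, default)
    print("requests would verify against: %s (from %s)" % (path, source))
    print("system bundle the OS tools use: %s" % SYSTEM_BUNDLE)
    for candidate in (path, SYSTEM_BUNDLE):
        if candidate and os.path.exists(candidate):
            print(bundle_report(candidate))


if __name__ == "__main__":
    main()
```

If the two paths differ, the certifi copy is the one to inspect for the missing issuer; pointing `REQUESTS_CA_BUNDLE` at the system bundle in the process environment that launches the input is one way to make both agree.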