All Apps and Add-ons

SSL Certificate Failures in Sophos Add-on for Splunk

Path Finder


I'm trying to get the Sophos Add-on for Splunk set up to begin ingesting logs from Sophos Central, but I'm running into some errors.

First, I saw the following message in Splunk:

msg="A script exited abnormally" input="/opt/splunk/etc/apps/SophosAddOnForSplunk/bin/" stanza="sophos_central_events://SophosCentralEvents" status="exited with code 1"

searching through the sourcetypes "sophos:central:events" and "sophos:central:alerts" showed events that only say errorCode=403

Searching through /opt/splunk/var/log/splunk/sophosaddonforsplunk_sophos_central_events.log revealed the following errors:
2019-01-18 16:42:55,383 INFO pid=642 tid=MainThread | Starting new HTTPS connection (1):
2019-01-18 16:42:56,544 INFO pid=642 tid=MainThread | Starting new HTTPS connection (1):
2019-01-18 16:42:58,597 INFO pid=642 tid=MainThread | Starting new HTTPS connection (1):
2019-01-18 16:43:00,622 INFO pid=642 tid=MainThread | Log level is not set, use default INFO
2019-01-18 16:43:00,623 INFO pid=642 tid=MainThread | Use HTTP connection pooling
2019-01-18 16:43:00,624 INFO pid=642 tid=MainThread | Starting new HTTPS connection (1):
2019-01-18 16:43:00,645 INFO pid=642 tid=MainThread | Proxy is not enabled!
2019-01-18 16:43:00,791 ERROR pid=642 tid=MainThread | Get error when collecting events.
Traceback (most recent call last):
File "/opt/splunk/etc/apps/SophosAddOnForSplunk/bin/sophosaddonforsplunk/modinput_wrapper/", line 127, in stream_events
File "/opt/splunk/etc/apps/SophosAddOnForSplunk/bin/", line 80, in collect_events
input_module.collect_events(self, ew)
File "/opt/splunk/etc/apps/SophosAddOnForSplunk/bin/", line 89, in collect_events
File "/opt/splunk/etc/apps/SophosAddOnForSplunk/bin/sophosaddonforsplunk/modinput_wrapper/", line 476, in send_http_request
proxy_uri=self._get_proxy_uri() if use_proxy else None)
File "/opt/splunk/etc/apps/SophosAddOnForSplunk/bin/sophosaddonforsplunk/splunk_aoblib/", line 43, in send_http_request
return self.http_session.request(method, url, **requests_args)
File "/opt/splunk/etc/apps/SophosAddOnForSplunk/bin/sophosaddonforsplunk/requests/", line 488, in request
resp = self.send(prep, **send_kwargs)
File "/opt/splunk/etc/apps/SophosAddOnForSplunk/bin/sophosaddonforsplunk/requests/", line 609, in send
r = adapter.send(request, **kwargs)
File "/opt/splunk/etc/apps/SophosAddOnForSplunk/bin/sophosaddonforsplunk/requests/", line 497, in send
raise SSLError(e, request=request)
SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:741)

However, looking at the CA certificates being looked at by the python scripts, which for me are located in /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem, everything looks normal. These are the same SSL certificates that have worked to connect to other cloud apps (such as our two-factor authentication) for logs.

Has anyone else run into this issue? Is there a fix? I haven't been able to find any, and there is no documentation on this add-on.

0 Karma
Get Updates on the Splunk Community!

Admin Your Splunk Cloud, Your Way

Join us to maximize different techniques to best tune Splunk Cloud. In this Tech Enablement, you will get ...

Cloud Platform | Discontinuing support for TLS version 1.0 and 1.1

Overview Transport Layer Security (TLS) is a security communications protocol that lets two computers, ...

Splunk Cloud Platform | New Customer Testimonials

Enterprises of all sizes and across different industries are accelerating cloud adoption by migrating ...