Hi,
We are trying to implement Sophos Central App for Splunk but it does not seem to estalbish a connection with Central API. After adding the credentials and restarting Splunk, there is no data being retrieved for the sourcetype = sophos:central:alert
. All dashboard panels are blank.
In the logs, we see the following:
05-10-2018 09:33:26.940 -0400 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/sophos_central/bin/sophos_events.py" No handlers could be found for logger "splunk.rest"
05-10-2018 09:33:26.940 -0400 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/sophos_central/bin/sophos_events.py" Traceback (most recent call last):
05-10-2018 09:33:26.940 -0400 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/sophos_central/bin/sophos_events.py" File "/opt/splunk/etc/apps/sophos_central/bin/sophos_events.py", line 91, in <module>
05-10-2018 09:33:26.940 -0400 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/sophos_central/bin/sophos_events.py" main()
05-10-2018 09:33:26.940 -0400 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/sophos_central/bin/sophos_events.py" File "/opt/splunk/etc/apps/sophos_central/bin/sophos_events.py", line 31, in main
05-10-2018 09:33:26.941 -0400 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/sophos_central/bin/sophos_events.py" endpoint, apiKey, auth = getCredentials(sessionKey)
05-10-2018 09:33:26.941 -0400 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/sophos_central/bin/sophos_events.py" File "/opt/splunk/etc/apps/sophos_central/bin/sophos_events.py", line 13, in getCredentials
05-10-2018 09:33:26.941 -0400 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/sophos_central/bin/sophos_events.py" raise Exception("Could not get %s credentials from splunk. Error: %s" % (myapp, str(e)))
05-10-2018 09:33:26.941 -0400 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/sophos_central/bin/sophos_events.py" Exception: Could not get sophos_central credentials from splunk. Error: Splunkd daemon is not responding: ('Error connecting to /servicesNS/nobody/sophos_central/admin/passwords: [Errno 111] Connection refused',)
05-10-2018 09:34:57.075 -0400 INFO ExecProcessor - New scheduled exec process: python /opt/splunk/etc/apps/sophos_central/bin/sophos_alerts.py
05-10-2018 09:34:57.075 -0400 INFO ExecProcessor - New scheduled exec process: python /opt/splunk/etc/apps/sophos_central/bin/sophos_events.py
05-10-2018 09:34:59.678 -0400 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/sophos_central/bin/sophos_alerts.py" Traceback (most recent call last):
05-10-2018 09:34:59.678 -0400 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/sophos_central/bin/sophos_alerts.py" File "/opt/splunk/etc/apps/sophos_central/bin/sophos_alerts.py", line 87, in <module>
05-10-2018 09:34:59.678 -0400 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/sophos_central/bin/sophos_alerts.py" main()
05-10-2018 09:34:59.678 -0400 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/sophos_central/bin/sophos_alerts.py" File "/opt/splunk/etc/apps/sophos_central/bin/sophos_alerts.py", line 31, in main
05-10-2018 09:34:59.678 -0400 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/sophos_central/bin/sophos_alerts.py" endpoint, apiKey, auth = getCredentials(sessionKey)
05-10-2018 09:34:59.678 -0400 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/sophos_central/bin/sophos_alerts.py" File "/opt/splunk/etc/apps/sophos_central/bin/sophos_alerts.py", line 17, in getCredentials
05-10-2018 09:34:59.678 -0400 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/sophos_central/bin/sophos_alerts.py" if "central.sophos.com" in c['realm']:
05-10-2018 09:34:59.678 -0400 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/sophos_central/bin/sophos_alerts.py" TypeError: argument of type 'NoneType' is not iterable
05-10-2018 09:34:59.896 -0400 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/sophos_central/bin/sophos_events.py" Traceback (most recent call last):
05-10-2018 09:34:59.896 -0400 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/sophos_central/bin/sophos_events.py" File "/opt/splunk/etc/apps/sophos_central/bin/sophos_events.py", line 91, in <module>
05-10-2018 09:34:59.896 -0400 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/sophos_central/bin/sophos_events.py" main()
05-10-2018 09:34:59.896 -0400 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/sophos_central/bin/sophos_events.py" File "/opt/splunk/etc/apps/sophos_central/bin/sophos_events.py", line 31, in main
05-10-2018 09:34:59.896 -0400 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/sophos_central/bin/sophos_events.py" endpoint, apiKey, auth = getCredentials(sessionKey)
05-10-2018 09:34:59.896 -0400 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/sophos_central/bin/sophos_events.py" File "/opt/splunk/etc/apps/sophos_central/bin/sophos_events.py", line 17, in getCredentials
05-10-2018 09:34:59.896 -0400 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/sophos_central/bin/sophos_events.py" if "central.sophos.com" in c['realm']:
05-10-2018 09:34:59.896 -0400 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/sophos_central/bin/sophos_events.py" TypeError: argument of type 'NoneType' is not iterable
Another answer mentioned some corruption issues and suggested to re-add the authorization string to the "password" section of password.conf. https://answers.splunk.com/answers/606523/sophos-central-app-for-splunk-execprocessor-error.html?utm...
Did that but still same error. Also, we do not see the credentials getting loaded under https://Splunk_Indexer:8089/service/storage/passwords
How can we troubleshoot this further? Any ideas? Not sure if the issue is with the App or the way Splunk is storing the password..
Many Thanks,
~ Abhi
Hi There, I am the original creator of this app.
I have just posed this notice as Sophos have released their own supported version of this App.
I am unable to easily support the old application as I no longer have access to a Sophos Central Subscription.
Thanks for your support, but your most reliable future path is probably with the new Sophos app as they will be able to better support you today and in the future.
If you have any questions, feel free to ask.
Happy Splunking
Nick
Hi There, I am the original creator of this app.
I have just posed this notice as Sophos have released their own supported version of this App.
I am unable to easily support the old application as I no longer have access to a Sophos Central Subscription.
Thanks for your support, but your most reliable future path is probably with the new Sophos app as they will be able to better support you today and in the future.
If you have any questions, feel free to ask.
Happy Splunking
Nick
Thanks Nick.
Thanks Nick!
Again xpost -
Here is the links for the new Splunk Add-On:
https://splunkbase.splunk.com/app/4096/
https://splunkbase.splunk.com/app/4097/
What version of the app are you using? Someone else reported that the py file contained typos:
https://answers.splunk.com/answers/546351/error-in-script-sophos-alertspy-for-sophos-central.html
I noticed that I was not getting my
alert logs. I found that in Line #2 of
bin/sophos_alerts.py there was a
missing "i" for import.Also had to remove the reverence to
'name' in the print line #87. FYI.
Hi davey1985,
Thanks for the info. We are using the latest app available, i.e. 1.0.5. Also, I double checked those typos mentioned in that answer and they are no longer present in this latest version. So I am assuming some other issue..
Thanks,
~ Abhi