Sophos Central app for Splunk: ExecProcessor error – TypeError: argument of type 'NoneType'

Path Finder

Hello Team,

We have integrated our Sophos Central SaaS account with Splunk using the Sophos Central app. For the API collection we created the token in the Sophos SaaS account and then followed the steps given in the app documentation. The integration was successful and we started seeing the logs in our Splunk environment. However, after a few days (maybe after 1 day itself) we stopped getting logs from Sophos (nothing was changed in the Sophos SaaS API token) and we saw the errors below:

ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/sophoscentral/bin/sophosevents.py" TypeError: argument of type 'NoneType' is not iterable
ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/sophoscentral/bin/sophosevents.py" if "central.sophos.com" in c['realm']
ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/sophoscentral/bin/sophosevents.py" File "/opt/splunk/etc/apps/sophoscentral/bin/sophosevents.py", line 17, in getCredentials
ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/sophoscentral/bin/sophosevents.py" endpoint, apiKey, auth = getCredentials(sessionKey)
ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/sophoscentral/bin/sophosevents.py" File "/opt/splunk/etc/apps/sophoscentral/bin/sophosevents.py", line 31, in main()

We then removed the integration, thinking something went wrong with the API collection, and integrated again. However, it again worked only for 2 days and now we have again started getting the same error messages as above.
Need someone to provide any feedback on this.

Regards,
Sushant Watghare


Re: Sophos Central app for Splunk: ExecProcessor error – TypeError: argument of type 'NoneType'

Ultra Champion

It sounds like something is removing your credentials from the storage endpoint.

The Sophos Central Script saves the credentials you supply in the Splunk credential management system, but if those credentials get removed (somehow) then you would see these errors.

What is your Splunk environment - are you running the Sophos app from your SearchHead? - Is your SH managed by a DS?

0 Karma

Re: Sophos Central app for Splunk: ExecProcessor error – TypeError: argument of type 'NoneType'

Path Finder

Our Splunk environment is running on AWS VMs in distributed mode. The Sophos collection is set up on the Heavy Forwarder by installing the same app, and we have installed the same app on the SearchHead for running dashboards. The SH is not managed by a DS, and neither is the HF.

The HF has the Sophos app for data collection, putting the data in an index called 'sophos', and the SH has the app for display of dashboards.

Regards,
SW

0 Karma

Re: Sophos Central app for Splunk: ExecProcessor error – TypeError: argument of type 'NoneType'

Path Finder

Our Splunk environment is on AWS VMs in distributed mode. We have a Heavy Forwarder which is configured with the Sophos app for data collection and puts the data into the custom index 'sophos'; we have the same app on our single SearchHead, where it is used for dashboard display.
Is this something causing the issue? I do not think so, as the HF has the local password file which we used for API collection; the SearchHead does not have any password file as it is used only to display the content. We have tweaked the dashboard searches so that they search the 'sophos' index.

0 Karma

Re: Sophos Central app for Splunk: ExecProcessor error – TypeError: argument of type 'NoneType'

Ultra Champion

No, that all sounds fine to me.

What do you get if you browse to https://yourforwarder:8089/services/storage/passwords
Do you have an entry for Sophos Central?

0 Karma

Re: Sophos Central app for Splunk: ExecProcessor error – TypeError: argument of type 'NoneType'

Path Finder

Strange, but I do not see the Sophos Central entry in this. Do we know why that is happening? It was working fine a few days back.
How do we resolve this? Should we re-integrate the Sophos integration on the HF, or should we have this only on the SH? We are more comfortable with data coming from the HF; however, we can do this integration directly on the SH as well.
What steps should we perform to keep this issue from recurring in future? Any clue?

0 Karma

Re: Sophos Central app for Splunk: ExecProcessor error – TypeError: argument of type 'NoneType'

Ultra Champion

Sadly, that is what I expected.
It seems something is removing the credentials stored in Splunk.
When you install the app and configure the application credentials it should create a passwords.conf file in the app/local folder - Is this still there?

I wonder if something is removing the password file, which is causing the issue.

From the sounds of it, there is nothing wrong with the way you have it configured.

0 Karma

Re: Sophos Central app for Splunk: ExecProcessor error – TypeError: argument of type 'NoneType'

Explorer

Got solution to this exact problem! Please see below,

** Quick summary:
Go to /opt/splunk/etc/apps/sophos_central/local/passwords.conf

update as per below:

[credential:https://api3.central.sophos.com/gateway:DONOTTOCHTHIS:]
password = DELETETHISPARTANDPASTEAUTHORIZATIONSTRINGAGAIN

Save and restart Splunk. As soon as that is done you will see messages coming.


** Long read,

I got similar error messages in my PoC. Tested with all-in-one Splunk 6.6.4 Windows and all-in-one Splunk 6.5.2 Linux. I was fiddling around with config files, trying to understand what is going on. Checked those two (but was not able to understand much 😉):
* PassAuth not working in Splunk 6.2 https://answers.splunk.com/answers/307416/passauth-not-working-in-splunk-62.html
* Scripted Input - Python SDK - passAuth Not Working https://answers.splunk.com/answers/203261/scripted-input-python-sdk-passauth-not-working.html

Later I observed that once the initial setup is completed, passwords.conf looks strange. The x-api-key looks the same (as the one I copy-pasted) but the password is not equal to the Authorisation script. The password starts with $ and seems to be converted to some other format. Decided to paste it one more time.

Initially I thought the plugin/perl does not like the API URL and was playing around with encoding; for example, I tried to pass https%3A%2F%2Fapi3.central.sophos.com/gateway to avoid confusion with slashes and colons.

@nickhillscpl - great work on creating plugin!!!

*** References:
Windows logs:
01-07-2018 18:10:29.467 +0000 ERROR ExecProcessor - message from "python "C:\Program Files\Splunk\etc\apps\sophoscentral\bin\sophosevents.py"" Traceback (most recent call last):
01-07-2018 18:10:29.467 +0000 ERROR ExecProcessor - message from "python "C:\Program Files\Splunk\etc\apps\sophoscentral\bin\sophosevents.py"" File "C:\Program Files\Splunk\etc\apps\sophoscentral\bin\sophosevents.py", line 91, in
01-07-2018 18:10:29.467 +0000 ERROR ExecProcessor - message from "python "C:\Program Files\Splunk\etc\apps\sophoscentral\bin\sophosevents.py"" main()
01-07-2018 18:10:29.467 +0000 ERROR ExecProcessor - message from "python "C:\Program Files\Splunk\etc\apps\sophoscentral\bin\sophosevents.py"" File "C:\Program Files\Splunk\etc\apps\sophoscentral\bin\sophosevents.py", line 31, in main
01-07-2018 18:10:29.467 +0000 ERROR ExecProcessor - message from "python "C:\Program Files\Splunk\etc\apps\sophoscentral\bin\sophosevents.py"" endpoint, apiKey, auth = getCredentials(sessionKey)
01-07-2018 18:10:29.467 +0000 ERROR ExecProcessor - message from "python "C:\Program Files\Splunk\etc\apps\sophoscentral\bin\sophosevents.py"" File "C:\Program Files\Splunk\etc\apps\sophoscentral\bin\sophosevents.py", line 17, in getCredentials
01-07-2018 18:10:29.467 +0000 ERROR ExecProcessor - message from "python "C:\Program Files\Splunk\etc\apps\sophoscentral\bin\sophosevents.py"" if "central.sophos.com" in c['realm']:
01-07-2018 18:10:29.467 +0000 ERROR ExecProcessor - message from "python "C:\Program Files\Splunk\etc\apps\sophoscentral\bin\sophosevents.py"" TypeError: argument of type 'NoneType' is not iterable


Re: Sophos Central app for Splunk: ExecProcessor error – TypeError: argument of type 'NoneType'

Splunk Employee

Any chance this app/conf file were copied from another Splunk installation?

0 Karma

Re: Sophos Central app for Splunk: ExecProcessor error – TypeError: argument of type 'NoneType'

Path Finder

Thank you @sergejreliance that totally resolved my issue. I wish Nick would also take this into consideration as it appears by default with the install of his TA.

0 Karma
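
The traceback quoted in the thread fails on `if "central.sophos.com" in c['realm']` because a stored credential entry has a realm of `None`. The following is an added example, not the app's own code and not part of any post above: a defensive version of that lookup that skips realm-less entries and fails with an actionable message when the Sophos entry is missing. The function names, the `CredentialError` class, the sample entries and the mapping of realm/username/password to endpoint/API key/auth are assumptions.

```python
# Added example (hypothetical names). Entries are plain dicts shaped like the
# realm / username / clear_password fields implied by the traceback's c['realm'].

class CredentialError(Exception):
    """Raised when no usable Sophos Central credential is stored."""

REALM_MARKER = "central.sophos.com"  # substring tested in the traceback

def original_check(entries):
    """The failing pattern from the traceback, kept for comparison."""
    for c in entries:
        if REALM_MARKER in c["realm"]:  # TypeError when realm is None
            return c["realm"]
    return None

def select_sophos_credential(entries):
    """Return (endpoint, api_key, auth) from the first matching entry.

    Assumption: realm holds the API endpoint, username the x-api-key and
    clear_password the authorization string, as the passwords.conf stanza
    in the thread suggests.
    """
    skipped = 0
    for c in entries:
        realm = c.get("realm")
        if not realm:  # None or empty: a credential saved without a realm
            skipped += 1
            continue
        if REALM_MARKER in realm:
            auth = c.get("clear_password")
            if not auth:
                raise CredentialError("entry %r has no readable password" % realm)
            return realm, c.get("username"), auth
    raise CredentialError(
        "no stored credential with a realm containing %r "
        "(%d realm-less entries skipped); re-enter the credentials"
        % (REALM_MARKER, skipped))

# Constructed sample data, not real keys.
SAMPLE_OK = [
    {"realm": None, "username": "svc_other", "clear_password": "x"},
    {"realm": "https://api3.central.sophos.com/gateway",
     "username": "EXAMPLE-API-KEY", "clear_password": "Basic EXAMPLE"},
]
SAMPLE_MISSING = [{"realm": None, "username": "svc_other", "clear_password": "x"}]

if __name__ == "__main__":
    print(select_sophos_credential(SAMPLE_OK))
```

With the Sophos entry absent, the hardened lookup raises `CredentialError` naming the missing realm instead of the `TypeError` that ExecProcessor logged.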