Sophos Central app for Splunk: ExecProcessor error – TypeError: argument of type 'NoneType'

Path Finder

Hello Team,

We have integrated our Sophos Central SaaS account with Splunk using the Sophos Central app. For the API collection we created the token in the Sophos SaaS account and then followed the steps given in the app documentation. The integration was successful and we started seeing the logs in our Splunk environment. However, after a few days (maybe after 1 day itself) we stopped getting logs from Sophos (nothing was changed in the Sophos SaaS API token) and we saw the errors below:

ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/sophoscentral/bin/sophosevents.py" TypeError: argument of type 'NoneType' is not iterable
ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/sophoscentral/bin/sophosevents.py" if "central.sophos.com" in c['realm']
ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/sophoscentral/bin/sophosevents.py" File "/opt/splunk/etc/apps/sophoscentral/bin/sophosevents.py", line 17, in getCredentials
ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/sophoscentral/bin/sophosevents.py" endpoint, apiKey, auth = getCredentials(sessionKey)
ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/sophoscentral/bin/sophosevents.py" File "/opt/splunk/etc/apps/sophoscentral/bin/sophosevents.py", line 31, in main()

We then removed the integration, thinking something had gone wrong with the API collection, and integrated again. However, it again worked only for 2 days and now we are again getting the same error messages as above.
I need someone to provide feedback on this.

Regards,
Sushant Watghare

Ultra Champion

Hi There, I am the original creator of this app.

I have just posted this notice as Sophos have released their own supported version of this app.

I am unable to easily support the old application as I no longer have access to a Sophos Central Subscription.
Thanks for your support, but your most reliable future path is probably with the new Sophos app as they will be able to better support you today and in the future.

If you have any questions, feel free to ask.
Happy Splunking

Nick

Engager

I don't think Splunk 7.x supports the "import splunk.entity as entity" in splunklib.

I just modified getCredentials to hardcode endpoint, apiKey and auth and returned them from that function. I commented out the rest and it started working. Not ideal, but there is an issue with the entities = entity.getEntities call.

Ideally you would rewrite that function to use splunklib.client and make a call to storage_passwords to populate those 3 fields but I didn't have time to figure that out yet.

endpoint, apiKey, auth = getCredentials(sessionKey)

Splunk Employee

I downvoted this post because it recommends hardcoding credentials, which is a big security risk and should never be advised.

Splunk Employee

Hi @sloftis2016, can you please provide the code changes you made to getCredentials? Thanks!

Explorer

Got a solution to this exact problem! Please see below.

** Quick summary:
Go to /opt/splunk/etc/apps/sophos_central/local/passwords.conf

Update it as per below:

[credential:https://api3.central.sophos.com/gateway:DONOTTOCHTHIS:]
password = DELETE
THISPARTANDPASTEAUTHORIZATIONSTRINGAGAIN

Save and restart Splunk. As soon as this is done you will see messages coming.

** Long read,

I got similar error messages in my PoC. Tested with all-in-one Splunk 6.6.4 on Windows and all-in-one Splunk 6.5.2 on Linux. I was fiddling around with config files, trying to understand what was going on. I checked these two (but was not able to understand much 😉):
* PassAuth not working in Splunk 6.2 https://answers.splunk.com/answers/307416/passauth-not-working-in-splunk-62.html
* Scripted Input - Python SDK - passAuth Not Working https://answers.splunk.com/answers/203261/scripted-input-python-sdk-passauth-not-working.html

Later I observed that once the initial setup completed, passwords.conf looked strange. x-api-key looked the same (as the one I copied and pasted) but the password was not equal to the Authorisation string. The password starts with $ and seems to have been converted to some other format. I decided to paste it one more time.

Initially I thought the plugin/Perl did not like the API URL and I was playing around with encoding, for example I tried to pass https%3A%2F%2Fapi3.central.sophos.com/gateway to avoid confusion with slashes and colons.

@nickhillscpl - great work on creating the plugin!!!

*** References:
Windows logs:
01-07-2018 18:10:29.467 +0000 ERROR ExecProcessor - message from "python "C:\Program Files\Splunk\etc\apps\sophoscentral\bin\sophosevents.py"" Traceback (most recent call last):
01-07-2018 18:10:29.467 +0000 ERROR ExecProcessor - message from "python "C:\Program Files\Splunk\etc\apps\sophoscentral\bin\sophosevents.py"" File "C:\Program Files\Splunk\etc\apps\sophoscentral\bin\sophosevents.py", line 91, in
01-07-2018 18:10:29.467 +0000 ERROR ExecProcessor - message from "python "C:\Program Files\Splunk\etc\apps\sophoscentral\bin\sophosevents.py"" main()
01-07-2018 18:10:29.467 +0000 ERROR ExecProcessor - message from "python "C:\Program Files\Splunk\etc\apps\sophoscentral\bin\sophosevents.py"" File "C:\Program Files\Splunk\etc\apps\sophoscentral\bin\sophosevents.py", line 31, in main
01-07-2018 18:10:29.467 +0000 ERROR ExecProcessor - message from "python "C:\Program Files\Splunk\etc\apps\sophoscentral\bin\sophosevents.py"" endpoint, apiKey, auth = getCredentials(sessionKey)
01-07-2018 18:10:29.467 +0000 ERROR ExecProcessor - message from "python "C:\Program Files\Splunk\etc\apps\sophoscentral\bin\sophosevents.py"" File "C:\Program Files\Splunk\etc\apps\sophoscentral\bin\sophosevents.py", line 17, in getCredentials
01-07-2018 18:10:29.467 +0000 ERROR ExecProcessor - message from "python "C:\Program Files\Splunk\etc\apps\sophoscentral\bin\sophosevents.py"" if "central.sophos.com" in c['realm']:
01-07-2018 18:10:29.467 +0000 ERROR ExecProcessor - message from "python "C:\Program Files\Splunk\etc\apps\sophoscentral\bin\sophosevents.py"" TypeError: argument of type 'NoneType' is not iterable
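The traceback above and the earlier suggestion to rewrite getCredentials() around storage/passwords both come down to the same two failure modes: an entry in Splunk's credential store whose realm is None (global credentials have no realm, and `"central.sophos.com" in None` is exactly the TypeError shown), and a Sophos entry that is missing or whose password in passwords.conf has already been rewritten into Splunk's encrypted form (the value starting with `$`). The following is an added example, not code from the app or from any poster, of a None-safe lookup that reports each of those cases with a clear message instead of crashing, plus a small parser for passwords.conf stanzas of the `[credential:<realm>:<username>:]` shape quoted in the fix. It runs offline over constructed entries in the shape the /services/storage/passwords endpoint returns (realm, username, clear_password); the mapping of realm to endpoint, username to x-api-key and password to the Authorization string is an assumption about the app, not something the thread states.

```python
"""Added example: None-safe Sophos Central credential lookup for a Splunk
scripted input, plus a passwords.conf stanza parser. Not the app's own code.

Assumed credential layout (not stated in the thread):
  realm     -> Sophos API gateway URL (the endpoint)
  username  -> x-api-key
  password  -> Authorization string
"""

SOPHOS_REALM_MARKER = "central.sophos.com"


class CredentialsMissing(Exception):
    """Raised when no usable Sophos Central credential can be found."""


def get_credentials(entries):
    """Return (endpoint, api_key, auth) for the Sophos Central credential.

    entries: iterable of dicts with 'realm', 'username', 'clear_password',
    the shape returned by /services/storage/passwords. Global credentials
    carry realm=None; the original script did `"central.sophos.com" in
    c['realm']` and died on those, so the realm is normalised to '' first.
    """
    for c in entries:
        realm = c.get("realm") or ""        # None -> '' avoids the TypeError
        if SOPHOS_REALM_MARKER not in realm:
            continue
        if not c.get("clear_password"):
            raise CredentialsMissing(
                "Sophos credential for realm %r has no usable password: "
                "passwords.conf stores it encrypted (value starts with '$'); "
                "read it via /services/storage/passwords or re-enter it" % realm
            )
        return realm, c.get("username"), c["clear_password"]
    raise CredentialsMissing(
        "no credential with realm containing %r in storage/passwords; "
        "check <app>/local/passwords.conf and re-enter the Authorization string"
        % SOPHOS_REALM_MARKER
    )


def parse_passwords_conf(text):
    """Parse passwords.conf text into entries usable by get_credentials().

    Stanza headers look like [credential:<realm>:<username>:]. The realm is a
    URL and contains ':' itself, so the username is split off from the right.
    A password value starting with '$' is one Splunk has already encrypted and
    is recorded as encrypted=True with clear_password=None.
    """
    entries = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = None
            name = line[1:-1]
            if name.startswith("credential:") and name.endswith(":"):
                body = name[len("credential:"):-1]
                realm, _, username = body.rpartition(":")
                current = {"realm": realm or None, "username": username,
                           "clear_password": None, "encrypted": False}
                entries.append(current)
            continue
        if current is not None and "=" in line:
            key, _, value = line.partition("=")
            if key.strip() == "password":
                value = value.strip()
                if value.startswith("$"):
                    current["encrypted"] = True
                else:
                    current["clear_password"] = value
    return entries


# Constructed sample file: one Sophos stanza already encrypted by Splunk and
# one global (realm-less) credential. Values are placeholders, not real keys.
SAMPLE_CONF = """\
[credential:https://api3.central.sophos.com/gateway:EXAMPLE-X-API-KEY:]
password = $EXAMPLE-ENCRYPTED-BY-SPLUNK

[credential::admin:]
password = notsecret
"""


if __name__ == "__main__":
    for e in parse_passwords_conf(SAMPLE_CONF):
        print("realm=%r user=%r encrypted=%s" % (e["realm"], e["username"], e["encrypted"]))
    try:
        print(get_credentials(parse_passwords_conf(SAMPLE_CONF)))
    except CredentialsMissing as exc:
        print("lookup failed:", exc)
```

Running the script on the sample shows the behaviour the thread describes: the global `admin` entry is skipped cleanly instead of raising, and the Sophos stanza is found but rejected with a message pointing at the encrypted value, which is the state sergejreliance found in local/passwords.conf. In a real scripted input the entries would come from splunklib's storage_passwords collection rather than from the file, which is also where a clear-text password is available to an authenticated script.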

Path Finder

Thank you @sergejreliance that totally resolved my issue. I wish Nick would also take this into consideration as it appears by default with the install of his TA.

Path Finder

It appears this did not work and I have a case open with Sophos now. I did see the same manipulation and therefore assumed that this was the root cause; however, upon restart of Splunk there were still no events in the Sophos index. Does anyone know if there is something specific that needs to be added to inputs.conf in addition to the settings in the app (because I do not see this in Settings > Data inputs)?

I have Splunk 6.6.6

Engager

Hi Brian,
I ended up using the scripts Sophos has at https://github.com/sophos/Sophos-Central-SIEM-Integration
I created 2 cron schedules to run the 2 Python scripts to generate the files and monitored each one of the files in inputs.conf. A workaround till the TA is fixed.

Splunk Employee

Any chance this app/conf file was copied from another Splunk installation?

Ultra Champion

It sounds like something is removing your credentials from the storage endpoint.

The Sophos Central Script saves the credentials you supply in the Splunk credential management system, but if those credentials get removed (somehow) then you would see these errors.

What is your Splunk environment? Are you running the Sophos app from your search head? Is your SH managed by a DS?

Path Finder

Our Splunk environment is on AWS VMs in distributed mode. We have a Heavy Forwarder which is configured with the Sophos app for data collection, putting it into a custom index 'sophos', and we have the same app on our single search head where it is used for dashboard display.
Is this something causing the issue? I do not think so, as the HF has the local password file which we used for API collection; the search head does not have any password file as it is used only to display the content - we have tweaked the dashboard searches so that they search the 'sophos' index.

Ultra Champion

No, that all sounds fine to me.

What do you get if you browse to https://yourforwarder:8089/services/storage/passwords ?
Do you have an entry for Sophos Central?

Path Finder

Strange, but I do not see the Sophos Central entry in this. Do we know why that is happening? It was working all fine a few days back.
How do we resolve this? Should we re-integrate the Sophos integration on the HF again, or should we have this only on the SH? We are more comfortable with data coming from the HF, however we can do this integration directly on the SH as well.
What steps should we perform to avoid this issue recurring in future? Any clue?

Ultra Champion

Sadly, that is what I expected.
It seems something is removing the credentials stored in Splunk.
When you install the app and configure the application credentials it should create a passwords.conf file in the app/local folder. Is this still there?

I wonder if something is removing the password file, which is causing the issue.

From the sounds of it, there is nothing wrong with the way you have it configured.

Path Finder

Our Splunk environment is running on AWS VMs in distributed mode. The Sophos collection is set up on the Heavy Forwarder by installing the same app, and we have installed the same app on the search head for running dashboards. Neither the SH nor the HF is managed by a DS.

The HF has the Sophos app for data collection, putting data into an index called 'sophos', and the SH has the app for display of dashboards.

Regards,
SW