
Splice Error: ExecProcessor - message from "python /opt/splunk/etc/apps/SA-Splice/bin/taxii.py" ERRORlocal

christopherdick
Engager

I have installed Splice and MongoDB on a local search head. I can see Splice connecting to the mongod instance, however it closes the connection almost immediately. The only information I am receiving in Splunk is:

ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/SA-Splice/bin/taxii.py" ERRORlocal

And the logs from Mongo show the following for a connection attempt (mongod -vv):

2015-03-24T12:58:25.088-0400 I NETWORK  [initandlisten] connection accepted from 127.0.0.1:41920 #1 (1 connection now open)
2015-03-24T12:58:25.089-0400 D COMMAND  [conn1] run command admin.$cmd { ismaster: 1 }
2015-03-24T12:58:25.089-0400 I COMMAND  [conn1] command admin.$cmd command: isMaster { ismaster: 1 } keyUpdates:0 writeConflicts:0 numYields:0 reslen:178 locks:{} 0ms
2015-03-24T12:58:25.108-0400 D NETWORK  [conn1] SocketException: remote: 127.0.0.1:41920 error: 9001 socket exception [CLOSED] server [127.0.0.1:41920]
2015-03-24T12:58:25.108-0400 I NETWORK  [conn1] end connection 127.0.0.1:41920 (0 connections now open)

I have verified the search head is able to connect outbound to the internet for updates, as well. Is there any guidance or suggestions on how to address this issue?

0 Karma

cleroux_splunk
Splunk Employee

The problem is in a third party library that Splice uses (tzlocal). The problem is related to CentOS 7, which had removed one particular file the library was relying on. My testing indicates that Mongo 2.4, 2.6 and 3.0 are working correctly with Splice.

Workaround:
Create a file /etc/sysconfig/clock which contains the appropriate timezone like "Europe/Paris"

# cat /etc/sysconfig/clock
ZONE="Europe/Paris"
#

The bug is known by the library developers: https://github.com/regebro/tzlocal/issues/19
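As an added check (not code from the thread, Splice or tzlocal), the script below reproduces the lookup that the workaround satisfies: it parses a /etc/sysconfig/clock style file for the ZONE value and, when that file is absent, falls back to resolving the /etc/localtime symlink. Function names and the sample file contents are assumptions for illustration; run `check_tzlocal_prereq()` on the search head to see whether the host exposes a timezone the way the library expects.

```python
import os
import re

# Constructed sample of the file the workaround creates (not taken from a real host).
SAMPLE_CLOCK_FILE = 'ZONE="Europe/Paris"\nUTC=true\n'

# Accepts ZONE=Area/City with optional single or double quotes around the value.
_ZONE_RE = re.compile(r'^\s*ZONE\s*=\s*["\']?([A-Za-z0-9_+\-/]+)["\']?\s*$')


def parse_sysconfig_clock(text):
    """Return the ZONE value from /etc/sysconfig/clock style text, or None."""
    for line in text.splitlines():
        line = line.split("#", 1)[0]          # drop comments
        m = _ZONE_RE.match(line)
        if m:
            return m.group(1)
    return None


def zone_from_sysconfig_clock(path="/etc/sysconfig/clock"):
    """Read the file the workaround creates; None if it is missing (the CentOS 7 case)."""
    try:
        with open(path, encoding="utf-8") as fh:
            return parse_sysconfig_clock(fh.read())
    except OSError:
        return None


def zone_from_localtime(path="/etc/localtime", zoneinfo="/usr/share/zoneinfo"):
    """Fallback: map the /etc/localtime symlink to a zoneinfo name, or None."""
    if not os.path.islink(path):
        return None
    target = os.path.realpath(path)
    root = os.path.realpath(zoneinfo) + os.sep
    return target[len(root):] if target.startswith(root) else None


def check_tzlocal_prereq(clock_path="/etc/sysconfig/clock"):
    """Return (ok, message): can a tzlocal-style lookup find the local zone on this host?"""
    zone = zone_from_sysconfig_clock(clock_path) or zone_from_localtime()
    if zone is None:
        return False, 'no timezone found; create %s with ZONE="Area/City"' % clock_path
    return True, "local timezone resolves to %s" % zone


if __name__ == "__main__":
    print(check_tzlocal_prereq())
```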

borgy95
Path Finder

This solved the issue for me

0 Karma

cleroux_splunk
Splunk Employee

It might be linked to an improper IOC definition. You can try to add a local directory monitor (Data Inputs > IOC - Mount Point) and add an IOC in there. If there are no issues with the mongo configuration, the IOC should be added to the mongo (so the issue is related to what's carried over the taxii feed). If you do have an IOC file that makes SPLICE fail, please send it to me via email.

christopherdick
Engager

Just tested on MongoDB 2.6.9 with a local mount - worked just fine (full defaults with Splice config). Used Flame malware OpenIOC (http://alienvault-labs-garage.googlecode.com/files/af2e8c80-13db-4a57-99ac-460ccd192333.ioc) and Zeus OpenIOC (http://openioc.org/iocs/6d2a1b03-b216-4cd8-9a9e-8827af6ebf93.ioc) to test.

Appears this might be a config problem related to hailataxii.com data sources. Will look at the configurations for those data sources again.

EDIT: Well, egg on my face. Splunk search head is making no DNS queries or outbound connections to hailataxii.com. Will run this down on the system side with the host admin.

0 Karma

klaxdal
Contributor

still no joy - will try my Avalanche feed

0 Karma

cleroux_splunk
Splunk Employee

I've done my testing with Mongo 2.4 on a CentOS 6.x system, but it doesn't mean that other versions are not compatible; they simply are not tested.

0 Karma

klaxdal
Contributor

Thanks for the response - what version of MongoDB is compatible?

0 Karma

cleroux_splunk
Splunk Employee

Have you tried to use one of the provided feeds from hailataxii.com? Or what feed do you use?
Have you checked the rights on the Mongo side if you restricted it (i.e. can the provided user create a database or collections)?

0 Karma

christopherdick
Engager

We are using the default hailataxii feeds at this time.

The user we are using to connect to the database is an admin user in the "splice" database. I've logged in and verified the ability to use the database and create collections with the user.

We are using Mongo 3.0.1 right now, but I can't find any documentation saying if that is supported by Splice. We may attempt a downgrade to 2.6 - I know the default authentication method has changed from MONGODB-CR to SCRAM-SHA-1 and I don't think the version of pymongo that ships with Splice supports SCRAM-SHA-1. For what it's worth, I have tried forcing MONGODB-CR in the connection URL, but it has no effect.

0 Karma

klaxdal
Contributor

I am having the same issue - did you resolve it?

0 Karma