All Apps and Add-ons

Splice Error: ExecProcessor - message from "python /opt/splunk/etc/apps/SA-Splice/bin/taxii.py" ERRORlocal

I have installed Splice and MongoDB on a local search head. I can see Splice connecting to the mongod instance, however it closes the connection almost immediately. The only information I am receiving in Splunk is:

ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/SA-Splice/bin/taxii.py" ERRORlocal

And the logs from Mongo show the following for a connection attempt (mongod -vv):

2015-03-24T12:58:25.088-0400 I NETWORK  [initandlisten] connection accepted from 127.0.0.1:41920 #1 (1 connection now open)
2015-03-24T12:58:25.089-0400 D COMMAND  [conn1] run command admin.$cmd { ismaster: 1 }
2015-03-24T12:58:25.089-0400 I COMMAND  [conn1] command admin.$cmd command: isMaster { ismaster: 1 } keyUpdates:0 writeConflicts:0 numYields:0 reslen:178 locks:{} 0ms
2015-03-24T12:58:25.108-0400 D NETWORK  [conn1] SocketException: remote: 127.0.0.1:41920 error: 9001 socket exception [CLOSED] server [127.0.0.1:41920]
2015-03-24T12:58:25.108-0400 I NETWORK  [conn1] end connection 127.0.0.1:41920 (0 connections now open)

I have verified the search head is able to connect outbound to the internet for updates, as well. Is there any guidance or suggestions on how to address this issue?

0 Karma

Splunk Employee
Splunk Employee

The problem is in a third party library that Splice uses (pzlocal). The problem is related to CentOS 7 which had removed one particular file the library was relying on. My testing indicates that Mongo 2.4, 2.6 and 3.0 are working correctly with Splice.

Workaround:
Create a file /etc/sysconfig/clock which contains the appropriate timezone like "Europe/Paris"

# cat /etc/sysconfig/clock
ZONE="Europe/Paris"
#

The bug is known by the library developers: https://github.com/regebro/tzlocal/issues/19

Path Finder

This solved the issue for me

0 Karma

Splunk Employee
Splunk Employee

It might be linked to an improper IOC definition. You can try to add a local directory monitor (Data Inputs > IOC - Mount Point) and add an IOC in there. If there is no issues with the mongo configuration the IOC should be added to the mongo (so the issue is related to what's carried over the taxii feed). If you do have an IOC file that make SPLICE fails, please send it to me via email.

Just tested on MongoDB 2.6.9 with a local mount - worked just fine (full defaults with Splice config). Used Flame malware OpenIOC (http://alienvault-labs-garage.googlecode.com/files/af2e8c80-13db-4a57-99ac-460ccd192333.ioc) and Zeus OpenIOC (http://openioc.org/iocs/6d2a1b03-b216-4cd8-9a9e-8827af6ebf93.ioc) to test.

Appears this might be a config problem related to hailataxii.com data sources. Will look at the configurations for those data sources again.

EDIT: Well, egg on my face. Splunk search head is making no DNS queries or outbound connections to hailataxii.com. Will run this down on the system side with the host admin.

0 Karma

Contributor

still no joy - will try my Avalanche feed

0 Karma

Splunk Employee
Splunk Employee

I've done my testing with Mongo 2.4 on a CentOS 6.x system but it doesn't means that other versions are not compatible, they simply are not tested.

0 Karma

Contributor

Thanks for the response - what version of MongoDB is compatible ?

0 Karma

Splunk Employee
Splunk Employee

Have you tried to use one of the provided feeds from hailataxii.com? Or what feed do you use?
Have you checked the rights on the Mongo side if you restricted it (ie: does the provided user can create a database or a collections)?

0 Karma

We are using the default haliataxii feeds at this time.

The user we are using to connect to the database is an admin user in the "splice" database. I've logged in and verified the ability to use the database and create collections with the user.

We are using Mongo 3.0.1 right now, but I can't find any documentation saying if that is supported by Splice. We may attempt a downgrade to 2.6 - I know the default authentication method has changed from MONGODB-CR to SCRAM-SHA-1 and I don't think the version of pymongo that ships with Splice supports SCRAM-SHA-1. For what it's worth, I have tried forcing MONGODB-CR in the connection URL, but it has no effect.

0 Karma

Contributor

I am having the same issue - did you resolve it ?

0 Karma