
Splunk Netwitness Query App not working

Engager

I have installed the NetWitness Query app, configured the credentials, tested the REST API call using curl, and am still receiving the errors below when enabling the app on my search head. Any thoughts or inputs on this issue?

ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/netwitness_query/bin/nwsdk_query.py" 2017-Feb-28 18:58:25 - ERROR: Couldn't read authentication details PassAuth or from nwsdk_query.conf.
ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/netwitness_query/bin/nwsdk_query.py" No handlers could be found for logger "splunk.rest.format"

Here is what I get when running the python script in the CLI.

python nwsdk_query.py
Traceback (most recent call last):
  File "nwsdk_query.py", line 308, in <module>
    from splunk.clilib.cli_common import getMergedConf
ImportError: No module named splunk.clilib.cli_common


Path Finder

Hi All,

It turns out this is related to the use of single sign-on and PassAuth. If you are using single sign-on, for now the only option is to configure your NetWitness credentials in the configuration file.

I do see the irony in it but unfortunately I'm not sure if/how I will be able to address it. Maybe someone from Splunk can pitch in here with what would be the solution in these cases.

Thank you,

Rui


Engager

Thanks again for your assistance with troubleshooting this!


Path Finder

Hi,

That is now a different issue; it seems the URL for the REST API that the script should connect to is missing from the configuration file. The library error is no longer an issue.

The TOPLEVELURL should look something like http(s)://IPOFBrokerorConcentrator:Port/

Hope this helps!

Thank you,

Rui


Engager

Hm, I am a bit confused as I have input the toplevelurl in /local/nwsdk_query.conf. I am able to curl the URL with no issues.

[rest]
# URL for RSA Security Analytics Concentrator/Broker REST interface, including username and password
# On older versions the REST API is not enabled by default; please see the RSA Security Analytics support portal for instructions on how to enable it
toplevelurl=http://10.0.0.0:50103/
username=admin
password=netwitness
# File containing the last sessionid processed, to avoid generating duplicates
lastmidfile=/opt/splunk/etc/apps/netwitness_query/local/lastmid.query
# Query to execute
# Currently no checks are performed for correct query syntax
# Make sure the select part is either 'select *' or at least includes the time and sessionid meta keys
query=select time,sessionid,ip.src,ip.dst,service,alias.host,tcp.dstport,udp.dstport where service=80
query=select * where alert exists
query=select time,sessionid,ip.src,ip.dst,service,alias.host,tcp.dstport,udp.dstport where risk.info='http direct to ip request'
# -- Advanced Configuration Settings --
# Maximum number of meta to pull
max_meta=2500
# Sleep time in seconds between main loop queries (defaults to 5 seconds if not defined)
sleep=5
# Include "No data to process" messages in STDERR - Customer Feature - Default is True
verbose=True


Path Finder

I'm wondering if there's a permissions issue or a problem with the filename... that is causing the access to it to fail. But it's even stranger as it should at least read the one in the default directory...

The library being used is Splunk's default library to process configuration files that would merge default and local files with the same name.

My email is in the code; if you prefer to reach out to me directly with file details, directory listings or other more sensitive information, please feel free to use it.

Thank you,

Rui

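To make the default/local merge Rui describes concrete, here is an added Python example. It is not the NetWitness Query app's own code and not Splunk's getMergedConf, which it only imitates: it layers a constructed default nwsdk_query.conf and a local override the way Splunk layers default/ and local/ (local keys win, keys present only in default are kept), then applies the two checks whose failure messages appear earlier in this thread, and adds a probe for whether the running interpreter is Splunk's Python (the one that can import splunk.clilib.cli_common, the point Rui raises in his later reply further down). The file contents, function names and the password placeholder are all constructed for this example.

```python
import configparser
import importlib.util
import os

# Constructed sample files for this example: the app's shipped default conf
# and a local override, layered the way Splunk layers default/ and local/.
DEFAULT_CONF = """\
[rest]
# URL for the Concentrator/Broker REST interface (empty until configured)
toplevelurl=
username=
password=
lastmidfile=/opt/splunk/etc/apps/netwitness_query/local/lastmid.query
query=select * where alert exists
max_meta=2500
sleep=5
verbose=True
"""

LOCAL_CONF = """\
[rest]
toplevelurl=http://10.0.0.0:50103/
username=admin
password=PLACEHOLDER-PASSWORD
"""


def parse_conf(text):
    """Parse one .conf text into {stanza: {key: value}}.

    Keys keep their case and only '=' separates key from value, so URLs
    containing ':' survive intact; duplicate keys are tolerated (last wins).
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    return {stanza: dict(cp.items(stanza)) for stanza in cp.sections()}


def merge_conf(default_text, local_text):
    """Layer local over default: a key set in local overrides the same key
    in default, stanza by stanza; keys only present in default are kept."""
    merged = {}
    for text in (default_text, local_text):
        for stanza, keys in parse_conf(text).items():
            merged.setdefault(stanza, {}).update(keys)
    return merged


def load_app_conf(app_dir, name="nwsdk_query.conf"):
    """Read default/<name> and local/<name> under an app directory (either
    file may be missing) and return the merged result."""
    texts = []
    for sub in ("default", "local"):
        path = os.path.join(app_dir, sub, name)
        if os.path.exists(path):
            with open(path, encoding="utf-8") as fh:
                texts.append(fh.read())
        else:
            texts.append("")
    return merge_conf(*texts)


def check_conf(merged):
    """Return the error messages the script would log for this configuration,
    using the same wording seen in the thread (constructed mapping)."""
    rest = merged.get("rest", {})
    errors = []
    if not rest.get("toplevelurl"):
        errors.append("Couldn't read TOPLEVELURL from nwsdk_query.conf.")
    if not (rest.get("username") and rest.get("password")):
        errors.append("Couldn't read authentication details PassAuth "
                      "or from nwsdk_query.conf.")
    return errors


def splunk_python_available():
    """True when this interpreter can import Splunk's clilib, i.e. it is the
    Python shipped with Splunk (started via 'splunk cmd python') rather
    than the system Python."""
    try:
        return importlib.util.find_spec("splunk.clilib.cli_common") is not None
    except ImportError:
        return False


if __name__ == "__main__":
    print("Splunk Python:", splunk_python_available())
    print("default only :", check_conf(merge_conf(DEFAULT_CONF, "")))
    print("with local   :", check_conf(merge_conf(DEFAULT_CONF, LOCAL_CONF)))
```

Running it against a real app directory with load_app_conf("/opt/splunk/etc/apps/netwitness_query") shows at a glance whether the merged [rest] stanza actually carries toplevelurl, username and password after the local override, which is the state the script is complaining about. Note that with this parser a file holding several query= lines keeps only the last one; whether the app treats repeated keys the same way is not something this thread states.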

Engager

Hi Rui,

I ran the script and received the below error. I also tried while hardcoding the credentials in the script with no luck.

./splunk cmd python /opt/splunk/etc/apps/netwitness_query/bin/nwsdk_query.py
2017-Mar-02 01:19:01 - ERROR: Couldn't read TOPLEVELURL from nwsdk_query.conf.


Path Finder

Are you running it with ./splunk cmd python script_path? Sorry, markup messed up my first reply.

That library is exclusive to Splunk's python distribution. Could it be that the script is running with the system python distribution instead of Splunk's too?

Alternatively, just try with the credentials in the script; that should always work, although that library is still required to read the configuration file.

Hope this helps!

Regards,

Rui
