Stopped receiving logs from Okta. Using "Okta Identity Cloud Add-on for Splunk".

ethicalmk
New Member

Tried opening the "Okta Identity Cloud Add-on for Splunk" from UI to check the configuration and settings, but it keeps showing that it's loading, but it doesn't actually load. I checked the "ta_okta_identity_cloud_for_splunk_okta_identity_cloud.log" file from CLI and here is what it returned.

>>>>>tail -f ta_okta_identity_cloud_for_splunk_okta_identity_cloud.log<<<<<

File "/opt/splunk/etc/apps/TA-Okta_Identity_Cloud_for_Splunk/bin/ta_okta_identity_cloud_for_splunk/solnlib/packages/requests/api.py", line 53, in request
return session.request(method=method, url=url, **kwargs)
File "/opt/splunk/etc/apps/TA-Okta_Identity_Cloud_for_Splunk/bin/ta_okta_identity_cloud_for_splunk/solnlib/packages/requests/sessions.py", line 468, in request
resp = self.send(prep, **send_kwargs)
File "/opt/splunk/etc/apps/TA-Okta_Identity_Cloud_for_Splunk/bin/ta_okta_identity_cloud_for_splunk/solnlib/packages/requests/sessions.py", line 576, in send
r = adapter.send(request, **kwargs)
File "/opt/splunk/etc/apps/TA-Okta_Identity_Cloud_for_Splunk/bin/ta_okta_identity_cloud_for_splunk/solnlib/packages/requests/adapters.py", line 447, in send
raise SSLError(e, request=request)
SSLError: [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:741)

2021-09-09 11:55:38,725 INFO pid=25100 tid=MainThread file=connectionpool.py:_new_conn:758 | Starting new HTTPS connection (1): 127.0.0.1

2021-09-09 11:55:38,733 ERROR pid=25100 tid=MainThread file=splunk_rest_client.py:request:144 | Failed to issue http request=GET to url=https://127.0.0.1:8089/servicesNS/nobody/TA-Okta_Identity_Cloud_for_Splunk/TA_Okta_Identity_Cloud_fo..., error=Traceback (most recent call last):
File "/opt/splunk/etc/apps/TA-Okta_Identity_Cloud_for_Splunk/bin/ta_okta_identity_cloud_for_splunk/solnlib/splunk_rest_client.py", line 140, in request
verify=verify, proxies=proxies, cert=cert, **kwargs)
File "/opt/splunk/etc/apps/TA-Okta_Identity_Cloud_for_Splunk/bin/ta_okta_identity_cloud_for_splunk/solnlib/packages/requests/api.py", line 53, in request
return session.request(method=method, url=url, **kwargs)
File "/opt/splunk/etc/apps/TA-Okta_Identity_Cloud_for_Splunk/bin/ta_okta_identity_cloud_for_splunk/solnlib/packages/requests/sessions.py", line 468, in request
resp = self.send(prep, **send_kwargs)
File "/opt/splunk/etc/apps/TA-Okta_Identity_Cloud_for_Splunk/bin/ta_okta_identity_cloud_for_splunk/solnlib/packages/requests/sessions.py", line 576, in send
r = adapter.send(request, **kwargs)
File "/opt/splunk/etc/apps/TA-Okta_Identity_Cloud_for_Splunk/bin/ta_okta_identity_cloud_for_splunk/solnlib/packages/requests/adapters.py", line 447, in send
raise SSLError(e, request=request)
SSLError: [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:741)

0 Karma
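
An added example, not part of the original thread or the add-on's own code: a small Python parser for the add-on log format shown in the question, which pairs each "Failed to issue http request" record with the final exception of its traceback and flags whether the target was a loopback address. The sample log is constructed (abridged from the excerpt above), and the function names are hypothetical.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample, abridged from the log excerpt in the question.
SAMPLE_LOG = """\
2021-09-09 11:55:38,725 INFO pid=25100 tid=MainThread file=connectionpool.py:_new_conn:758 | Starting new HTTPS connection (1): 127.0.0.1
2021-09-09 11:55:38,733 ERROR pid=25100 tid=MainThread file=splunk_rest_client.py:request:144 | Failed to issue http request=GET to url=https://127.0.0.1:8089/servicesNS/nobody/TA-Okta_Identity_Cloud_for_Splunk/TA_Okta_Identity_Cloud_fo..., error=Traceback (most recent call last):
raise SSLError(e, request=request)
SSLError: [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:741)
"""

STAMP = r"\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d+"
FAILED = re.compile(rf"^({STAMP}) ERROR .*\| Failed to issue http request=(\w+) to url=(\S+?), error=")
FINAL = re.compile(r"^(\w+(?:Error|Exception)): (?:\[SSL: (\w+)\] )?(.*)$")


def is_loopback(host):
    """True when the request target is a loopback address (same machine)."""
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return host == "localhost"


def failed_requests(log_text):
    """Pair each 'Failed to issue http request' record with its final exception."""
    results, current = [], None
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if m:
            url = urlsplit(m.group(3))  # URL may be truncated with "..." in the log
            current = {"time": m.group(1), "method": m.group(2),
                       "host": url.hostname, "port": url.port,
                       "local": is_loopback(url.hostname or ""),
                       "error": None, "ssl_reason": None}
            results.append(current)
        elif current and re.match(STAMP, line):
            current = None  # next log record began; the traceback is over
        elif current and (e := FINAL.match(line)):
            current["error"], current["ssl_reason"] = e.group(1), e.group(2)
            current = None
    return results


if __name__ == "__main__":
    for r in failed_requests(SAMPLE_LOG):
        where = "loopback" if r["local"] else "remote host"
        print(f'{r["time"]} {r["method"]} {r["host"]}:{r["port"]} ({where}) -> {r["error"]} {r["ssl_reason"]}')
```

On the sample, the failed request is a GET to the Splunk REST endpoint at 127.0.0.1:8089, so the TLS handshake failure recorded in that entry is on a loopback connection.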

Roy_9
Motivator

Hello @ethicalmk 

You could possibly try two things:

Please check the firewall rules open between the Okta server and Splunk.

Also check that the service account which you are creating in the add-on has the necessary privileges to access Okta logs.

Hope this info helps

0 Karma

tro
Path Finder

Hey,

Is it possible that you are running this add-on on a server with an old OS or Splunk software?

Try updating your OS and/or Splunk to solve this problem.

0 Karma