
TA-SymantecWebSecurityService not working properly scwss-poll

nikatsam
Explorer

WSS input is unresponsive.

A) getting socket errors when connecting to localhost scwss-poll

B) submitting input XML form with input name/credentials to API - not working - throwing error from splunkd as unresponsive.


 

 

0 Karma
1 Solution

nikatsam
Explorer

In the 2.0.0 version of the TA there is a README folder that explains the inputs.conf stanza.
Also keep in mind you need to hardcode the index in inputs.conf.


In the README folder, inputs.conf.spec shows all parameters that can be configured in inputs.conf:

[scwss-poll://<name>]

apiusername = <value>
*Cloud-driven Web Security Service API Username

apikey = <value>
*Cloud-driven Web Security Service API Key

start_time = <value>
*Data-collection start-time

* HTTPS proxy server address
https_proxy = <value>

* HTTPS proxy server port
https_proxy_port = <value>

* HTTPS proxy server username
https_proxy_username = <value>

* HTTPS proxy server password
https_proxy_password = <value>

python.version = <value>


The default or local inputs.conf contains:
***** Please note the index needs to be hardcoded in inputs.conf as index="wss" or logs end up in main *****

[scwss-poll]
interval = 3600
sourcetype = symantec:websecurityservice:scwss-poll
python.version = python3

[batch://$SPLUNK_HOME/var/spool/splunk/...stash_ta_scwss_logs.zip]
index=wss

sourcetype = symantec:websecurityservice:scwss-poll
move_policy = sinkhole

[batch://$SPLUNK_HOME\var\spool\splunk\...stash_ta_scwss_logs.zip]
sourcetype = symantec:websecurityservice:scwss-poll
move_policy = sinkhole



So what would a complete stanza look like?
I.e. hardcoded in /TA-SymantecWebSecurityService/default/inputs.conf:

[scwss-poll://<name>]

interval = 3600
sourcetype = symantec:websecurityservice:scwss-poll
python.version = python3

apiusername = <value>
*Cloud-driven Web Security Service API Username

apikey = <value>
*Cloud-driven Web Security Service API Key

start_time = <value>
*Data-collection start-time

* HTTPS proxy server address
https_proxy = <value>

* HTTPS proxy server port
https_proxy_port = <value>

* HTTPS proxy server username
https_proxy_username = <value>

* HTTPS proxy server password
https_proxy_password = <value>

[batch://$SPLUNK_HOME/var/spool/splunk/...stash_ta_scwss_logs.zip]
index=wss

sourcetype = symantec:websecurityservice:scwss-poll
move_policy = sinkhole


0 Karma
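A check for the pitfalls in the answer above, as an added example that is not part of the original post or of the TA: it flags a stash batch stanza with no index, inputs.conf.spec description lines (starting with `*`) pasted into a .conf file where only `#` starts a comment, and settings still holding the `<value>` placeholder. The input name `wss_prod` and the sample values are constructed.

```python
import re
# Constructed sample modelled on the stanzas quoted in the post above;
# the input name "wss_prod" and the username are made up.
SAMPLE_INPUTS_CONF = r"""
[scwss-poll://wss_prod]
interval = 3600
python.version = python3
apiusername = example-user
*Cloud-driven Web Security Service API Username
apikey = <value>

[batch://$SPLUNK_HOME/var/spool/splunk/...stash_ta_scwss_logs.zip]
index=wss
sourcetype = symantec:websecurityservice:scwss-poll
move_policy = sinkhole

[batch://$SPLUNK_HOME\var\spool\splunk\...stash_ta_scwss_logs.zip]
sourcetype = symantec:websecurityservice:scwss-poll
move_policy = sinkhole
"""

STANZA = re.compile(r"^\[(?P<name>[^\]]+)\]\s*$")
SETTING = re.compile(r"^(?P<key>[^=\s][^=]*?)\s*=\s*(?P<val>.*)$")

def lint_inputs_conf(text):
    """Return (stanza, problem) tuples for the pitfalls named in the thread."""
    findings, stanzas, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or a real .conf comment
        m = STANZA.match(line)
        if m:
            current = m.group("name")
            stanzas[current] = {}
        elif line.startswith("*"):  # .spec description text, not .conf syntax
            findings.append((current, "spec description line copied into .conf"))
        elif (s := SETTING.match(line)) and current is not None:
            stanzas[current][s.group("key")] = s.group("val")
            if s.group("val") == "<value>":
                findings.append((current, f"{s.group('key')} still holds the <value> placeholder"))
    for name, settings in stanzas.items():
        if "stash_ta_scwss_logs" in name and "index" not in settings:
            findings.append((name, "no index set, events end up in main"))
    return findings

if __name__ == "__main__":
    for stanza, problem in lint_inputs_conf(SAMPLE_INPUTS_CONF):
        print(f"[{stanza}] {problem}")
```
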

nikatsam
Explorer

For problem A), the app is looking for the admin user, so in a cloud environment make sure to ask support to validate permissions,

i.e. allow sc_admin to write to the app.

0 Karma

nikatsam
Explorer

On an additional note,

modifying, in $SPLUNKDIR/etc/apps/TA-SymantecWebSecurityService/bin/logger_manager.py,

logfile = make_splunkhome_path(["var", "log", "scwss",
"%s.log" % log_name])
logdir = os.path.dirname(logfile)


to splunk will allow you to ingest the scwss-poll.log generated by the scwss-poll.py script in _internal,
as the current setup may fail to pull the log file unless you add a new file monitor on the scwss dir.




0 Karma
