Unable to install Qualys technology add-on (TA) 1.1.0

d12harshal
Path Finder

Hi All,

I am unable to install the TA-Qualyscloudplatform add-on on the HF due to the following errors. The HF already contained Qualys (TA) v1.0.1, so before installing the new add-on I removed the earlier v1.0.1 add-on and tried to install the new TA-Qualyscloudplatform v1.1.0 (TA), as the vendor has changed.
The username and password are verified and have access to the Qualys API, but the error messages below are still shown while installing.
Has anyone come across a similar situation?

06-22-2017 06:49:55.051 -0500 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA-QualysCloudPlatform/bin/qualys.py" api_user, api_password = qualysModule.splunkpopulator.utils.getCredentials(config['session_key'])

06-22-2017 06:49:55.051 -0500 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA-QualysCloudPlatform/bin/qualys.py" File "/opt/splunk/etc/apps/TA-QualysCloudPlatform/bin/qualysModule/splunkpopulator/utils.py", line 175, in getCredentials

06-22-2017 06:49:55.051 -0500 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA-QualysCloudPlatform/bin/qualys.py" raise Exception("Could not get %s credentials from Splunk. Error: %s" % (myapp, str(e)))

06-22-2017 06:49:55.051 -0500 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA-QualysCloudPlatform/bin/qualys.py" Exception: Could not get TA-QualysCloudPlatform credentials from Splunk. Error: 'str' object has no attribute 'os_startIndex'

Thanks in advance.

0 Karma
1 Solution

d12harshal
Path Finder

The issue has been solved. It was due to a corrupted password in SA-ldapsearch. It seems to be a bug with the Splunk SA-ldapsearch add-on.

Deleting the passwords from SA-ldapsearch and adding them again fixed the issue.

The following link can be used to identify corrupted passwords:
https://localhost:8089/servicesNS/nobody/-/storage/passwords?output_mode=json&count=-1

0 Karma

nit123
Path Finder

It seems that there are some issues with the existing credentials of your app, which conflict with the newer version.

  1. Firstly, it is advised to remove the earlier version of the app prior to installing the new app, to be assured of no conflicts.

  2. Check whether the TA's passwords.conf file has more than 1 set of credentials. The TA is NOT designed to work with multiple user accounts, so there should always be only one record of API user credentials. passwords.conf is located at TA_DIR/local/passwords.conf

  3. Splunk's getEntities() returns all the credentials which are visible to your app. So you need to check the app name in the ACL record to make sure we are looking at the record in our own passwords.conf (and not one from any other app whose credentials are visible to us). So add a condition which checks the ACL app name against your app and returns credentials only if it matches.

The code changes in the getCredentials function in utils.py are as follows:

Remove this line -> return c['username'], c['clear_password'] and update the loop with the following:

    # Only return the credential whose ACL says it belongs to this app (myapp)
    if c['eai:acl']['app'] == myapp:
        qlogger.info("getCredentials returning these credentials: username:%s password: eai:acl->app:%s" % (c['username'], c['eai:acl']['app']))
        return c['username'], c['clear_password']

Hope this solves your problem. If not, please provide more details, as follows:

a. Version of the app
b. Does passwords.conf contain more than 1 set of records?

0 Karma
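
An added example (not the add-on's own code) that combines the two checks from this thread: spotting damaged entries in the storage/passwords listing, and returning only the credential whose ACL app matches. The JSON entry layout, the corruption heuristic and the names audit_passwords and get_credentials are assumptions; the sample data is constructed.

```python
import json

# Constructed sample shaped like the JSON returned by
# /servicesNS/nobody/-/storage/passwords?output_mode=json&count=-1
# (entry layout is an assumption; all values are made up).
SAMPLE = json.dumps({"entry": [
    {"name": ":qualys_api_user:",
     "acl": {"app": "TA-QualysCloudPlatform", "sharing": "app"},
     "content": {"username": "qualys_api_user", "realm": "",
                 "clear_password": "example-secret"}},
    {"name": "ldap:svc_bind:",
     "acl": {"app": "SA-ldapsearch", "sharing": "global"},
     "content": {"username": "svc_bind", "realm": "ldap",
                 "clear_password": ""}},
    {"name": "ldap:svc_old:",
     "acl": {"app": "SA-ldapsearch", "sharing": "global"},
     "content": "unparseable"},
]})

REQUIRED = ("username", "clear_password")


def audit_passwords(raw, myapp):
    """Return (credentials owned by myapp, [(app, name)] of suspect entries)."""
    owned, suspect = [], []
    for entry in json.loads(raw).get("entry", []):
        name = entry.get("name", "<unnamed>")
        app = (entry.get("acl") or {}).get("app", "<unknown>")
        content = entry.get("content")
        # Hypothetical heuristic: not a mapping, or a required field is empty.
        if not isinstance(content, dict) or not all(content.get(k) for k in REQUIRED):
            suspect.append((app, name))  # names only, never the secret
            continue
        # Same scoping rule as the ACL check above: ignore credentials that
        # are merely visible to this app but owned by another one.
        if app == myapp:
            owned.append((content["username"], content["clear_password"]))
    return owned, suspect


def get_credentials(raw, myapp):
    """Return the single credential pair owned by myapp, or raise."""
    owned, _ = audit_passwords(raw, myapp)
    if len(owned) != 1:
        raise LookupError("%s: expected 1 credential, found %d" % (myapp, len(owned)))
    return owned[0]

if __name__ == "__main__":
    print(audit_passwords(SAMPLE, "TA-QualysCloudPlatform")[1])
```

The suspect list carries only app and entry names, so it can be logged without exposing any stored secret.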

d12harshal
Path Finder

I followed the steps you mentioned above but am still unable to configure the add-on. Below are the error messages; please check.

Could not get TA-QualysCloudPlatform credentials from Splunk. Cannot continue. Error: 'str' object has no attribute 'os_startIndex'
07-13-2017 05:33:26.300 -0500 INFO ExecProcessor - New scheduled exec process: python /opt/splunk/etc/apps/TA-QualysCloudPlatform/bin/qualys.py
127.0.0.1 - splunk-system-user [13/Jul/2017:05:33:26.504 -0500] "GET /servicesNS/nobody/TA-QualysCloudPlatform/admin/passwords HTTP/1.0" 200 25993 - - - 2ms
07-13-2017 05:33:26.509 -0500 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA-QualysCloudPlatform/bin/qualys.py" No handlers could be found for logger "splunk.rest.format"
07-13-2017 05:33:26.509 -0500 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA-QualysCloudPlatform/bin/qualys.py" Traceback (most recent call last):
07-13-2017 05:33:26.509 -0500 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA-QualysCloudPlatform/bin/qualys.py" File "/opt/splunk/etc/apps/TA-QualysCloudPlatform/bin/qualys.py", line 280, in
07-13-2017 05:33:26.509 -0500 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA-QualysCloudPlatform/bin/qualys.py" main()
07-13-2017 05:33:26.509 -0500 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA-QualysCloudPlatform/bin/qualys.py" File "/opt/splunk/etc/apps/TA-QualysCloudPlatform/bin/qualys.py", line 273, in main
07-13-2017 05:33:26.509 -0500 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA-QualysCloudPlatform/bin/qualys.py" run()
07-13-2017 05:33:26.509 -0500 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA-QualysCloudPlatform/bin/qualys.py" File "/opt/splunk/etc/apps/TA-QualysCloudPlatform/bin/qualys.py", line 135, in run
07-13-2017 05:33:26.509 -0500 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA-QualysCloudPlatform/bin/qualys.py" api_user, api_password = qualysModule.splunkpopulator.utils.getCredentials(config['session_key'])
07-13-2017 05:33:26.509 -0500 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA-QualysCloudPlatform/bin/qualys.py" File "/opt/splunk/etc/apps/TA-QualysCloudPlatform/bin/qualysModule/splunkpopulator/utils.py", line 175, in getCredentials
07-13-2017 05:33:26.509 -0500 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA-QualysCloudPlatform/bin/qualys.py" raise Exception("Could not get %s credentials from Splunk. Error: %s" % (myapp, str(e)))
07-13-2017 05:33:26.509 -0500 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA-QualysCloudPlatform/bin/qualys.py" Exception: Could not get TA-QualysCloudPlatform credentials from Splunk. Error: 'str' object has no attribute 'os_startIndex'
07-13-2017 05:33:26.635 -0500 INFO ExecProcessor - New scheduled exec process: python /opt/splunk/etc/apps/TA-QualysCloudPlatform/bin/qualys.py

Qualys add-on version: 1.1.0
Password contains only 1 set of records.

I am able to install the Qualys add-on successfully in the Splunk development environment, but unable to configure it in the Splunk production environment. I removed the earlier version of the add-on and tried to install the new version, even on a different HF, but the above errors still occur.

0 Karma

nit123
Path Finder

Your logs show the message 'Could not get TA-QualysCloudPlatform credentials from Splunk.'
Did you face any errors while saving credentials from the setup page?
Do you face an authentication error in the TA while making API calls to the Qualys server to pull input-specific data?

0 Karma

d12harshal
Path Finder

While saving the password it did not show any error messages. Password saving was successful.

I executed the command below to check connectivity, and it collected results in the /tmp folder in the add-on.
Command: /opt/splunk/bin/splunk cmd python ./bin/run.py --log-host-detections --api-server= --username= --password= --from-date=2017-07-018T00:00:00Z --proxy=

I also tried to reinstall the add-on and reload the password file, but no luck.

0 Karma

lakshman239
SplunkTrust

We noticed a few issues with the Qualys 1.1 version and submitted a case with Qualys support. I suggest you raise a case with them.

0 Karma

lakshman239
SplunkTrust

I assume you are following the 'qualys-TA-for-splunk-enterprise-quick-start.pdf' documentation on the https://community.qualys.com/docs/DOC-4876 page and successfully installed and configured version 1.1.0 in the dev instance, but are getting errors in the production install on a HF. I assume the Splunk and OS (Linux) versions are the same in both dev and prod. Can you try the following on the prod HF?
1. Install the add-on. Don't configure it yet.
2. Restart Splunk.
3. Configure the add-on and provide credentials etc.
4. Restart Splunk.
5. Check the logs in 'splunkd' and ta-Qua*, and the index to which you are getting/pushing the data.

Let me know how it goes.

0 Karma

d12harshal
Path Finder

Yes, I followed the same procedure as mentioned in the Qualys document.

0 Karma

lakshman239
SplunkTrust

The above indicates it's unable to get the credentials from the 'passwords.conf' file, OR possible corruption in the 'uninstall process'.

1. A clean way would be to stop the Splunk process on the heavy forwarder. Ensure no other process is running under the 'splunk' user (i.e. the user used to run splunkd).

  1. rm the TA-QualysCloudPlatform directory from the /opt/splunk/etc/apps folder.

  2. Re-install the required new version from the GUI, or by placing the tar file under etc/apps, untarring it and restarting.

  3. Re-configure the add-on from the GUI and restart Splunk.

Hope this helps.

0 Karma