Wazuh: Why am I getting these error messages?

Klimdy
Explorer

Hi, I have some problems with the TA. I installed the TA as in the instructions, but in splunkd.log I see errors for all wazuh_api_*

Version Splunk 7.0.0 standalone

11-08-2017 12:55:40.905 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA-wazuh-api-connector/bin/wazuh_api_info_basic.py" Traceback (most recent call last):
11-08-2017 12:55:40.905 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA-wazuh-api-connector/bin/wazuh_api_info_basic.py" File "/opt/splunk/etc/apps/TA-wazuh-api-connector/bin/ta_wazuh_api_connector/modinput_wrapper/base_modinput.py", line 113, in stream_events
11-08-2017 12:55:40.905 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA-wazuh-api-connector/bin/wazuh_api_info_basic.py" self.parse_input_args(input_definition)
11-08-2017 12:55:40.905 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA-wazuh-api-connector/bin/wazuh_api_info_basic.py" File "/opt/splunk/etc/apps/TA-wazuh-api-connector/bin/ta_wazuh_api_connector/modinput_wrapper/base_modinput.py", line 152, in parse_input_args
11-08-2017 12:55:40.905 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA-wazuh-api-connector/bin/wazuh_api_info_basic.py" self.parse_input_args_from_global_config(inputs)
11-08-2017 12:55:40.906 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA-wazuh-api-connector/bin/wazuh_api_info_basic.py" File "/opt/splunk/etc/apps/TA-wazuh-api-connector/bin/ta_wazuh_api_connector/modinput_wrapper/base_modinput.py", line 171, in _parse_input_args_from_global_config
11-08-2017 12:55:40.906 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA-wazuh-api-connector/bin/wazuh_api_info_basic.py" ucc_inputs = global_config.inputs.load(input_type=self.input_type)
11-08-2017 12:55:40.906 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA-wazuh-api-connector/bin/wazuh_api_info_basic.py" File "/opt/splunk/etc/apps/TA-wazuh-api-connector/bin/ta_wazuh_api_connector/splunktaucclib/global_config/configuration.py", line 270, in load
11-08-2017 12:55:40.906 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA-wazuh-api-connector/bin/wazuh_api_info_basic.py" input_item['entity']
11-08-2017 12:55:40.906 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA-wazuh-api-connector/bin/wazuh_api_info_basic.py" File "/opt/splunk/etc/apps/TA-wazuh-api-connector/bin/ta_wazuh_api_connector/splunktaucclib/global_config/configuration.py", line 175, in _load_endpoint
11-08-2017 12:55:40.906 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA-wazuh-api-connector/bin/wazuh_api_info_basic.py" **query
11-08-2017 12:55:40.906 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA-wazuh-api-connector/bin/wazuh_api_info_basic.py" File "/opt/splunk/etc/apps/TA-wazuh-api-connector/bin/ta_wazuh_api_connector/solnlib/packages/splunklib/binding.py", line 287, in wrapper
11-08-2017 12:55:40.906 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA-wazuh-api-connector/bin/wazuh_api_info_basic.py" return request_fun(self, *args, **kwargs)
11-08-2017 12:55:40.906 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA-wazuh-api-connector/bin/wazuh_api_info_basic.py" File "/opt/splunk/etc/apps/TA-wazuh-api-connector/bin/ta_wazuh_api_connector/solnlib/packages/splunklib/binding.py", line 69, in new_f
11-08-2017 12:55:40.906 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA-wazuh-api-connector/bin/wazuh_api_info_basic.py" val = f(*args, **kwargs)
11-08-2017 12:55:40.906 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA-wazuh-api-connector/bin/wazuh_api_info_basic.py" File "/opt/splunk/etc/apps/TA-wazuh-api-connector/bin/ta_wazuh_api_connector/solnlib/packages/splunklib/binding.py", line 665, in get
11-08-2017 12:55:40.906 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA-wazuh-api-connector/bin/wazuh_api_info_basic.py" response = self.http.get(path, self._auth_headers, **query)
11-08-2017 12:55:40.906 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA-wazuh-api-connector/bin/wazuh_api_info_basic.py" File "/opt/splunk/etc/apps/TA-wazuh-api-connector/bin/ta_wazuh_api_connector/solnlib/packages/splunklib/binding.py", line 1160, in get
11-08-2017 12:55:40.906 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA-wazuh-api-connector/bin/wazuh_api_info_basic.py" return self.request(url, { 'method': "GET", 'headers': headers })
11-08-2017 12:55:40.906 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA-wazuh-api-connector/bin/wazuh_api_info_basic.py" File "/opt/splunk/etc/apps/TA-wazuh-api-connector/bin/ta_wazuh_api_connector/solnlib/packages/splunklib/binding.py", line 1221, in request
11-08-2017 12:55:40.906 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA-wazuh-api-connector/bin/wazuh_api_info_basic.py" raise HTTPError(response)
11-08-2017 12:55:40.906 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA-wazuh-api-connector/bin/wazuh_api_info_basic.py" HTTPError: HTTP 500 Internal Server Error -- {"messages":[{"type":"ERROR","text":"Unexpected error \"\" from python handler: \"REST Error [500]: Internal Server Error -- Traceback (most recent call last):\n File \"/opt/splunk/etc/apps/TA-wazuh-api-connector/bin/ta_wazuh_api_connector/splunktaucclib/rest_handler/handler.py\", line 113, in wrapper\n for name, data, acl in meth(self, *args, **kwargs):\n File \"/opt/splunk/etc/apps/TA-wazuh-api-connector/bin/ta_wazuh_api_connector/splunktaucclib/rest_handler/handler.py\", line 348, in _format_all_response\n self._encrypt_raw_credentials(cont['entry'])\n File \"/opt/splunk/etc/apps/TA-wazuh-api-connector/bin/ta_wazuh_api_connector/splunktaucclib/rest_handler/handler.py\", line 382, in _encrypt_raw_credentials\n change_list = rest_credentials.decrypt_all(data)\n File \"/opt/splunk/etc/apps/TA-wazuh-api-connector/bin/ta_wazuh_api_connector/splunktaucclib/rest_handler/credentials.py\", line 286, in decrypt_all\n all_passwords = credential_manager._get_all_passwords()\n File \"/opt/splunk/etc/apps/TA-wazuh-api-connector/bin/ta_wazuh_api_connector/solnlib/utils.py\", line 154, in wrapper\n return func(*args, **kwargs)\n File \"/opt/splunk/etc/apps/TA-wazuh-api-connector/bin/ta_wazuh_api_connector/solnlib/credentials.py\", line 272, in _get_all_passwords\n clear_password += field_clear[index]\nTypeError: cannot concatenate 'str' and 'NoneType' objects\n\". See splunkd.log for more details."}]}
11-08-2017 12:55:41.617 +0000 ERROR PasswordHandler - Decrypted password from stanza=credential:REST_CREDENTIAL_#TA-wazuh-api-connector#data/inputs/wazuh_api_agents:api_serversplunk_cred_sep1: is not utf8, skipping

11-08-2017 12:55:41.617 +0000 ERROR PasswordHandler - Decrypted password from stanza=credential:REST_CREDENTIAL#TA-wazuh-api-connector#data/inputs/wazuh_api_agents:api_serversplunk_cred_sep2: is not utf8, skipping

11-08-2017 12:55:41.617 +0000 ERROR PasswordHandler - Decrypted password from stanza=credential:REST_CREDENTIAL#TA-wazuh-api-connector#data/inputs/wazuh_api_decoders:api_serversplunk_cred_sep1: is not utf8, skipping

11-08-2017 12:55:41.617 +0000 ERROR PasswordHandler - Decrypted password from stanza=credential:REST_CREDENTIAL#TA-wazuh-api-connector#data/inputs/wazuh_api_decoders:api_serversplunk_cred_sep2: is not utf8, skipping

11-08-2017 12:55:41.617 +0000 ERROR PasswordHandler - Decrypted password from stanza=credential:REST_CREDENTIAL#TA-wazuh-api-connector#data/inputs/wazuh_api_info_basic:api_serversplunk_cred_sep1: is not utf8, skipping

11-08-2017 12:55:41.617 +0000 ERROR PasswordHandler - Decrypted password from stanza=credential:REST_CREDENTIAL#TA-wazuh-api-connector#data/inputs/wazuh_api_info_basic:api_serversplunk_cred_sep2: is not utf8, skipping

11-08-2017 12:55:41.617 +0000 ERROR PasswordHandler - Decrypted password from stanza=credential:REST_CREDENTIAL#TA-wazuh-api-connector#data/inputs/wazuh_api_rules:api_serversplunk_cred_sep1: is not utf8, skipping

11-08-2017 12:55:41.617 +0000 ERROR PasswordHandler - Decrypted password from stanza=credential:REST_CREDENTIAL#TA-wazuh-api-connector#data/inputs/wazuh_api_rules:api_serversplunk_cred_sep2: is not utf8, skipping

11-08-2017 12:55:41.642 +0000 ERROR AdminManagerExternal - Stack trace from python handler:\nTraceback (most recent call last):\n File "/opt/splunk/lib/python2.7/site-packages/splunk/admin.py", line 130, in init\n hand.execute(info)\n File "/opt/splunk/lib/python2.7/site-packages/splunk/admin.py", line 594, in execute\n if self.requestedAction == ACTION_LIST: self.handleList(confInfo)\n File "/opt/splunk/etc/apps/TA-wazuh-api-connector/bin/ta_wazuh_api_connector/splunk_aoblib/rest_migration.py", line 38, in handleList\n AdminExternalHandler.handleList(self, confInfo)\n File "/opt/splunk/etc/apps/TA-wazuh-api-connector/bin/ta_wazuh_api_connector/splunktaucclib/rest_handler/admin_external.py", line 40, in wrapper\n for entity in result:\n File "/opt/splunk/etc/apps/TA-wazuh-api-connector/bin/ta_wazuh_api_connector/splunktaucclib/rest_handler/handler.py", line 120, in wrapper\n raise RestError(500, traceback.format_exc())\nRestError: REST Error [500]: Internal Server Error -- Traceback (most recent call last):\n File "/opt/splunk/etc/apps/TA-wazuh-api-connector/bin/ta_wazuh_api_connector/splunktaucclib/rest_handler/handler.py", line 113, in wrapper\n for name, data, acl in meth(self, *args, **kwargs):\n File "/opt/splunk/etc/apps/TA-wazuh-api-connector/bin/ta_wazuh_api_connector/splunktaucclib/rest_handler/handler.py", line 348, in _format_all_response\n self._encrypt_raw_credentials(cont['entry'])\n File "/opt/splunk/etc/apps/TA-wazuh-api-connector/bin/ta_wazuh_api_connector/splunktaucclib/rest_handler/handler.py", line 382, in _encrypt_raw_credentials\n change_list = rest_credentials.decrypt_all(data)\n File "/opt/splunk/etc/apps/TA-wazuh-api-connector/bin/ta_wazuh_api_connector/splunktaucclib/rest_handler/credentials.py", line 286, in decrypt_all\n all_passwords = credential_manager._get_all_passwords()\n File "/opt/splunk/etc/apps/TA-wazuh-api-connector/bin/ta_wazuh_api_connector/solnlib/utils.py", line 154, in wrapper\n return func(*args, **kwargs)\n File 
"/opt/splunk/etc/apps/TA-wazuh-api-connector/bin/ta_wazuh_api_connector/solnlib/credentials.py", line 272, in _get_all_passwords\n clear_password += field_clear[index]\nTypeError: cannot concatenate 'str' and 'NoneType' objects\n\n
11-08-2017 12:55:41.642 +0000 ERROR AdminManagerExternal - Unexpected error "" from python handler: "REST Error [500]: Internal Server Error -- Traceback (most recent call last):\n File "/opt/splunk/etc/apps/TA-wazuh-api-connector/bin/ta_wazuh_api_connector/splunktaucclib/rest_handler/handler.py", line 113, in wrapper\n for name, data, acl in meth(self, *args, **kwargs):\n File "/opt/splunk/etc/apps/TA-wazuh-api-connector/bin/ta_wazuh_api_connector/splunktaucclib/rest_handler/handler.py", line 348, in _format_all_response\n self._encrypt_raw_credentials(cont['entry'])\n File "/opt/splunk/etc/apps/TA-wazuh-api-connector/bin/ta_wazuh_api_connector/splunktaucclib/rest_handler/handler.py", line 382, in _encrypt_raw_credentials\n change_list = rest_credentials.decrypt_all(data)\n File "/opt/splunk/etc/apps/TA-wazuh-api-connector/bin/ta_wazuh_api_connector/splunktaucclib/rest_handler/credentials.py", line 286, in decrypt_all\n all_passwords = credential_manager._get_all_passwords()\n File "/opt/splunk/etc/apps/TA-wazuh-api-connector/bin/ta_wazuh_api_connector/solnlib/utils.py", line 154, in wrapper\n return func(*args, **kwargs)\n File "/opt/splunk/etc/apps/TA-wazuh-api-connector/bin/ta_wazuh_api_connector/solnlib/credentials.py", line 272, in _get_all_passwords\n clear_password += field_clear[index]\nTypeError: cannot concatenate 'str' and 'NoneType' objects\n". See splunkd.log for more details.

0 Karma
1 Solution

Klimdy
Explorer

So, after many manipulations, I can explain why I had this problem) For anybody who wants to install this add-on:
After installing the add-on, you have a passwords.conf file in the add-on's directory. The credentials in this file are not generated by the script, and you need to delete all the text and paste:

username = your_splunk_login_admin
password = pass_for_admin

All the scripts work normally and you can see the wazuh_api index, and in this file you can see your credentials))) And lastly, after that you can delete the username and password ))))

enjoy)))

0 Karma

richgalloway
SplunkTrust

@kimdy, if your problem is resolved, please accept the answer to help future users.

---
If this reply helps you, Karma would be appreciated.
0 Karma

Richfez
SplunkTrust

Can you please retry/review/redo the credentials section of the ... configuration file? Those errors seem to indicate some problem with your password.

"ERROR PasswordHandler - Decrypted password from stanza=credential:REST_CREDENTIAL#TA-wazuh-api-connector#data/inputs/wazuh_api_agents:api_serversplunk_cred_sep1: is not utf8, skipping"

So, how to fix it I don't know - I'm hoping just redoing that section and retrying that from the original instructions will make it work right.

If it doesn't, please be sure to paste in any new errors using the little "code" button in the editor.

0 Karma
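
A triage helper for the errors quoted in this thread, as an added example (not part of any post and not the add-on's own code): it groups the `PasswordHandler` "is not utf8" lines by app, endpoint and field, and counts the `_get_all_passwords` tracebacks that accompany them. The sample log is constructed from the lines above; the function names and the tolerance for optional underscores/backticks in the stanza name are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample, shaped like the splunkd.log lines quoted in this thread.
PREFIX = "11-08-2017 12:55:41.617 +0000 ERROR PasswordHandler - Decrypted password from stanza=credential:"
SAMPLE_LOG = "\n".join([
    PREFIX + "REST_CREDENTIAL#TA-wazuh-api-connector#data/inputs/wazuh_api_agents:api_serversplunk_cred_sep1: is not utf8, skipping",
    PREFIX + "REST_CREDENTIAL#TA-wazuh-api-connector#data/inputs/wazuh_api_agents:api_serversplunk_cred_sep2: is not utf8, skipping",
    PREFIX + "REST_CREDENTIAL#TA-wazuh-api-connector#data/inputs/wazuh_api_rules:api_serversplunk_cred_sep1: is not utf8, skipping",
    '11-08-2017 12:55:41.642 +0000 ERROR AdminManagerExternal - ... solnlib/credentials.py", line 272, in _get_all_passwords\\n clear_password += field_clear[index]\\nTypeError: cannot concatenate \'str\' and \'NoneType\' objects',
    "11-08-2017 12:55:42.001 +0000 INFO ExecProcessor - unrelated line",
])

# Assumption: underscores and backticks around the markers are optional,
# because the forum rendering of the stanza name may have dropped them.
STANZA_RE = re.compile(
    r"ERROR PasswordHandler - Decrypted password from stanza=credential:"
    r"_*REST_CREDENTIAL_*#(?P<app>[^#]+)#(?P<endpoint>[^:]+):"
    r"(?P<name>.+?)`*splunk_cred_sep`*(?P<chunk>\d+):\s*is not utf8"
)

def triage(log_text):
    """Group undecryptable credential chunks by (app, endpoint, field) and count related tracebacks."""
    failed = defaultdict(set)
    tracebacks = 0
    for line in log_text.splitlines():
        m = STANZA_RE.search(line)
        if m:
            failed[(m["app"], m["endpoint"], m["name"])].add(int(m["chunk"]))
        elif "_get_all_passwords" in line and "TypeError" in line:
            tracebacks += 1  # credential reassembly hit a missing (None) chunk
    return {
        "credentials": {key: sorted(chunks) for key, chunks in failed.items()},
        "tracebacks": tracebacks,
    }

def affected_inputs(report):
    """Input names (last endpoint segment) whose stored credential could not be decrypted."""
    return sorted({endpoint.rsplit("/", 1)[-1] for _, endpoint, _ in report["credentials"]})

if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for (app, endpoint, name), chunks in sorted(report["credentials"].items()):
        print(f"{app} {endpoint} field={name} unreadable chunks={chunks}")
    print("credential-assembly tracebacks:", report["tracebacks"])
```
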