All Apps and Add-ons
Highlighted

Wazuh: Why am I gettting these error messages?

Explorer

Hi, i have some problems with TA, i install TA like in instruction, but in splunkd.log i see errors for all wazuhapi*

Version Splunk 7.0.0 standalone

11-08-2017 12:55:40.905 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA-wazuh-api-connector/bin/wazuhapiinfobasic.py" Traceback (most recent call last):
11-08-2017 12:55:40.905 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA-wazuh-api-connector/bin/wazuh
apiinfobasic.py" File "/opt/splunk/etc/apps/TA-wazuh-api-connector/bin/tawazuhapiconnector/modinputwrapper/basemodinput.py", line 113, in streamevents
11-08-2017 12:55:40.905 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA-wazuh-api-connector/bin/wazuhapiinfobasic.py" self.parseinputargs(inputdefinition)
11-08-2017 12:55:40.905 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA-wazuh-api-connector/bin/wazuhapiinfobasic.py" File "/opt/splunk/etc/apps/TA-wazuh-api-connector/bin/tawazuhapiconnector/modinputwrapper/basemodinput.py", line 152, in parseinputargs
11-08-2017 12:55:40.905 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA-wazuh-api-connector/bin/wazuhapiinfobasic.py" self.parseinputargsfromglobalconfig(inputs)
11-08-2017 12:55:40.906 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA-wazuh-api-connector/bin/wazuh
apiinfobasic.py" File "/opt/splunk/etc/apps/TA-wazuh-api-connector/bin/tawazuhapiconnector/modinputwrapper/basemodinput.py", line 171, in _parseinputargsfromglobalconfig
11-08-2017 12:55:40.906 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA-wazuh-api-connector/bin/wazuhapiinfobasic.py" uccinputs = globalconfig.inputs.load(inputtype=self.inputtype)
11-08-2017 12:55:40.906 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA-wazuh-api-connector/bin/wazuh
apiinfobasic.py" File "/opt/splunk/etc/apps/TA-wazuh-api-connector/bin/tawazuhapiconnector/splunktaucclib/globalconfig/configuration.py", line 270, in load
11-08-2017 12:55:40.906 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA-wazuh-api-connector/bin/wazuhapiinfobasic.py" inputitem['entity']
11-08-2017 12:55:40.906 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA-wazuh-api-connector/bin/wazuhapiinfobasic.py" File "/opt/splunk/etc/apps/TA-wazuh-api-connector/bin/tawazuhapiconnector/splunktaucclib/globalconfig/configuration.py", line 175, in _loadendpoint
11-08-2017 12:55:40.906 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA-wazuh-api-connector/bin/wazuhapiinfobasic.py" **query
11-08-2017 12:55:40.906 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA-wazuh-api-connector/bin/wazuh
apiinfobasic.py" File "/opt/splunk/etc/apps/TA-wazuh-api-connector/bin/tawazuhapiconnector/solnlib/packages/splunklib/binding.py", line 287, in wrapper
11-08-2017 12:55:40.906 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA-wazuh-api-connector/bin/wazuh
apiinfobasic.py" return requestfun(self, args, *kwargs)
11-08-2017 12:55:40.906 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA-wazuh-api-connector/bin/wazuh
apiinfobasic.py" File "/opt/splunk/etc/apps/TA-wazuh-api-connector/bin/tawazuhapiconnector/solnlib/packages/splunklib/binding.py", line 69, in newf
11-08-2017 12:55:40.906 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA-wazuh-api-connector/bin/wazuhapiinfobasic.py" val = f(args, *kwargs)
11-08-2017 12:55:40.906 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA-wazuh-api-connector/bin/wazuh
apiinfobasic.py" File "/opt/splunk/etc/apps/TA-wazuh-api-connector/bin/tawazuhapiconnector/solnlib/packages/splunklib/binding.py", line 665, in get
11-08-2017 12:55:40.906 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA-wazuh-api-connector/bin/wazuh
apiinfobasic.py" response = self.http.get(path, self.authheaders, *query)
11-08-2017 12:55:40.906 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA-wazuh-api-connector/bin/wazuhapiinfobasic.py" File "/opt/splunk/etc/apps/TA-wazuh-api-connector/bin/tawazuhapiconnector/solnlib/packages/splunklib/binding.py", line 1160, in get
11-08-2017 12:55:40.906 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA-wazuh-api-connector/bin/wazuhapiinfobasic.py" return self.request(url, { 'method': "GET", 'headers': headers })
11-08-2017 12:55:40.906 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA-wazuh-api-connector/bin/wazuh
apiinfobasic.py" File "/opt/splunk/etc/apps/TA-wazuh-api-connector/bin/tawazuhapiconnector/solnlib/packages/splunklib/binding.py", line 1221, in request
11-08-2017 12:55:40.906 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA-wazuh-api-connector/bin/wazuh
apiinfobasic.py" raise HTTPError(response)
11-08-2017 12:55:40.906 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA-wazuh-api-connector/bin/wazuhapiinfobasic.py" HTTPError: HTTP 500 Internal Server Error -- {"messages":[{"type":"ERROR","text":"Unexpected error \"<class 'splunktaucclib.resthandler.error.RestError'>\" from python handler: \"REST Error [500]: Internal Server Error -- Traceback (most recent call last):\n File \"/opt/splunk/etc/apps/TA-wazuh-api-connector/bin/tawazuhapiconnector/splunktaucclib/resthandler/handler.py\", line 113, in wrapper\n for name, data, acl in meth(self, *args, *
kwargs):\n File \"/opt/splunk/etc/apps/TA-wazuh-api-connector/bin/tawazuhapiconnector/splunktaucclib/resthandler/handler.py\", line 348, in formatallresponse\n self.encryptrawcredentials(cont['entry'])\n File \"/opt/splunk/etc/apps/TA-wazuh-api-connector/bin/tawazuhapiconnector/splunktaucclib/resthandler/handler.py\", line 382, in encryptrawcredentials\n changelist = restcredentials.decryptall(data)\n File \"/opt/splunk/etc/apps/TA-wazuh-api-connector/bin/tawazuhapiconnector/splunktaucclib/resthandler/credentials.py\", line 286, in decryptall\n allpasswords = credentialmanager.getallpasswords()\n File \"/opt/splunk/etc/apps/TA-wazuh-api-connector/bin/tawazuhapiconnector/solnlib/utils.py\", line 154, in wrapper\n return func(args, *kwargs)\n File \"/opt/splunk/etc/apps/TA-wazuh-api-connector/bin/tawazuhapiconnector/solnlib/credentials.py\", line 272, in getallpasswords\n clearpassword += fieldclear[index]\nTypeError: cannot concatenate 'str' and 'NoneType' objects\n\". See splunkd.log for more details."}]}
11-08-2017 12:55:41.617 +0000 ERROR PasswordHandler - Decrypted password from stanza=credential:
RESTCREDENTIAL_#TA-wazuh-api-connector#data/inputs/wazuhapiagents:apiserversplunk_cred_sep1: is not utf8, skipping

11-08-2017 12:55:41.617 +0000 ERROR PasswordHandler - Decrypted password from stanza=credential:REST_CREDENTIAL#TA-wazuh-api-connector#data/inputs/wazuhapiagents:apiserver``splunkcred_sep``2: is not utf8, skipping

11-08-2017 12:55:41.617 +0000 ERROR PasswordHandler - Decrypted password from stanza=credential:REST_CREDENTIAL#TA-wazuh-api-connector#data/inputs/wazuhapidecoders:apiserver``splunkcred_sep``1: is not utf8, skipping

11-08-2017 12:55:41.617 +0000 ERROR PasswordHandler - Decrypted password from stanza=credential:REST_CREDENTIAL#TA-wazuh-api-connector#data/inputs/wazuhapidecoders:apiserver``splunkcred_sep``2: is not utf8, skipping

11-08-2017 12:55:41.617 +0000 ERROR PasswordHandler - Decrypted password from stanza=credential:REST_CREDENTIAL#TA-wazuh-api-connector#data/inputs/wazuhapiinfobasic:apiserversplunk_cred_sep1: is not utf8, skipping

11-08-2017 12:55:41.617 +0000 ERROR PasswordHandler - Decrypted password from stanza=credential:REST_CREDENTIAL#TA-wazuh-api-connector#data/inputs/wazuhapiinfobasic:apiserversplunk_cred_sep2: is not utf8, skipping

11-08-2017 12:55:41.617 +0000 ERROR PasswordHandler - Decrypted password from stanza=credential:REST_CREDENTIAL#TA-wazuh-api-connector#data/inputs/wazuhapirules:apiserver``splunkcred_sep``1: is not utf8, skipping

11-08-2017 12:55:41.617 +0000 ERROR PasswordHandler - Decrypted password from stanza=credential:REST_CREDENTIAL#TA-wazuh-api-connector#data/inputs/wazuhapirules:apiserver``splunkcred_sep``2: is not utf8, skipping

11-08-2017 12:55:41.642 +0000 ERROR AdminManagerExternal - Stack trace from python handler:\nTraceback (most recent call last):\n File "/opt/splunk/lib/python2.7/site-packages/splunk/admin.py", line 130, in init\n hand.execute(info)\n File "/opt/splunk/lib/python2.7/site-packages/splunk/admin.py", line 594, in execute\n if self.requestedAction == ACTIONLIST: self.handleList(confInfo)\n File "/opt/splunk/etc/apps/TA-wazuh-api-connector/bin/tawazuhapiconnector/splunkaoblib/restmigration.py", line 38, in handleList\n AdminExternalHandler.handleList(self, confInfo)\n File "/opt/splunk/etc/apps/TA-wazuh-api-connector/bin/tawazuhapiconnector/splunktaucclib/resthandler/adminexternal.py", line 40, in wrapper\n for entity in result:\n File "/opt/splunk/etc/apps/TA-wazuh-api-connector/bin/tawazuhapiconnector/splunktaucclib/resthandler/handler.py", line 120, in wrapper\n raise RestError(500, traceback.formatexc())\nRestError: REST Error [500]: Internal Server Error -- Traceback (most recent call last):\n File "/opt/splunk/etc/apps/TA-wazuh-api-connector/bin/tawazuhapiconnector/splunktaucclib/resthandler/handler.py", line 113, in wrapper\n for name, data, acl in meth(self, args, *kwargs):\n File "/opt/splunk/etc/apps/TA-wazuh-api-connector/bin/tawazuhapiconnector/splunktaucclib/resthandler/handler.py", line 348, in formatallresponse\n self.encryptrawcredentials(cont['entry'])\n File "/opt/splunk/etc/apps/TA-wazuh-api-connector/bin/tawazuhapiconnector/splunktaucclib/resthandler/handler.py", line 382, in encryptrawcredentials\n changelist = restcredentials.decryptall(data)\n File "/opt/splunk/etc/apps/TA-wazuh-api-connector/bin/tawazuhapiconnector/splunktaucclib/resthandler/credentials.py", line 286, in decryptall\n allpasswords = credentialmanager.getallpasswords()\n File "/opt/splunk/etc/apps/TA-wazuh-api-connector/bin/tawazuhapiconnector/solnlib/utils.py", line 154, in wrapper\n return func(args, *kwargs)\n File "/opt/splunk/etc/apps/TA-wazuh-api-connector/bin/tawazuhapiconnector/solnlib/credentials.py", line 272, in getallpasswords\n clearpassword += fieldclear[index]\nTypeError: cannot concatenate 'str' and 'NoneType' objects\n\n
11-08-2017 12:55:41.642 +0000 ERROR AdminManagerExternal - Unexpected error "<class 'splunktaucclib.rest
handler.error.RestError'>" from python handler: "REST Error [500]: Internal Server Error -- Traceback (most recent call last):\n File "/opt/splunk/etc/apps/TA-wazuh-api-connector/bin/tawazuhapiconnector/splunktaucclib/resthandler/handler.py", line 113, in wrapper\n for name, data, acl in meth(self, args, *kwargs):\n File "/opt/splunk/etc/apps/TA-wazuh-api-connector/bin/tawazuhapiconnector/splunktaucclib/resthandler/handler.py", line 348, in formatallresponse\n self.encryptrawcredentials(cont['entry'])\n File "/opt/splunk/etc/apps/TA-wazuh-api-connector/bin/tawazuhapiconnector/splunktaucclib/resthandler/handler.py", line 382, in encryptrawcredentials\n changelist = restcredentials.decryptall(data)\n File "/opt/splunk/etc/apps/TA-wazuh-api-connector/bin/tawazuhapiconnector/splunktaucclib/resthandler/credentials.py", line 286, in decryptall\n allpasswords = credentialmanager.getallpasswords()\n File "/opt/splunk/etc/apps/TA-wazuh-api-connector/bin/tawazuhapiconnector/solnlib/utils.py", line 154, in wrapper\n return func(args, *kwargs)\n File "/opt/splunk/etc/apps/TA-wazuh-api-connector/bin/tawazuhapiconnector/solnlib/credentials.py", line 272, in getallpasswords\n clearpassword += field_clear[index]\nTypeError: cannot concatenate 'str' and 'NoneType' objects\n". See splunkd.log for more details.

0 Karma
Highlighted

Re: Wazuh: Why am I gettting these error messages?

SplunkTrust
SplunkTrust

Can you please retry/review/redo the credentials section of the ... configuration file? Those errors seem to indicate some problem with your password.

"ERROR PasswordHandler - Decrypted password from stanza=credential:RESTCREDENTIAL#TA-wazuh-api-connector#data/inputs/wazuhapiagents:apiserversplunk_cred_sep1: is not utf8, skipping"

So, how to fix it I don't know - I'm hoping just redoing that section and retrying that from the original instructions will make it work right.

If it doesn't, please be sure to paste in any new errors using the little "code" button in the editor.

0 Karma
Highlighted

Re: Wazuh: Why am I gettting these error messages?

Explorer

So, after many manipulations, i can explain why i hade this problem) For somebody who want to install this addon:
after installation addon, you have file passwords.conf in directory of addon, the credentials in this file not generation by script and you need delete all text and paste:

username = yoursplunkloginadmin
password = pass
for_admin

all scripts normally work and you can see wazuh_api index and in this file you can see your credentials))) and the last, after that you can delete username and password ))))

enjoy)))

View solution in original post

0 Karma
Highlighted

Re: Wazuh: Why am I gettting these error messages?

SplunkTrust
SplunkTrust

@kimdy, if your problem is resolved, please accept the answer to help future users.

---
If this reply helps you, an upvote would be appreciated.
0 Karma