All Apps and Add-ons

Why does the Splunk Security Essentials app has missing pictures, broken checks, etc?

mlevsh
Builder

We have Splunk Security Essentials 2.1.0 installed on our Development Splunk search head v. 7.0.1
We've recently noticed that It stopped displaying pictures, doing checks are not working, etc .
It started around the time it was updated to v. 2.0.0
We reinstalled the app - the same issue.
At the same time, it works ok on other standalone search head (which cannot be used).
We need SSE to be available on our the server where it has issues.

Any advice where to look first?

1 Solution

David
Splunk Employee
Splunk Employee

Update 10/7/2019

There have been numerous bug fixes in SSE 2.4 and 2.5 to attempt to work around Issues Two and Three below. Those should not pop up anymore (though if you think they impact you, please reach out!).

Number one is an underlying issue in Splunk Enterprise, though we also attempt to work around this in SSE. If you have admin rights, we will automatically issue a _bump when you browse to the app after an upgrade. This is a bit hacky, so you can always issue a _bump directly as detailed below.


We've seen three causes for this. If none of those scenarios seem to fit the bill for your environment, let me know and we can set up a webex to go through it.

Number One: Most Likely
The most common culprit for this is a core bug with refreshing static assets. To get around this, run a _bump by browsing to http://yoursplunk:8000/en-US/_bump and click the button.

Number Two: Less Likely
Another environment was using an SSL terminating proxy, but not rewriting http to https on 302 redirects. The root cause here is that Splunk Security Essentials makes no assumption for what language you use in your environment, and makes requests to /static/app/Splunk_Security_Essentials/... for images, javascript, css, json files, etc. Normally Splunk will then provide a 302 redirect to /en-US/static/app/Splunk_Security_Essentials/... adding the language code on the front (obviously this will be whatever language the user's browser uses, not necessarily en-US). If your SSL load balancer automatically re-writes normal requests from HTTP to HTTPS for you, but doesn't re-write 302 redirects, then all of a sudden your browser will be trying to request an HTTP page and the load balancer won't know what it's talking about.

Number Three: Even Less Likely
Like number two, Splunk automatically prepends a language to the URL of all requests via 302 redirect. If I request assets like /static/app/Splunk_Security_Essentials/images/general_images/nobookmark.png, Splunk will automatically 302 redirect the session to /en-US/static/app/Splunk_Security_Essentials/images/general_images/nobookmark.png (presuming that I am using a browser configured for US English).

The load balancer this customer was using was happy handling the redirect if someone went to just the root page (e.g., https://splunk.mycompany.com/) but if they gave a URL of https://splunk.mycompany.com/static/app/Splunk_Security_Essentials/images/general_images/nobookmark...., the load balancer would return a 404 instead of a 302 redirect to the correct language: https://splunk.mycompany.com/en-US/static/app/Splunk_Security_Essentials/images/general_images/noboo...

Not knowing all the ins and outs of every customer's load balancer configs, there could be many different solutions. The easiest two, though, are likely either of:
- forward all requests to Splunk so that Splunk can provide the redirect
- build a translation rule for /static to /en-US/static so that the load balancer will know not to return a 404.

View solution in original post

realsplunk
Motivator

"SSE-313 Splunk Security Essentials 3.3.3 not loading images (png files) behind Apache haproxy load balanced servers" logged.

https://wiki.splunk.com/Community:SplunkBehindAProxy

# catch all static asset requests
	RewriteRule ^/(static.*) /mysplunk/$1 [P]
0 Karma

realsplunk
Motivator

This solved on apache lb:

RewriteRule ^/(static.*) /mysplunkendpoint/$1 [P]

https://wiki.splunk.com/Community:SplunkBehindAProxy

0 Karma

David
Splunk Employee
Splunk Employee

Update 10/7/2019

There have been numerous bug fixes in SSE 2.4 and 2.5 to attempt to work around Issues Two and Three below. Those should not pop up anymore (though if you think they impact you, please reach out!).

Number one is an underlying issue in Splunk Enterprise, though we also attempt to work around this in SSE. If you have admin rights, we will automatically issue a _bump when you browse to the app after an upgrade. This is a bit hacky, so you can always issue a _bump directly as detailed below.


We've seen three causes for this. If none of those scenarios seem to fit the bill for your environment, let me know and we can set up a webex to go through it.

Number One: Most Likely
The most common culprit for this is a core bug with refreshing static assets. To get around this, run a _bump by browsing to http://yoursplunk:8000/en-US/_bump and click the button.

Number Two: Less Likely
Another environment was using an SSL terminating proxy, but not rewriting http to https on 302 redirects. The root cause here is that Splunk Security Essentials makes no assumption for what language you use in your environment, and makes requests to /static/app/Splunk_Security_Essentials/... for images, javascript, css, json files, etc. Normally Splunk will then provide a 302 redirect to /en-US/static/app/Splunk_Security_Essentials/... adding the language code on the front (obviously this will be whatever language the user's browser uses, not necessarily en-US). If your SSL load balancer automatically re-writes normal requests from HTTP to HTTPS for you, but doesn't re-write 302 redirects, then all of a sudden your browser will be trying to request an HTTP page and the load balancer won't know what it's talking about.

Number Three: Even Less Likely
Like number two, Splunk automatically prepends a language to the URL of all requests via 302 redirect. If I request assets like /static/app/Splunk_Security_Essentials/images/general_images/nobookmark.png, Splunk will automatically 302 redirect the session to /en-US/static/app/Splunk_Security_Essentials/images/general_images/nobookmark.png (presuming that I am using a browser configured for US English).

The load balancer this customer was using was happy handling the redirect if someone went to just the root page (e.g., https://splunk.mycompany.com/) but if they gave a URL of https://splunk.mycompany.com/static/app/Splunk_Security_Essentials/images/general_images/nobookmark...., the load balancer would return a 404 instead of a 302 redirect to the correct language: https://splunk.mycompany.com/en-US/static/app/Splunk_Security_Essentials/images/general_images/noboo...

Not knowing all the ins and outs of every customer's load balancer configs, there could be many different solutions. The easiest two, though, are likely either of:
- forward all requests to Splunk so that Splunk can provide the redirect
- build a translation rule for /static to /en-US/static so that the load balancer will know not to return a 404.

mlevsh
Builder

@David Splunk ,
sorry for a delay.
Neither of those scenarios are the case, can we setup up a webex to go through it as you suggested?

0 Karma

usmsplunk
Engager

did this get resolved?
any info on how you fixed it?

0 Karma

mlevsh
Builder

@usmsplunk, sorry for the delay. Yes, we solved it with help of @David Veuve and with help of our Web Hosting admin.

In our case , we are using apache web server on search heads, so we updated /etc/httpd/conf.d/splunk.conf as root on our search head server
with the following entries:
….

ProxyPass /static https://ourserver.company.com:8443/static
ProxyPass /static/app https://ourserver.company.com:8443/static/app
ProxyPassReverse /static https://ourserver.company.com:8443/static
ProxyPassReverse /static/app https://ouserver.company.com:8443/static/app
….

And restarted apache: service httpd restart

0 Karma

GDustin
Path Finder

..._bump worked for me so far 7.0.3 and 2.2.0

0 Karma
Get Updates on the Splunk Community!

Splunk Forwarders and Forced Time Based Load Balancing

Splunk customers use universal forwarders to collect and send data to Splunk. A universal forwarder can send ...

NEW! Log Views in Splunk Observability Dashboards Gives Context From a Single Page

Today, Splunk Observability releases log views, a new feature for users to add their logs data from Splunk Log ...

Last Chance to Submit Your Paper For BSides Splunk - Deadline is August 12th!

Hello everyone! Don't wait to submit - The deadline is August 12th! We have truly missed the community so ...