All Apps and Add-ons

Why is PassAuth Failing on Sophos Central app?

samhodgson
Path Finder

Hi, im having some problems getting a sessionkey when using the sophos endpoint app. Running the script manually using splunk cmd python bin/sophos_events.py and im jjust getting:

Did not receive a session key from splunkd. Please enable passAuth in inputs.conf for this script

My local/inputs.conf looks like this:

[script://opt/splunk/etc/apps/sophos_central/bin/sophos_events.py]
start_by_shell = false
disabled = false
interval = 300
sourcetype = sophos:central:event
passAuth   = splunk-system-user
index = sophos

I have also added passAuth = splunk-system-user to system/local/inputs.conf and added a commands.conf to the root folder of the app with:

[script://$SPLUNK_HOME/etc/apps/sophos_central/bin/sophos_events.py]
passauth = true
enableheaI'mr = true

I'm running this on an indexer in a non-clustered distributed environment. Nothing is being logged in var/log/splunk/python.log. The script actually just hangs when I run it until I hit enter and then I get the error. Running Splunk and executing the script as root. Really starting to do my head in if anyone can suggest anything it would be greatly appreciated!

0 Karma
1 Solution

samhodgson
Path Finder

This was because I was running it from the command line, apparently I would need to hard code the admin creds into the script to do this. Thanks to d3.iso on the slack channel for this info!

View solution in original post

0 Karma

samhodgson
Path Finder

This was because I was running it from the command line, apparently I would need to hard code the admin creds into the script to do this. Thanks to d3.iso on the slack channel for this info!

0 Karma
Get Updates on the Splunk Community!

Improve Your Security Posture

Watch NowImprove Your Security PostureCustomers are at the center of everything we do at Splunk and security ...

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...