Eventgen - ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/SA-Eventgen/bin/modinput_eventgen.py"

Communicator

Hi all,
For some reason I have this error in splunkd.log, and no logs are being generated from the other applications that have an eventgen.conf and a samples directory.

Does anyone know how to solve this problem?

I suspect that this error is due to permissions, but I checked all the permissions and everything is fine.

Here is a more detailed excerpt from the log:

DEBUG    MainProcess {'event': 'Using cached earliest time: 2019-09-15 16:06:20.961619'}
09-15-2019 16:07:20.970 +0300 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/SA-Eventgen/bin/modinput_eventgen.py" 2019-09-15 16:07:20 eventgen        DEBUG    MainProcess {'event': "Flushing queue for sample 'nessus_singlehost.samples' with size 60"}

09-15-2019 16:27:24.664 +0300 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/SA-Eventgen/bin/modinput_eventgen.py" 2019-09-15 16:27:24 eventgen        DEBUG    MainProcess {'event': "Flushing queue for sample 'symantec_ep_scm_agent_act.samples' with size 2"}

Thanks in advance!


Re: Eventgen - ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/SA-Eventgen/bin/modinput_eventgen.py"

Splunk Employee

Could you share your eventgen.conf ?


Re: Eventgen - ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/SA-Eventgen/bin/modinput_eventgen.py"

Communicator

Of course:

# Copyright (C) 2005-2015 Splunk Inc. All Rights Reserved.
# DO NOT EDIT THIS FILE!
# Please make all changes to files in $SPLUNK_HOME/etc/apps/SA-Eventgen/local.
# To make changes, copy the section/stanza you want to change from $SPLUNK_HOME/etc/apps/SA-Eventgen/default
# into ../local and edit there.
#

## IMPORTANT! Do not specify any settings under a default stanza
## The layering system will not behave appropriately
## Use [global] instead
[default]

[global]
disabled = false
debug = false
verbosity = false
spoolDir = $SPLUNK_HOME/var/spool/splunk
spoolFile = <SAMPLE>
breaker = [^\r\n\s]+
mode = sample
sampletype = raw
interval = 60
delay = 0
timeMultiple = 1
count = -1
earliest = now
latest = now
randomizeEvents = false
outputMode = modinput
fileMaxBytes = 10485760
fileBackupFiles = 5
splunkPort = 8089
splunkMethod = https
index = main
source = eventgen
sourcetype = eventgen
host = 127.0.0.1
generator = default
rater = config
generatorWorkers = 1
outputWorkers = 1
timeField = _raw
threading = thread
profiler = false
maxIntervalsBeforeFlush = 3
maxQueueLength = 0
useOutputQueue = false
autotimestamps = [["\\d{4}-\\d{2}-\\d{2} \\d{2}:\\d{2}:\\d{2}", "%Y-%m-%d %H:%M:%S"], ["\\d{1,2}\\/\\w{3}\\/\\d{4}\\s\\d{2}:\\d{2}:\\d{2}:\\d{1,3}", "%d/%b/%Y %H:%M:%S:%f"], ["\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}\\.\\d{3}", "%Y-%m-%dT%H:%M:%S.%f"], ["\\d{1,2}/\\w{3}/\\d{4}\\s\\d{2}:\\d{2}:\\d{2}:\\d{1,3}", "%d/%b/%Y %H:%M:%S:%f"], ["\\d{1,2}/\\d{2}/\\d{2}\\s\\d{1,2}:\\d{2}:\\d{2}", "%m/%d/%y %H:%M:%S"], ["\\d{2}-\\d{2}-\\d{4} \\d{2}:\\d{2}:\\d{2}", "%m-%d-%Y %H:%M:%S"], ["\\w{3} \\w{3} +\\d{1,2} \\d{2}:\\d{2}:\\d{2}", "%a %b %d %H:%M:%S"], ["\\w{3} \\w{3} \\d{2} \\d{4} \\d{2}:\\d{2}:\\d{2}", "%a %b %d %Y %H:%M:%S"], ["^(\\w{3}\\s+\\d{1,2}\\s\\d{2}:\\d{2}:\\d{2})", "%b %d %H:%M:%S"], ["(\\w{3}\\s+\\d{1,2}\\s\\d{1,2}:\\d{1,2}:\\d{1,2})", "%b %d %H:%M:%S"], ["(\\w{3}\\s\\d{1,2}\\s\\d{1,4}\\s\\d{1,2}:\\d{1,2}:\\d{1,2})", "%b %d %Y %H:%M:%S"], ["\\d{4}-\\d{2}-\\d{2} \\d{2}:\\d{2}:\\d{2}\\.\\d{3}", "%Y-%m-%d %H:%M:%S.%f"], ["\\,\\d{2}\\/\\d{2}\\/\\d{2,4}\\s+\\d{2}:\\d{2}:\\d{2}\\s+[AaPp][Mm]\\,", ",%m/%d/%Y %I:%M:%S %p,"], ["^\\w{3}\\s+\\d{2}\\s+\\d{2}:\\d{2}:\\d{2}", "%b %d %H:%M:%S"], ["\\d{2}/\\d{2}/\\d{4} \\d{2}:\\d{2}:\\d{2}", "%m/%d/%Y %H:%M:%S"], ["^\\d{2}\\/\\d{2}\\/\\d{2,4}\\s+\\d{2}:\\d{2}:\\d{2}\\s+[AaPp][Mm]", "%m/%d/%Y %I:%M:%S %p"], ["\\d{2}\\/\\d{2}\\/\\d{4}\\s\\d{2}:\\d{2}:\\d{2}", "%m-%d-%Y %H:%M:%S"], ["\\\"timestamp\\\":\\s\\\"(\\d+)", "%s"], ["\\d{2}\\/\\w+\\/\\d{4}\\s\\d{2}:\\d{2}:\\d{2}:\\d{3}", "%d-%b-%Y %H:%M:%S:%f"], ["\\\"created\\\":\\s(\\d+)", "%s"], ["\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}", "%Y-%m-%dT%H:%M:%S"], ["\\d{1,2}/\\w{3}/\\d{4}:\\d{2}:\\d{2}:\\d{2}:\\d{1,3}", "%d/%b/%Y:%H:%M:%S:%f"], ["\\d{1,2}/\\w{3}/\\d{4}:\\d{2}:\\d{2}:\\d{2}", "%d/%b/%Y:%H:%M:%S"]]
autotimestamp = false
httpeventWaitResponse = true
disableLoggingQueue = true

This is the default eventgen.conf of the eventgen app.

The symantec eventgen.conf is also the one shipped with the add on.

Thanks


Re: Eventgen - ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/SA-Eventgen/bin/modinput_eventgen.py"

Splunk Employee

I mean the eventgen.conf in your symantec app.


Re: Eventgen - ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/SA-Eventgen/bin/modinput_eventgen.py"

Communicator

It is a really long file; it is the default one from Splunk_TA_symantec-ep.


Re: Eventgen - ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/SA-Eventgen/bin/modinput_eventgen.py"

Splunk Employee

Actually, the error message above is a DEBUG message. I could not see any ERROR in the log. I have checked the eventgen.conf in Splunk_TA_symantec-ep, and every config seems fine for generating the data. Could you change the time range in the Splunk search and check the events?


Re: Eventgen - ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/SA-Eventgen/bin/modinput_eventgen.py"

Splunk Employee

It seems that by default all the stanzas in the eventgen.conf of the app Splunk_TA_symantec-ep are disabled. You should enable them manually: change disabled = 1 to disabled = 0.

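The "disabled = 1" check above is easy to get wrong by hand on a long eventgen.conf, because a stanza with no disabled key inherits the value from [global]. The script below is an added example, not part of this thread or of the Eventgen app: it parses a constructed eventgen.conf fragment (modelled on the layout of the default file quoted earlier, not the real Splunk_TA_symantec-ep file), reports every sample stanza whose effective state is disabled, and emits the text of a local/eventgen.conf override that re-enables them. Writing the override into the app's local directory rather than editing default is an assumption taken from the header comment in the quoted config; the stanza names and sourcetypes are constructed.

```python
import configparser

# Constructed eventgen.conf fragment for the example (not the real TA file).
SAMPLE_CONF = """\
[global]
disabled = false
mode = sample
interval = 60

[symantec_ep_scm_agent_act.samples]
disabled = 1
index = main
sourcetype = symantec:ep:agent:file

[symantec_ep_security.samples]
disabled = 1
index = main
sourcetype = symantec:ep:security:file

[nessus_singlehost.samples]
disabled = 0
index = main

[inherits_global.samples]
index = main
"""

# Splunk .conf files accept several spellings of "true" for boolean keys.
TRUTHY = {"1", "true", "t", "yes", "y"}
META_STANZAS = {"global", "default"}


def load_conf(text):
    """Parse Splunk-style .conf text. Interpolation is off because regexes in
    eventgen.conf contain '%' and '$'; only '=' is a delimiter because values
    such as sourcetypes contain ':'."""
    cfg = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cfg.read_string(text)
    return cfg


def is_disabled(cfg, stanza):
    """Effective 'disabled' flag for a sample stanza: the stanza's own value,
    otherwise the [global] value, otherwise false."""
    global_value = cfg.get("global", "disabled", fallback="false")
    value = cfg.get(stanza, "disabled", fallback=global_value)
    return value.strip().lower() in TRUTHY


def disabled_stanzas(text):
    """Names of all sample stanzas that Eventgen will skip, sorted."""
    cfg = load_conf(text)
    return sorted(s for s in cfg.sections() if s not in META_STANZAS and is_disabled(cfg, s))


def local_override(text):
    """Text for a local/eventgen.conf that re-enables each disabled stanza.
    Splunk's layering merges local over default, so nothing in default is edited."""
    lines = []
    for stanza in disabled_stanzas(text):
        lines.append(f"[{stanza}]")
        lines.append("disabled = 0")
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    print("Disabled stanzas:", disabled_stanzas(SAMPLE_CONF))
    print("--- suggested local/eventgen.conf ---")
    print(local_override(SAMPLE_CONF))
```

Run it against a real file by replacing SAMPLE_CONF with the contents of the app's default/eventgen.conf; the override it prints belongs in that app's local/eventgen.conf, after which a restart of splunkd (or of the modular input) picks up the merged configuration.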

Re: Eventgen - ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/SA-Eventgen/bin/modinput_eventgen.py"

Communicator

If you look closely, there is "ERROR ExecProcessor".
There is disabled=1 for specific stanzas.
I did the same process on another machine without any further configuration and it worked fine.
In addition, the problem is not just with Symantec but with every other app that has an eventgen.conf.

I just need to fix this in the other machine (it is not an option to replace it).

Thanks


Re: Eventgen - ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/SA-Eventgen/bin/modinput_eventgen.py"

Splunk Employee

The ERROR ExecProcessor is misleading; that is something we need to fix for Eventgen. But it is not actually an error log.

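The point made in the two Splunk Employee replies above is that splunkd relays whatever a modular input writes to stderr as an "ERROR ExecProcessor - message from ..." line, so the severity that matters is the one inside the relayed text, not the ERROR prefix. The parser below is an added example, not code from this thread or from Eventgen: it splits each ExecProcessor line into the splunkd level, the script path and the relayed payload, reads the script's own level from the payload, and counts only WARNING-or-worse payloads (plus anything it cannot classify, such as a traceback) as real problems. The log lines are constructed for the example, modelled on the two quoted in the question; the third and fourth lines, with an ERROR payload and a traceback, are made up to show the failure cases.

```python
import re
from collections import Counter

# Constructed splunkd.log excerpt (modelled on the thread's lines; the ERROR
# payload and the traceback line are invented to exercise the classifier).
SAMPLE_LOG = """\
09-15-2019 16:07:20.970 +0300 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/SA-Eventgen/bin/modinput_eventgen.py" 2019-09-15 16:07:20 eventgen        DEBUG    MainProcess {'event': "Flushing queue for sample 'nessus_singlehost.samples' with size 60"}
09-15-2019 16:27:24.664 +0300 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/SA-Eventgen/bin/modinput_eventgen.py" 2019-09-15 16:27:24 eventgen        DEBUG    MainProcess {'event': "Flushing queue for sample 'symantec_ep_scm_agent_act.samples' with size 2"}
09-15-2019 16:28:00.001 +0300 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/SA-Eventgen/bin/modinput_eventgen.py" 2019-09-15 16:28:00 eventgen        ERROR    MainProcess {'event': "Sample file not found: missing.samples"}
09-15-2019 16:28:05.100 +0300 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/SA-Eventgen/bin/modinput_eventgen.py" Traceback (most recent call last):
09-15-2019 16:29:00.000 +0300 INFO  TailReader - Batch input finished reading file
"""

# splunkd timestamp is three tokens: date, time, UTC offset.
SPLUNKD_RE = re.compile(
    r'^(?P<ts>\S+ \S+ \S+)\s+(?P<level>[A-Z]+)\s+ExecProcessor - message from '
    r'"(?P<script>[^"]+)"\s*(?P<payload>.*)$'
)

# Eventgen's own logger prefixes each message with "<date> <time> eventgen <LEVEL>".
SCRIPT_RE = re.compile(
    r'^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} eventgen\s+'
    r'(?P<level>DEBUG|INFO|WARNING|ERROR|CRITICAL)\b'
)

NOISE_LEVELS = ("DEBUG", "INFO")


def parse_execprocessor(line):
    """Split one ExecProcessor relay line into its parts; None for other lines."""
    m = SPLUNKD_RE.match(line.rstrip("\n"))
    if not m:
        return None
    payload = m.group("payload")
    s = SCRIPT_RE.match(payload)
    return {
        "script": m.group("script"),
        "splunkd_level": m.group("level"),
        # UNKNOWN covers unstructured stderr such as a Python traceback.
        "script_level": s.group("level") if s else "UNKNOWN",
        "payload": payload,
    }


def triage(log_text):
    """Count relayed messages by the script's own severity, not splunkd's."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_execprocessor(line)
        if rec:
            counts[rec["script_level"]] += 1
    return counts


def real_problems(log_text):
    """Payloads worth a human look: WARNING or above, or unclassifiable stderr."""
    return [
        rec["payload"]
        for rec in map(parse_execprocessor, log_text.splitlines())
        if rec and rec["script_level"] not in NOISE_LEVELS
    ]


if __name__ == "__main__":
    print("By script level:", dict(triage(SAMPLE_LOG)))
    for payload in real_problems(SAMPLE_LOG):
        print("ATTENTION:", payload)
```

With the two lines from the question both payloads classify as DEBUG, so nothing is reported; the same parser run over a full splunkd.log surfaces the relayed ERROR lines and tracebacks that a grep for "ERROR ExecProcessor" buries under debug chatter.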

Re: Eventgen - ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/SA-Eventgen/bin/modinput_eventgen.py"

Communicator

So do you know what may be the reason that eventgen can't generate events from the other apps' files?

On the other machine that works fine I don't get those logs.
