OPSEC LEA 2.0 Issue with auth keys

Splunk Employee

I am getting the following errors. I am guessing it's because somehow it's not able to retrieve the auth keys in $HOME/.splunk ... the documentation says diddlysquat about this. Anyone figured this out?

DEBUG: LOGGRABBER configuration file is: /opt/splunk/etc/apps/splunk_opseclea/bin/fw1-loggrabber.conf
DEBUG: function logging_init_env
DEBUG: function open_screen
DEBUG: Open connection to screen.
DEBUG: Logfilename : fw.log
DEBUG: Record Separator : |
DEBUG: Resolve Addresses: No
DEBUG: Show Filenames : No
DEBUG: FW1-2000 : No
DEBUG: Online-Mode : No
DEBUG: Audit-Log : No
DEBUG: Show Fieldnames : Yes
DEBUG: function get_fw1_logfiles
splunk internal call command: $SPLUNK_HOME/bin/splunk _internal call /servicesNS/nobody/splunk_opseclea/opsec/opsec_conf/CP
splunk output: QUERYING: 'https://127.0.0.1:8089/servicesNS/nobody/splunk_opseclea/opsec/opsec_conf/CP'
FAILED: 'HTTP/1.1 401 Unauthorized'
Content:
<?xml version="1.0" encoding="UTF-8"?>

call not properly authenticated

splunkd request failed, 401:
$SPLUNK_HOME/bin/splunk _internal call /servicesNS/nobody/splunk_opseclea/opsec/opsec_conf/CP
QUERYING: 'https://127.0.0.1:8089/servicesNS/nobody/splunk_opseclea/opsec/opsec_conf/CP'
FAILED: 'HTTP/1.1 401 Unauthorized'
Content:
<?xml version="1.0" encoding="UTF-8"?>

call not properly authenticated

ERROR: unable to get splunk lea config arguments
DEBUG: function exit_loggrabber
DEBUG: function free_lfield_arrays
DEBUG: function free_afield_arrays
DEBUG: function free_lfield_arrays
DEBUG: function free_afield_arrays
[root@sbidcsplfwd-slog01 bin]#

Re: OPSEC LEA 2.0 Issue with auth keys

Splunk Employee

How are you testing this? The command needs to be able to get data from Splunk's API and expects to be called by Splunk which will pass in credentials. This doc runs through the options for enabling debug logging: http://docs.splunk.com/Documentation/OPSEC-LEA/latest/Install/Enabledebugging

Re: OPSEC LEA 2.0 Issue with auth keys

Splunk Employee

Further to my comment: to run this manually you need to:

SPLUNK_TOK=$auth_key
export SPLUNK_TOK

And to get the auth key:

curl -k -u admin:pass https://localhost:8089/services/auth/login \
 -d username=admin -d password=pass


Re: OPSEC LEA 2.0 Issue with auth keys

Splunk Employee

This is correct, we assume that we are running as a scripted input in the Splunk runtime and that passAuth is providing us a valid Splunk session key.
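Putting the two answers above together (session key on stdin from passAuth when splunkd launches the script, REST login when it is run by hand), as an added example that is not the OPSEC LEA app's own code. It assumes SPLUNK_TOK is the variable the helper reads, that the login endpoint returns a `<sessionKey>` element, and that SPLUNK_USER/SPLUNK_PASS hold the credentials; the function names are mine.

```shell
#!/bin/sh
# Added example: acquire a Splunk session key the way a scripted input
# with passAuth does, falling back to a REST login for manual runs.
# Assumptions: SPLUNK_TOK is what the LEA helper reads; the login
# response carries <sessionKey>...</sessionKey>; credentials come from
# SPLUNK_USER / SPLUNK_PASS rather than being typed on the command line.

# Pull the session key out of a /services/auth/login XML response.
parse_session_key() {
    printf '%s\n' "$1" \
      | sed -n 's/.*<sessionKey>\([^<]*\)<\/sessionKey>.*/\1/p' \
      | head -n 1
}

# Path 1: launched by splunkd with "passAuth = <user>" in inputs.conf.
# The session key arrives as one line on stdin and is fresh on every
# run (a splunkd restart simply hands out a new one), so never cache it.
session_key_from_stdin() {
    IFS= read -r key
    printf '%s\n' "$key"
}

# Path 2: run by hand. curl writes nothing under $HOME/.splunk; only
# "splunk login" stores session state there, which is why an
# unwritable $HOME only bites when going through the splunk CLI.
session_key_from_login() {
    resp=$(curl -sk "https://localhost:8089/services/auth/login" \
             -d "username=$SPLUNK_USER" \
             --data-urlencode "password=$SPLUNK_PASS")
    parse_session_key "$resp"
}

# Prefer the key passed in by splunkd; otherwise log in. Exports
# SPLUNK_TOK so the LEA helper's _internal call is authenticated.
acquire_token() {
    tok=""
    if [ ! -t 0 ]; then
        tok=$(session_key_from_stdin)
    fi
    [ -n "$tok" ] || tok=$(session_key_from_login)
    [ -n "$tok" ] || { echo "ERROR: no Splunk session key" >&2; return 1; }
    SPLUNK_TOK=$tok
    export SPLUNK_TOK
}
```

Call `acquire_token` before invoking the LEA helper; in the scripted-input case stdin is the pipe from splunkd, so the passAuth key wins and no password is ever needed on the box.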

Re: OPSEC LEA 2.0 Issue with auth keys

Splunk Employee

And what if splunkd is restarted?

Re: OPSEC LEA 2.0 Issue with auth keys

Splunk Employee

I get the same error when it runs as a scripted input as well.

Re: OPSEC LEA 2.0 Issue with auth keys

Splunk Employee

If splunkd is restarted, a new session key will be provided by passAuth. The problem is that your $HOME directory is not writable. Without a writable $HOME, splunk cannot store any session information on the command line.

Re: OPSEC LEA 2.0 Issue with auth keys

Splunk Employee

Would this be the same when running inside Splunk? What directory would that be then? I suppose that would be under the user running splunk. So /home/splunk/.splunk would be $HOME....

Actually I am running as root and I am able to get credentials written to $HOME/.splunk when I manually run the curl command.

Re: OPSEC LEA 2.0 Issue with auth keys

Splunk Employee

Actually I get nothing in $HOME when I run it with curl, but only if I do "splunk login".

Is it sufficient to leave passAuth = admin?
