Optiv Threat Intel: How to troubleshoot why there is no data populating in the app in a search head cluster?

New Member

I installed the Optiv Threat Intel app on a search head cluster, but data is not populating. Additionally, I added the optiv index to the peer indexers as well. However, I'm still not getting threat data. Index has only 1 event from running the troubleshoot link in the app and it has been several hours. Anyone else have issues with this app on a cluster? Did I miss something?

0 Karma
1 Solution

Communicator

jroark, would it be possible to post the latest script log file?
It would look something like this:

/opt/splunk/var/log/splunk/optivthreatlists_script11-09-2015-10-14-37.log

What does the 1 event showing up on the Troubleshooting page say?

What platform is this? Linux/Windows?

Path Finder

Did you have to create an index for the Optiv Threat Intel list?

0 Karma

Communicator

John,
I am showing a different inputs.conf in my 2.80 directory. This is what I have:

[monitor://$SPLUNK_HOME\var\log\splunk\optiv_*.log]
ignoreOlderThan=3d
crcSalt=<SOURCE>
index=optiv
sourcetype=optiv_threat_list
disabled=0

[script://./bin/starter_script.sh]
#[script://$SPLUNK_HOME/etc/apps/optiv_threat_intel/bin/starter_script.sh]
#8 hours
interval=28800
#interval=300
index=optiv
disabled=0

In your stanza listed above we're missing a key/value pair for crcSalt. Should we try blowing away the app and a clean reinstall with the latest version?

Also, what does the Troubleshooting section of the app show?

0 Karma

Communicator

index=optiv is created by the file default/indexes.conf.
The index name can be adjusted there. If you do so, make sure to change the optiv_index definition in macros.conf as well.

0 Karma

Path Finder

Index Optiv is there and my setup is the default /opt/splunk. I see the log files in /opt/splunk/var/log/splunk/optiv_*.log, however the input is not pulling the files into Splunk index optiv. I am running on a redhat server.
Here is my input.conf

[monitor:///opt/splunk/var/log/splunk/optiv_*.log]
ignoreOlderThan=3d
crcSalt=
index=optiv
sourcetype=optiv_threat_list
disabled=0

Any help would be appreciated. Thanks

0 Karma

New Member

After posting I looked at the troubleshooting log again and realized my install of splunk isn't on the standard /opt/splunk. Adding a symlink fixed the issue and threats started to populate. Error was on my end.

0 Karma

New Member

Can you please provide the command or commands you used to resolve this issue. My Splunk installation is also not in the standard /opt/splunk. Thank you.

0 Karma

Communicator

I can't answer how to set up a symlink, but I did a find-in-files in my app, and if you find and replace these lines with the path of your Splunk installation you should be set:

grep -rnw '.' -e "/opt/splunk"
./bin/getalerts.py:38: splunkhome = '/opt/splunk'
./bin/starter_script.sh:5:THREATSCRIPTPATH="/opt/splunk/etc/apps/optiv_threat_intel/bin/optivthreatlists.py"
./bin/starter_script.sh:6:RSSSCRIPTPATH="/opt/splunk/etc/apps/optiv_threat_intel/bin/getalerts.py"
./bin/starter_script.sh:7:#LOGFOLDER="/opt/splunk/etc/apps/optiv_threat_intel/bin/"
./bin/starter_script.sh:8:LOGFOLDER="/opt/splunk/var/log/splunk/"
./bin/starter_script.sh:9:PYTHON="/opt/splunk/bin/splunk cmd python"
./bin/optivthreatlists.py:64: splunk_home = '/opt/splunk'

wherever it says /opt/splunk, sub in your path.

0 Karma
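The find-and-replace described in the last answer, scripted as an added example (not code from the thread or from the Optiv app): it rewrites every literal /opt/splunk under the app's bin directory to the real SPLUNK_HOME, keeps a .bak of each touched file, and reports how many hardcoded references remain. The sample app files it builds are constructed from the grep output above; the function names are assumptions.

```shell
# fix_splunk_paths APPDIR NEW_HOME
#   Replaces every literal "/opt/splunk" in files directly under APPDIR/bin
#   with NEW_HOME, keeping a .bak copy of each changed file. Prints the
#   number of files changed.
fix_splunk_paths() {
  appdir="$1"; newhome="$2"
  count=0
  for f in "$appdir"/bin/*; do
    [ -f "$f" ] || continue
    if grep -q -e '/opt/splunk' "$f"; then
      cp "$f" "$f.bak"
      # '#' as the sed delimiter so the slashes in the paths need no escaping;
      # -i.tmp works with both GNU and BSD sed, the temp copy is dropped after.
      sed -i.tmp "s#/opt/splunk#$newhome#g" "$f" && rm -f "$f.tmp"
      count=$((count + 1))
    fi
  done
  echo "$count"
}

# remaining_hardcoded APPDIR
#   Prints how many lines in the app's .sh/.py files still mention /opt/splunk;
#   0 means every path the thread's grep found has been rewritten.
remaining_hardcoded() {
  grep -e '/opt/splunk' "$1"/bin/*.sh "$1"/bin/*.py 2>/dev/null | wc -l | tr -d ' '
}

# make_sample_app DIR
#   Constructed sample mirroring the lines listed in the thread's grep output
#   (not the real app files), so the functions above can be exercised offline.
make_sample_app() {
  dir="$1"
  mkdir -p "$dir/bin"
  cat > "$dir/bin/starter_script.sh" <<'EOF'
THREATSCRIPTPATH="/opt/splunk/etc/apps/optiv_threat_intel/bin/optivthreatlists.py"
RSSSCRIPTPATH="/opt/splunk/etc/apps/optiv_threat_intel/bin/getalerts.py"
LOGFOLDER="/opt/splunk/var/log/splunk/"
PYTHON="/opt/splunk/bin/splunk cmd python"
EOF
  printf "splunk_home = '/opt/splunk'\n" > "$dir/bin/optivthreatlists.py"
}
```

Run it against the app directory with the real install root, e.g. fix_splunk_paths /data/splunk/etc/apps/optiv_threat_intel /data/splunk, then confirm remaining_hardcoded prints 0 before restarting Splunk.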