Qualys App for Splunk Enterprise: Why am I getting error "Could not get qualys_splunk_app credentials from splunk"?

Communicator

I try to enter credentials, but no data arrives.

I searched index=_internal and found this:

04-04-2016 13:42:48.550 +0200 ERROR ExecProcessor - message from "/opt/splunk/etc/apps/qualys_splunk_app/bin/qualys_kb_logger.sh" Exception: Could not get qualys_splunk_app credentials from splunk. Error: 'str' object has no attribute 'os_startIndex'
04-04-2016 13:42:48.550 +0200 ERROR ExecProcessor - message from "/opt/splunk/etc/apps/qualys_splunk_app/bin/qualys_kb_logger.sh"     % (myapp, str(e)))
04-04-2016 13:42:48.541 +0200 ERROR ExecProcessor - message from "/opt/splunk/etc/apps/qualys_splunk_app/bin/qualys_kb_logger.sh"   File "/opt/splunk/etc/apps/qualys_splunk_app/bin/../qualys_splunk_kb_populator.py", line 71, in getCredentials
04-04-2016 13:42:48.541 +0200 ERROR ExecProcessor - message from "/opt/splunk/etc/apps/qualys_splunk_app/bin/qualys_kb_logger.sh"     api_user, api_password = getCredentials(sessionKey)
04-04-2016 13:42:48.541 +0200 ERROR ExecProcessor - message from "/opt/splunk/etc/apps/qualys_splunk_app/bin/qualys_kb_logger.sh"   File "/opt/splunk/etc/apps/qualys_splunk_app/bin/../qualys_splunk_kb_populator.py", line 110, in <module>
04-04-2016 13:42:48.541 +0200 ERROR ExecProcessor - message from "/opt/splunk/etc/apps/qualys_splunk_app/bin/qualys_kb_logger.sh" Traceback (most recent call last):
04-04-2016 13:42:48.541 +0200 ERROR ExecProcessor - message from "/opt/splunk/etc/apps/qualys_splunk_app/bin/qualys_kb_logger.sh" No handlers could be found for logger "splunk.rest.format"

I see the stored password in https://mysplunkhost:8089/servicesNS/nobody/qualys_splunk_app/storage/passwords - it is correct and works with a browser.

I tested it on the Splunk 6.3 branch.

The app is not working.

0 Karma

New Member

I came across this problem too. After checking multiple places, one observation: if Splunk is installed using root, the app will work; otherwise it will have problems. I tried the same setup in a test environment, and the app was working without any issues where Splunk was installed using the root account.

0 Karma

Path Finder

It is recommended to store passwords in your Splunk app encrypted. Saving a plain-text password in properties.conf is a very bad idea and may be exploited by the bad guy.

Splunk provides a REST endpoint for securely storing credentials. More information is here: http://blogs.splunk.com/2011/03/15/storing-encrypted-credentials/

Follow the steps and secure your app in the Splunk way. It can also get the decrypted password from Splunk using getEntities and appropriate calls.

Once you save the credentials from the setup page of your app, you will find an encrypted password in the passwords.conf property file.

If the above answer solves your problem or helps you make decisions better, feel free to award points on the button below.

0 Karma

Path Finder

Hey,
which system do you run this Splunk on?
Could it be possible that the ".sh" file has no permission?
I think this app works.

0 Karma

Communicator

It is Ubuntu 14.04 (64bit).

App was reinstalled, and all .sh files have execute permission.

In this API endpoint, I see another stored password - it is from another app, with global permission. Maybe it is the reason for the conflict?

0 Karma
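
The situation raised in the last post, as an added example that is not part of the thread or of the Qualys app's code: when storage/passwords also lists a globally shared credential from another app, a script can select its own entry by owning app and fail with a clear error instead of using the wrong one. The response below is constructed, the function name is hypothetical, and the field names (`acl.app`, `content.username`, `content.clear_password`) assume the endpoint was queried with `output_mode=json`.

```python
import json

# Constructed sample of a storage/passwords listing (output_mode=json).
# User names, secrets and the second app name are made up for illustration.
SAMPLE_RESPONSE = json.dumps({
    "entry": [
        {"name": ":svc_other:",
         "acl": {"app": "some_other_app", "sharing": "global"},
         "content": {"realm": "", "username": "svc_other",
                     "clear_password": "other-secret"}},
        {"name": ":qualys_api:",
         "acl": {"app": "qualys_splunk_app", "sharing": "app"},
         "content": {"realm": "", "username": "qualys_api",
                     "clear_password": "qualys-secret"}},
    ]
})


class CredentialError(Exception):
    """Raised when the app's credential cannot be selected unambiguously."""


def select_app_credential(response_text, app):
    """Return (username, clear_password) for the single entry owned by `app`."""
    try:
        entries = json.loads(response_text).get("entry", [])
    except (ValueError, AttributeError) as exc:
        raise CredentialError("unexpected storage/passwords response: %s" % exc)
    # Filter on the owning app so a globally shared entry from another app
    # is never picked up just because it is visible in this namespace.
    owned = [e for e in entries if e.get("acl", {}).get("app") == app]
    if not owned:
        raise CredentialError("no stored credential owned by app %r" % app)
    if len(owned) > 1:
        raise CredentialError("%d credentials owned by %r; expected one"
                              % (len(owned), app))
    content = owned[0].get("content", {})
    user, password = content.get("username"), content.get("clear_password")
    if not user or not password:
        raise CredentialError("entry for %r lacks username or clear_password" % app)
    return user, password


if __name__ == "__main__":
    user, _ = select_app_credential(SAMPLE_RESPONSE, "qualys_splunk_app")
    print("selected credential for user:", user)  # never log the password
```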