
Splunk for Cisco IPS: When running a search, why am I getting error "Could not get IPS x.x.x.x credentials from splunk"?

Communicator

Hello,

We have configured Splunk_TA_cisco-ips. We set up everything as per the guide, but we keep getting this error if we search:

index="_internal" sourcetype="sdee_connection"

Tue Dec 16 17:51:55 2014 - Could not get IPS x.x.x.x credentials from splunk: SplunkdConnectionException: Splunkd daemon is not responding: ('Error connecting to /servicesNS/nobody/Splunk_TA_cisco-ips/storage/passwords: [Errno 111] Connection refused',)

The credentials that we use are working, as we tried to access the system. Can it be something else?

Thanks

Communicator

Hello,

We installed the new version of the Cisco IPS add-on 6.1.2 and it seems that the connection is OK, so the script has successfully logged on.
sdee_get.log:

Mon Jan 19 07:18:39 2015 - INFO - Checking for exsisting SubscriptionID on host: x.x.xx
Mon Jan 19 07:18:40 2015 - INFO - SubscriptionID: sub-4-711f2b1c found for host: x.x.x.x
Mon Jan 19 07:18:40 2015 - INFO - Attempting to connect to sensor: x.x.x.x
Mon Jan 19 07:18:40 2015 - INFO - Successfully connected to: x.x.x.x

The var/log and var/run folders and the files inside them are created automatically (this didn't happen in the previous version). But the ips_sdee.log.x.x.x.x file inside /opt/splunk/etc/apps/Splunk_TA_cisco-ips/var/log still remains empty.

Any idea?


Explorer

I seem to have the same issue. Working with a support engineer, he had me test from the command line using:
./splunk cmd python /opt/splunk/etc/apps/Splunk_TA_cisco-ips/bin/get_ips_feed.py ips_host 15
That returns "invalid command-line arguments".

If I place the username and password on the command line prior to ips_host, it executes but fails, reading:

Wed Dec 17 15:45:32 2014 - INFO - Checking for exsisting SubscriptionID on host: ips_host
Wed Dec 17 15:45:32 2014 - INFO - No exsisting SubscriptionID for host: ips_host
Wed Dec 17 15:45:32 2014 - INFO - Attempting to connect to sensor: ips_host

Wed Dec 17 15:45:32 2014 - INFO - Successfully connected to: ips_host

Wed Dec 17 15:45:32 2014 - ERROR - Connecting to sensor - ips_host: URLError:

If I use curl from the command line (--insecure to accept my self-signed cert):
curl --insecure --user ADMINUSER:PASSWORD https://ips_host/cgi-bin/sdee-server

I get the expected XML data.

Explorer

Thanks, I confirm that by grabbing my session key and feeding it in I do get:
Thu Dec 18 16:15:29 2014 - INFO - Checking for exsisting SubscriptionID on host: ips_host
Thu Dec 18 16:15:29 2014 - INFO - No exsisting SubscriptionID for host: ips_host
Thu Dec 18 16:15:29 2014 - INFO - Attempting to connect to sensor: ips_host
Thu Dec 18 16:15:29 2014 - INFO - Successfully connected to: ips_host
Thu Dec 18 16:15:29 2014 - ERROR - Connecting to sensor - ips_host: URLError:

Then if I Ctrl+C to cancel that command I get:

File "/opt/splunk/etc/apps/Splunk_TA_cisco-ips/bin/get_ips_feed.py", line 303, in
run(username,password,sys.argv[1],sys.argv[2],"https","yes")
File "/opt/splunk/etc/apps/Splunk_TA_cisco-ips/bin/get_ips_feed.py", line 94, in run
time.sleep(300)


Splunk Employee

Thank you for additional info, whistj.

The script is expecting a valid session_key for an account that can retrieve the credential (this is why the inputs.conf contains the "passAuth = splunk-system-user" setting). It is expecting to find this on stdin.

You can get a session key several ways. One way is from the search app in the UI.

| rest /services/authentication/httpauth-tokens | search (userName="ADMIN_USER") searchId="" | stats first(authString) as session_key

That session_key may be passed on stdin from the CLI to approximate the scripted input's behavior:

echo <actual session_key> | /opt/splunk/etc/apps/Splunk_TA_cisco-ips/bin/get_ips_feed.py <ips_host> 15
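As an added example, not code from the add-on or from anyone in this thread: a small script that mirrors the step the error message refers to. It takes the session key on stdin the way passAuth delivers it, reads the add-on's storage/passwords endpoint, and picks the credential whose realm is the IPS host; the management URL https://127.0.0.1:8089, the sample feed and the host/user values in it are assumptions.

```python
import sys
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

ATOM = "{http://www.w3.org/2005/Atom}"
SREST = "{http://dev.splunk.com/ns/rest}"
# Endpoint from the error message, reached on splunkd's management port (assumed below).
PASSWORDS_URL = "/servicesNS/nobody/Splunk_TA_cisco-ips/storage/passwords"

def read_session_key(stream):
    # With passAuth = splunk-system-user, splunkd hands the key to the script on stdin.
    return next(iter(stream), "").strip()

def diagnose(reason):
    # Map the urllib failure text to the check that actually applies.
    if "Connection refused" in reason:
        return ("splunkd refused the REST connection; the IPS password was never "
                "consulted, so verify the management host/port the script uses")
    return "storage/passwords request failed: " + reason

def fetch_passwords_xml(session_key, mgmt="https://127.0.0.1:8089",
                        opener=urllib.request.urlopen):
    # GET the add-on's stored credentials, authenticating with the session key.
    req = urllib.request.Request(mgmt + PASSWORDS_URL,
                                 headers={"Authorization": "Splunk " + session_key})
    try:
        return opener(req).read()
    except urllib.error.URLError as err:
        raise RuntimeError(diagnose(str(err.reason)))

def pick_credential(xml_bytes, realm):
    # Return (username, clear_password) for the entry whose realm is the IPS host,
    # i.e. the app.conf stanza [credential:<host>:<user>:]; None if none matches.
    root = ET.fromstring(xml_bytes)
    for entry in root.iter(ATOM + "entry"):
        fields = {k.get("name"): (k.text or "") for k in entry.iter(SREST + "key")}
        if fields.get("realm") == realm:
            return fields.get("username"), fields.get("clear_password")
    return None

# Constructed sample of the Atom feed storage/passwords returns (not from a real host).
SAMPLE_XML = b"""<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest">
<entry><title>10.0.0.5:ipsuser:</title><content type="text/xml"><s:dict>
<s:key name="realm">10.0.0.5</s:key><s:key name="username">ipsuser</s:key>
<s:key name="clear_password">ConstructedSecret1</s:key></s:dict></content></entry></feed>"""

if __name__ == "__main__":  # usage: echo <session_key> | python this_file.py <ips_host>
    key = read_session_key(sys.stdin) or sys.exit("no session key on stdin; is passAuth set?")
    print(pick_credential(fetch_passwords_xml(key), sys.argv[1]))
```

A "Connection refused" from this script points at the splunkd REST call, the same thing the add-on's error describes, and says nothing about whether the stored IPS password is right.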

Splunk Employee

Note: The above should produce the same result you're seeing from Splunk in the logs. I provided that information to eliminate the "invalid command-line arguments" when testing manually but I would expect the same error whether invoked manually or by Splunk.


Communicator

When I try to manually execute the script, putting in the username and password, I get this:

Traceback (most recent call last):
File "/opt/splunk/etc/apps/Splunk_TA_cisco-ips/bin/get_ips_feed.py", line 289, in
run(sys.argv[1],sys.argv[2],sys.argv[3],sys.argv[4],"https","yes")
File "/opt/splunk/etc/apps/Splunk_TA_cisco-ips/bin/get_ips_feed.py", line 76, in run
open(os.path.join(RUN_DIR, host + '.run'), 'w').close()
IOError: [Errno 2] No such file or directory: '/opt/splunk/etc/apps/Splunk_TA_cisco-ips/var/run/x.x.x.x.run'

Indeed, the var/log folder inside /opt/splunk/etc/apps/Splunk_TA_cisco-ips is not created.


Splunk Employee

Thank you, Arber. That path problem has been resolved via ADDON-2386. That fix will be included in the next maintenance release. In the meantime, if you create $SPLUNK_HOME/etc/apps/Splunk_TA_cisco-ips/var/log and $SPLUNK_HOME/etc/apps/Splunk_TA_cisco-ips/var/run manually, do you still receive the credential-related error?


Communicator

I created the folders manually, but the issue is still the same. Also, I get this file x.x.x.x.run, but it is empty.

Thanks


Splunk Employee

Thanks for checking, Arber. That certainly looks correct. Does the $SPLUNK_HOME/etc/apps/Splunk_TA_cisco-ips/local/inputs.conf also look like this (i.e. disabled=false, passAuth=splunk-system-user):

[script://$SPLUNK_HOME/etc/apps/Splunk_TA_cisco-ips/bin/get_ips_feed.py ips_host 15]
disabled = false
interval = 1
passAuth = splunk-system-user
<snip />

Communicator

Yes, it is like this:

[script://$SPLUNK_HOME/etc/apps/Splunk_TA_cisco-ips/bin/get_ips_feed.py xxxxx 15]
disabled = false
interval = 1
passAuth = splunk-system-user
source = SDEE
sourcetype = cisco_ips_syslog


Splunk Employee

Arber, would you provide your Splunk version, Splunk build, and the OS running Splunk?


Communicator

Splunk 6.2, build 237341, Debian 7

Thanks


Splunk Employee

That error is not saying the credentials are wrong, it is saying the script that queries the IPS could not load the credentials with which to try.

Can you verify that you have a credential defined in $SPLUNK_HOME/etc/apps/Splunk_TA_cisco-ips/local/app.conf? We can determine next steps based on that info.


Communicator

Hi,

Yes, we have:

[credential:x.x.x.x:xxxx:]
password = xxxxxx

[install]
is_configured = 1

Thanks
