Currently using Splunk 6.2.3
I have a python script that is being executed as part of a Custom Alert Action. This script retrieves credentials (for our internal tickets system) that are stored in a Splunk App I set up.
I have been following this blog post for the setup of my script: https://www.splunk.com/blog/2011/03/15/storing-encrypted-credentials.html
NOTE: I chose to have it send me an email with the error message instead of having to go check a log file, so the sendErrorEmail is something I defined.
However, when my script runs, I keep getting the error: "Could not get My_App credentials from splunk. Error: [HTTP 401] Client is not authenticated"
Below is my script code. Any idea what I'm doing wrong or if there is something I'm missing?
    import sys
    import splunk.entity as entity

    def getCredentials(sessionKey):
        myapp = 'My_App'
        #Trims off "sessionKey=" from readline
        #Even if I remove this line, my script doesn't work
        sessionKey = sessionKey[11:]
        try:
            # list all credentials
            entities = entity.getEntities(['admin', 'passwords'], namespace=myapp, owner='nobody', sessionKey=sessionKey)
        except Exception as e:
            html = "sessionKey == " + sessionKey + "<br><br/>Could not get %s credentials from splunk. Error: %s" % (myapp, str(e))
            text = "Could not get %s credentials from splunk. Error: %s" % (myapp, str(e))
            sendErrorEmail(html, text)
            raise Exception("Could not get %s credentials from splunk. Error: %s" % (myapp, str(e)))
        # return first set of credentials
        for i, c in entities.items():
            return c['username'], c['clear_password']
        html = "No credentials have been found"
        text = "No credentials have been found"
        sendErrorEmail(html, text)
        raise Exception("No credentials have been found")

    def main():
        # Splunk passes the session key to the script as the first line of stdin
        sessionKey = sys.stdin.readline().strip()
        if sessionKey == "":
            html = 'No sessionKey'
            text = 'No sessionKey'
            sendErrorEmail(html, text)
        username, password = getCredentials(sessionKey)
        credentials = [username, password]
Here are some patterns depending on what you are doing.
http://www.georgestarcher.com/splunk-stored-encrypted-credentials/
Honestly though you are better off using the Add-On builder to make your alert actions so you get all the supporting code.
Hi @starcher
Thanks for this hint. I followed your directions at http://www.georgestarcher.com/splunk-stored-encrypted-credentials/
I'm getting the following result if I run:
    import sys
    from splunklib.searchcommands import dispatch, GeneratingCommand, Configuration, Option, validators

    @Configuration(streaming=False, local=True, type='reporting')
    class GenerateAuthInfoCommand(GeneratingCommand):
        def generate(self):
            storage_passwords=self.service.storage_passwords
            for credential in storage_passwords:
                usercreds = {'username':credential.content.get('username'),'password':credential.content.get('clear_password')}
                yield usercreds

    dispatch(GenerateAuthInfoCommand, sys.argv, sys.stdin, sys.stdout, __name__)
None of these results look like something I can use as a username and password. I have tried authenticating with one of them, but no luck.
Are you sure that Alert actions is showing under Settings in Splunk Web? As far as I know, Custom Alert actions were introduced in Splunk 6.3, so they will not work in Splunk 6.2.3.
If you are running Splunk 6.3 or higher then you will be able to fetch session_key from the payload. Please refer to the example script: http://docs.splunk.com/Documentation/Splunk/6.6.3/AdvancedDev/ModAlertsBasicExample
The custom alert action is relatively new, but even in older versions of Splunk, "Run a script" has been an option for alerts. That's what I am using to execute my script.
That looks like the session key passed is not valid.
Could you print everything Splunk is passing to stdin?
That was my guess too, but I can't figure out what it's not liking about my session key.
sys.stdin.readline().strip() gives the following:
sessionKey=JcAM%5EMTPFZxlMfZgKthwNjbsqneDpCyUYh4Tf_sM4BviMnfgPXV86NsdIKlpFNQqFQxakLQWC9EbkNPSZTPuioEcTg34EopEcsSn8dhjWIZHTZRcEUCh%5EDSectftoLS4FXcgDHo5bCMjKo
sessionKey = sessionKey[11:] makes it the following:
JcAM%5EMTPFZxlMfZgKthwNjbsqneDpCyUYh4Tf_sM4BviMnfgPXV86NsdIKlpFNQqFQxakLQWC9EbkNPSZTPuioEcTg34EopEcsSn8dhjWIZHTZRcEUCh%5EDSectftoLS4FXcgDHo5bCMjKo
I have tried passing it with the "sessionKey=" in the beginning and without it, and both times I still get the "could not authenticate" error.
Maybe a bit late on this one, but it looks like your session key needs to be URL decoded.
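The URL-decoding step suggested above, as an added example that is not part of the original thread. The helper names (`parse_session_key`, `auth_header`, `redact`) and the sample line are constructed for illustration; the sketch assumes the key arrives as the first stdin line in the `sessionKey=<percent-encoded value>` form shown earlier, and it masks the key before it goes into any error email or log.

```python
try:
    from urllib.parse import unquote   # Python 3
except ImportError:
    from urllib import unquote          # Python 2 (older bundled interpreters)

PREFIX = "sessionKey="

# Constructed sample, shaped like the stdin line quoted in the thread.
SAMPLE_LINE = "sessionKey=Ab1%5ECd2_eF3%5EGh4\n"


def parse_session_key(line):
    """Strip the optional 'sessionKey=' prefix and percent-decode the value."""
    raw = line.strip()
    if raw.startswith(PREFIX):
        raw = raw[len(PREFIX):]
    if not raw:
        raise ValueError("no session key received on stdin")
    # unquote (not unquote_plus): a literal '+' in a key must stay a '+'.
    return unquote(raw)


def auth_header(key):
    """Header form splunkd accepts for an existing session key."""
    return {"Authorization": "Splunk " + key}


def redact(key, keep=4):
    """Mask a key for error emails and logs; a session key is a live credential."""
    if len(key) <= keep:
        return "*" * len(key)
    return key[:keep] + "*" * (len(key) - keep)


if __name__ == "__main__":
    key = parse_session_key(SAMPLE_LINE)
    # '%5E' has become '^'; only the masked form is printed.
    print("decoded key (masked): " + redact(key))
    print("header name: " + list(auth_header(key))[0])
```

Pass the decoded value, not the raw stdin text, as `sessionKey=` or `token=` when calling the Splunk libraries.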
Hi Celeste,
The blog post you are basing your script on is quite old (2011), and in the current Python SDK I'm using there is no splunk.entity module.
Which SDK version are you using?
Here is how I manage to retrieve credentials using Python SDK version 1.6.2:
    import splunklib.client as client

    # sessionKey is the session key Splunk hands to the script
    service = client.Service(token=sessionKey)
    # service.storage_passwords.create('test','damien','SPLUNK ANSWERS')
    print(service.storage_passwords.list(**{"search": "SPLUNK ANSWERS"})[0].content)

For this example the output is as follows:

    {'username': 'damien', 'encr_password': '$1$gfY5DWk=', 'realm': 'SPLUNK ANSWERS', 'clear_password': 'test', 'password': '********'}
Hope that helps!