Retrieve Credentials from Splunk for a Custom Alert Action - Client is not authenticated

Explorer

Currently using Splunk 6.2.3

I have a Python script that is being executed as part of a Custom Alert Action. This script retrieves credentials (for our internal tickets system) that are stored in a Splunk App I set up.

I have been following this blog post for the setup of my script: https://www.splunk.com/blog/2011/03/15/storing-encrypted-credentials.html

NOTE: I chose to have it send me an email with the error message instead of having to go check a log file, so the sendErrorEmail is something I defined.

However, when my script runs, I keep getting the error: "Could not get My_App credentials from splunk. Error: [HTTP 401] Client is not authenticated"

Below is my script code. Any idea what I'm doing wrong or if there is something I'm missing?

import sys
import splunk.entity as entity

def getCredentials(sessionKey):
    myapp = 'My_App'

    #Trims off "sessionKey=" from readline
    #Even if I remove this line, my script doesn't work
    sessionKey = sessionKey[11:]

    try:
        # list all credentials
        entities = entity.getEntities(['admin', 'passwords'], namespace=myapp, owner='nobody', sessionKey=sessionKey) 
    except Exception, e:
        html = "sessionKey == " + sessionKey + "<br/>Could not get %s credentials from splunk. Error: %s" % (myapp, str(e))
        text = "Could not get %s credentials from splunk. Error: %s" % (myapp, str(e))
        sendErrorEmail(html, text);
        raise Exception("Could not get %s credentials from splunk. Error: %s" % (myapp, str(e)))

    # return first set of credentials
    for i, c in entities.items(): 
        return c['username'], c['clear_password']
    html = "No credentials have been found"
    text = "No credentials have been found"
    sendErrorEmail(html, text);
    raise Exception("No credentials have been found")  

def main():
    sessionKey = sys.stdin.readline().strip()
    if sessionKey == "":
        html = 'No sessionKey'
        text = 'No sessionKey'
        sendErrorEmail(html, text)

    username, password = getCredentials(sessionKey)
    credentials = [username, password]
0 Karma

SplunkTrust

Here are some patterns depending on what you are doing.
http://www.georgestarcher.com/splunk-stored-encrypted-credentials/

Honestly though you are better off using the Add-On builder to make your alert actions so you get all the supporting code.

0 Karma

SplunkTrust

Are you sure that Alert actions is showing under Settings in Splunk Web? As far as I know, custom alert actions were introduced in Splunk 6.3, so they will not work in Splunk 6.2.3.

If you are running Splunk 6.3 or higher, you will be able to fetch session_key from the payload. Please refer to the example script: http://docs.splunk.com/Documentation/Splunk/6.6.3/AdvancedDev/ModAlertsBasicExample

0 Karma

Explorer

The custom alert action is relatively new, but even in older versions of Splunk, "Run a script" has been an option for alerts. That's what I am using to execute my script.

0 Karma

That looks like the session key passed is not valid.

Could you print everything Splunk is passing to stdin?

0 Karma

Explorer

That was my guess too, but I can't figure out what it's not liking about my session key.

sys.stdin.readline().strip() gives the following:
sessionKey=JcAM%5EMTPFZxlMfZgKthwNjbsqneDpCyUYh4Tf_sM4BviMnfgPXV86NsdIKlpFNQqFQxakLQWC9EbkNPSZTPuioEcTg34EopEcsSn8dhjWIZHTZRcEUCh%5EDSectftoLS4FXcgDHo5bCMjKo

sessionKey = sessionKey[11:] makes it the following:
JcAM%5EMTPFZxlMfZgKthwNjbsqneDpCyUYh4Tf_sM4BviMnfgPXV86NsdIKlpFNQqFQxakLQWC9EbkNPSZTPuioEcTg34EopEcsSn8dhjWIZHTZRcEUCh%5EDSectftoLS4FXcgDHo5bCMjKo

I have tried passing it with the "sessionKey=" in the beginning and without it, and both times I still get the "could not authenticate" error.

0 Karma

New Member

Maybe a bit late on this one, but it looks like your session key needs to be URL decoded.

0 Karma
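
The decoding suggested in the reply above, written out as an added example (not code from any poster in this thread). It strips the `sessionKey=` prefix shown in the stdin output earlier, percent-decodes the rest (`%5E` becomes `^`), and returns a short fingerprint for diagnostics so the key itself never goes into an error e-mail or log. The names `parse_session_key` and `fingerprint` and the sample line are assumptions made for the illustration.

```python
import hashlib

try:
    from urllib.parse import unquote   # Python 3
except ImportError:
    from urllib import unquote         # Python 2, as bundled with Splunk 6.x

PREFIX = "sessionKey="


def parse_session_key(line):
    """Turn the line Splunk writes to a script alert's stdin into a usable key.

    Accepts the raw line with or without the 'sessionKey=' prefix and
    percent-decodes it. Raises ValueError when nothing usable was passed.
    """
    value = line.strip()
    if value.startswith(PREFIX):
        value = value[len(PREFIX):]
    if not value:
        raise ValueError("no session key on stdin")
    return unquote(value)


def fingerprint(session_key):
    """Short, non-reversible tag to put in logs or error mails instead of the key."""
    return hashlib.sha256(session_key.encode("utf-8")).hexdigest()[:12]


# Constructed sample line in the same shape as the stdin output quoted above;
# it is not a real session key.
SAMPLE_STDIN = "sessionKey=abc%5Edef_123%5Eghi\n"

if __name__ == "__main__":
    key = parse_session_key(SAMPLE_STDIN)
    # Report only the fingerprint; a session key is a bearer credential.
    print("session key fingerprint: " + fingerprint(key))
```
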

Hi Celeste,

The blog post you are basing your script on is quite old (2011), and in the current Python SDK I'm using there is no splunk.entity module.
Which SDK version are you using?

Here is how I manage to retrieve credentials using Python SDK version 1.6.2:

import splunklib.client as client

service = client.Service(token=sessionKey)

# service.storage_passwords.create('test','damien','SPLUNK ANSWERS')

print service.storage_passwords.list(**{"search": "SPLUNK ANSWERS"})[0].content

For this example the output is as follows:

{'username': 'damien', 'encr_password': '$1$gfY5DWk=', 'realm': 'SPLUNK ANSWERS', 'clear_password': 'test', 'password': '********'}

Hope that helps!

0 Karma