Solved: Re: Splunk for Microsoft Exchange Application

michaeloleary · ‎08-15-2012

Hey Folks,

I'm trying to get the reputation check script running on a mail server at the moment and I'm running into some difficulty. Unfortunately the Dashboard is displaying N/A for the reputation check, I have tried troubleshooting the issue by running the command locally.

*C:\Program Files\SplunkUniversalForwarder\bin>splunk cmd "C:\Program Files\Splun
kUniversalForwarder\etc\apps\fwd_reputation\bin\check_my_reputation.py"
CreateProcess: error 193
couldn't run "C:\Program Files\SplunkUniversalForwarder\etc\apps\fwd_reputation\
bin\check_my_reputation.py": The parameter is incorrect.*

The only configuration change for this script that I can see is that I need to set the IP address of my mail server in reputation.conf file as per the document located at the following:

http://docs.splunk.com/Documentation/MSExchange/latest/DeployMSX/Makeconfigurationchangestomatchyour...

I'm trying to figure out what parameter the script is referring that is causing the script to fail, would anyone know what could be causing this?

Any help you guys can provide would be greatly appreciated.

Regards
Mike

ahall_splunk · ‎08-15-2012

This is, unfortunately, a known bug that will be fixed in the next version. Go into the $SPLUNK_HOME/etc/apps/TA-SMTP-Reputation/default directory and edit the inputs.conf file - change all referenced for fwd_reputation to TA-SMTP-Reputation (global search and replace). Save the file, then restart your splunk instance.

View solution in original post

ahall_splunk · ‎08-15-2012

Also, note that - per the documentation - you need to run TA-SMTP-Reputation on a Heavy Forwarder - the Universal Forwarder cannot run Python based scripted inputs such as this one. (sorry - just noticed that from your command line).

View solution in original post

ahall_splunk · ‎08-15-2012

Also, note that - per the documentation - you need to run TA-SMTP-Reputation on a Heavy Forwarder - the Universal Forwarder cannot run Python based scripted inputs such as this one. (sorry - just noticed that from your command line).

malmoore · ‎08-22-2012

Docs updated.

ahall_splunk · ‎08-16-2012

Noted - I'll get the docs clarified.

michaeloleary · ‎08-15-2012

Thanks for the help Adrian, I was able to make the appropriate changes to rectify the issue based on the info you gave 🙂

On another note I can't find the information about the heavy forwarder, I can only assume I'm using an old version of the documentation.

ahall_splunk · ‎08-15-2012

This is, unfortunately, a known bug that will be fixed in the next version. Go into the $SPLUNK_HOME/etc/apps/TA-SMTP-Reputation/default directory and edit the inputs.conf file - change all referenced for fwd_reputation to TA-SMTP-Reputation (global search and replace). Save the file, then restart your splunk instance.

ahall_splunk · ‎08-15-2012

Yes it does. The genesis is that the TA used to be called fwd_reputation, but we renamed it to follow the standard TA naming scheme, and forgot to update the references. It's already been fixed in the SCM, but I'm doing a bunch of other fixes before I do the next release.

michaeloleary · ‎08-15-2012

I'm just looking at the python script I see the following line of code too.

app_path = os.path.join(os.environ["SPLUNK_HOME"], 'etc', 'apps', 'fwd_reputation')

I'm no python programmer but I'm assuming that needs to change as well.

Splunk for Microsoft Exchange Application

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?