Getting Data In

Symantec Cloud Scripted Input

smaat11
Explorer

Evaluating Symantec EndPoint Protection Cloud product which has a technote for getting events into Splunk Enterprise running on a Windows Server.

Created a scripted input per the Symantec Technote

Symantec Technote

however I get the following error in SPLUNKD.log


ERROR ExecProcessor - Couldn't start command ""C:\Program Files\Splunk\bin\scripts\wrapper.sh"": FormatMessage was unable to decode error (193), (0xc1)


The scripted input uses a wrapper (wrapper.sh) for calling a python script. Contents of the wrapper.sh file are

#!/bin/bash
/usr/bin/python /Applications/Splunk/bin/scripts/ExportClient.py

If I try and execute the actual python script (ExportClient.py) from the command line I get the following error:


C:\Program Files\Splunk\bin>splunk cmd python scripts\ExportClient.py
Traceback (most recent call last):
File "scripts\ExportClient.py", line 8, in
import dateutil.parser
ImportError: No module named dateutil.parser


Any help is appreciated.

Labels (1)
Tags (1)
1 Solution

smaat11
Explorer

Finally got back to working on this...

Still new to Splunk, Python and the Symantec Cloud app, but it appeared like the Symantec instructions were written more for a Linux implementation of Splunk....

Anyway, I partially got this to work by:

(1) Upgrading to Splunk 7.03
(2) Downloading/Copying the Dateutil library into the \bin\scripts directory
(3) Changing the Path variable to the SEPConfig.Ini file in the ExportClient.py script.

OLD

r3_url = "https://usea1.r3.securitycloud.symantec.com/r3_epmp_i"
oauth_url = "/oauth2/tokens"
export_api = "/sccs/v1/events/export"
CONFIG_INI = os.path.join('/Applications/Splunk/', 'bin', 'scripts', 'SEPCloudConfig.ini')

NEW

## Full path to my Splunk installation
MySplunk_Home = 'C:\Program Files\Splunk'

r3_url = "https://usea1.r3.securitycloud.symantec.com/r3_epmp_i"
oauth_url = "/oauth2/tokens"
export_api = "/sccs/v1/events/export"
CONFIG_INI = os.path.join(MySplunk_Home, 'bin', 'scripts', 'SEPCloudConfig.ini')

(4) Changing the Scripted Input to reference the actual ExportClient.py script instead of the Wrapper.sh file provided by Symantec.

View solution in original post

smaat11
Explorer

Finally got back to working on this...

Still new to Splunk, Python and the Symantec Cloud app, but it appeared like the Symantec instructions were written more for a Linux implementation of Splunk....

Anyway, I partially got this to work by:

(1) Upgrading to Splunk 7.03
(2) Downloading/Copying the Dateutil library into the \bin\scripts directory
(3) Changing the Path variable to the SEPConfig.Ini file in the ExportClient.py script.

OLD

r3_url = "https://usea1.r3.securitycloud.symantec.com/r3_epmp_i"
oauth_url = "/oauth2/tokens"
export_api = "/sccs/v1/events/export"
CONFIG_INI = os.path.join('/Applications/Splunk/', 'bin', 'scripts', 'SEPCloudConfig.ini')

NEW

## Full path to my Splunk installation
MySplunk_Home = 'C:\Program Files\Splunk'

r3_url = "https://usea1.r3.securitycloud.symantec.com/r3_epmp_i"
oauth_url = "/oauth2/tokens"
export_api = "/sccs/v1/events/export"
CONFIG_INI = os.path.join(MySplunk_Home, 'bin', 'scripts', 'SEPCloudConfig.ini')

(4) Changing the Scripted Input to reference the actual ExportClient.py script instead of the Wrapper.sh file provided by Symantec.

salax
New Member

Hi smaat11,

I've encountered problem while using the script for the SEPC too.
What version of Python are you running?
I had Splunk 7.2.4 and Python2.7 with below pip installation.

splunk@SplunkServer7:/opt/splunk/bin/scripts$ pip2 list
asn1crypto (0.24.0)
certifi (2019.3.9)
cffi (1.12.3)
chardet (3.0.4)
cryptography (2.6.1)
enum34 (1.1.6)
idna (2.8)
ipaddress (1.0.22)
ndg-httpsclient (0.4.0)
pip (8.1.1)
pyasn1 (0.1.9)
pycparser (2.19)
pyOpenSSL (19.0.0)
python-dateutil (2.8.0)
requests (2.7.0)
setuptools (20.7.0)
six (1.12.0)
UNKNOWN (0.0.0)
urllib3 (1.23)
wheel (0.29.0)

Excerpt of error I'm getting within Splunkd.log

05-09-2019 13:27:39.642 +0800 ERROR ExecProcessor - message from "/opt/splunk/bin/scripts/wrapper.sh"     self._send_output(message_body)
05-09-2019 13:27:39.642 +0800 ERROR ExecProcessor - message from "/opt/splunk/bin/scripts/wrapper.sh"   File "/usr/lib/python2.7/httplib.py", line 897, in _send_output
05-09-2019 13:27:39.642 +0800 ERROR ExecProcessor - message from "/opt/splunk/bin/scripts/wrapper.sh"     self.send(msg)
05-09-2019 13:27:39.642 +0800 ERROR ExecProcessor - message from "/opt/splunk/bin/scripts/wrapper.sh"   File "/usr/lib/python2.7/httplib.py", line 859, in send
05-09-2019 13:27:39.642 +0800 ERROR ExecProcessor - message from "/opt/splunk/bin/scripts/wrapper.sh"     self.connect()
05-09-2019 13:27:39.642 +0800 ERROR ExecProcessor - message from "/opt/splunk/bin/scripts/wrapper.sh"   File "/opt/splunk/lib/python2.7/site-packages/requests/packages/urllib3/connection.py", line 129, in connect
05-09-2019 13:27:39.643 +0800 ERROR ExecProcessor - message from "/opt/splunk/bin/scripts/wrapper.sh"     self.sock = ssl.wrap_socket(conn, self.key_file, self.cert_file)
05-09-2019 13:27:39.643 +0800 ERROR ExecProcessor - message from "/opt/splunk/bin/scripts/wrapper.sh" AttributeError: 'NoneType' object has no attribute 'wrap_socket'

When running directly via Python, shows below error:

splunk@SplunkServer7:/opt/splunk/bin/scripts$ python ExportClient.py
Traceback (most recent call last):
  File "ExportClient.py", line 208, in <module>
    main()
  File "ExportClient.py", line 194, in main
    total_events = total_events + len(data)
TypeError: object of type 'NoneType' has no len()

Have you encountered any of these and do you have any suggestion?

0 Karma

nagendra1111
New Member

Hi ,

My script is working fine.
It is able to get auth token and able to connect with SEPC cloud.
but in event export no logs are coming...but i am able to see logs in sepc console

0 Karma

GDustin
Path Finder

Any solution found?

0 Karma

smaat11
Explorer

Went and coped the dateutil library to the /Applications/Splunk/bin/scripts/ directory, and tried re-running ExportClient.py script from the command line. THis time received the following error:


C:\Program Files\Splunk\bin>splunk cmd python scripts\ExportClient.py
Traceback (most recent call last):
  File "scripts\ExportClient.py", line 8, in <module>
    import dateutil.parser
  File "C:\Program Files\Splunk\bin\scripts\dateutil\parser\__init__.py", line 2
, in <module>
    from ._parser import parse, parser, parserinfo
  File "C:\Program Files\Splunk\bin\scripts\dateutil\parser\_parser.py", line 42
, in <module>
    import six
ImportError: No module named six

My guess is the Symantec Documentation is making an assumption on what python modules are installed since now it can't seem to find "six". I am running Splunk Enterprise is 6.6.1. is there difference in the python that is included with version 7 ?

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...