Evaluating the Symantec Endpoint Protection Cloud product, which has a technote for getting events into Splunk Enterprise running on a Windows Server.
Created a scripted input per the Symantec technote;
however, I get the following error in splunkd.log:
ERROR ExecProcessor - Couldn't start command ""C:\Program Files\Splunk\bin\scripts\wrapper.sh"": FormatMessage was unable to decode error (193), (0xc1)
The scripted input uses a wrapper (wrapper.sh) for calling a Python script. The contents of the wrapper.sh file are:
#!/bin/bash
/usr/bin/python /Applications/Splunk/bin/scripts/ExportClient.py
If I try and execute the actual python script (ExportClient.py) from the command line I get the following error:
C:\Program Files\Splunk\bin>splunk cmd python scripts\ExportClient.py
Traceback (most recent call last):
File "scripts\ExportClient.py", line 8, in <module>
import dateutil.parser
ImportError: No module named dateutil.parser
Any help is appreciated.
Finally got back to working on this...
Still new to Splunk, Python and the Symantec Cloud app, but it appeared like the Symantec instructions were written more for a Linux implementation of Splunk....
Anyway, I partially got this to work by:
(1) Upgrading to Splunk 7.03
(2) Downloading/Copying the Dateutil library into the \bin\scripts directory
(3) Changing the Path variable to the SEPConfig.Ini file in the ExportClient.py script.
OLD
r3_url = "https://usea1.r3.securitycloud.symantec.com/r3_epmp_i"
oauth_url = "/oauth2/tokens"
export_api = "/sccs/v1/events/export"
CONFIG_INI = os.path.join('/Applications/Splunk/', 'bin', 'scripts', 'SEPCloudConfig.ini')
NEW
import os

## Full path to my Splunk installation (raw string, so the backslashes are not read as escape sequences)
MySplunk_Home = r'C:\Program Files\Splunk'
r3_url = "https://usea1.r3.securitycloud.symantec.com/r3_epmp_i"
oauth_url = "/oauth2/tokens"
export_api = "/sccs/v1/events/export"
CONFIG_INI = os.path.join(MySplunk_Home, 'bin', 'scripts', 'SEPCloudConfig.ini')
(4) Changing the Scripted Input to reference the actual ExportClient.py script instead of the Wrapper.sh file provided by Symantec.
Hi smaat11,
I've encountered a problem while using the script for the SEPC too.
What version of Python are you running?
I had Splunk 7.2.4 and Python 2.7 with the pip packages below installed.
splunk@SplunkServer7:/opt/splunk/bin/scripts$ pip2 list
asn1crypto (0.24.0)
certifi (2019.3.9)
cffi (1.12.3)
chardet (3.0.4)
cryptography (2.6.1)
enum34 (1.1.6)
idna (2.8)
ipaddress (1.0.22)
ndg-httpsclient (0.4.0)
pip (8.1.1)
pyasn1 (0.1.9)
pycparser (2.19)
pyOpenSSL (19.0.0)
python-dateutil (2.8.0)
requests (2.7.0)
setuptools (20.7.0)
six (1.12.0)
UNKNOWN (0.0.0)
urllib3 (1.23)
wheel (0.29.0)
Excerpt of the error I'm getting in splunkd.log:
05-09-2019 13:27:39.642 +0800 ERROR ExecProcessor - message from "/opt/splunk/bin/scripts/wrapper.sh" self._send_output(message_body)
05-09-2019 13:27:39.642 +0800 ERROR ExecProcessor - message from "/opt/splunk/bin/scripts/wrapper.sh" File "/usr/lib/python2.7/httplib.py", line 897, in _send_output
05-09-2019 13:27:39.642 +0800 ERROR ExecProcessor - message from "/opt/splunk/bin/scripts/wrapper.sh" self.send(msg)
05-09-2019 13:27:39.642 +0800 ERROR ExecProcessor - message from "/opt/splunk/bin/scripts/wrapper.sh" File "/usr/lib/python2.7/httplib.py", line 859, in send
05-09-2019 13:27:39.642 +0800 ERROR ExecProcessor - message from "/opt/splunk/bin/scripts/wrapper.sh" self.connect()
05-09-2019 13:27:39.642 +0800 ERROR ExecProcessor - message from "/opt/splunk/bin/scripts/wrapper.sh" File "/opt/splunk/lib/python2.7/site-packages/requests/packages/urllib3/connection.py", line 129, in connect
05-09-2019 13:27:39.643 +0800 ERROR ExecProcessor - message from "/opt/splunk/bin/scripts/wrapper.sh" self.sock = ssl.wrap_socket(conn, self.key_file, self.cert_file)
05-09-2019 13:27:39.643 +0800 ERROR ExecProcessor - message from "/opt/splunk/bin/scripts/wrapper.sh" AttributeError: 'NoneType' object has no attribute 'wrap_socket'
When running directly via Python, it shows the error below:
splunk@SplunkServer7:/opt/splunk/bin/scripts$ python ExportClient.py
Traceback (most recent call last):
File "ExportClient.py", line 208, in <module>
main()
File "ExportClient.py", line 194, in main
total_events = total_events + len(data)
TypeError: object of type 'NoneType' has no len()
Have you encountered any of these and do you have any suggestion?
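The second traceback above (len() of None at the point where the export loop counts events) means the script's fetch step handed back nothing and the loop trusted it. The block below is an added example, not Symantec's ExportClient.py and not code from anyone in this thread: it shows an export loop that turns a bad HTTP status, an empty body, or a body without an events list into one clear error in splunkd.log instead of a TypeError. The response shape (a JSON object with an "events" list and an optional "next" cursor) is an assumption for illustration; the real SEPC schema is not on this page. FakeSession stands in for a requests.Session so the example runs offline. The first traceback ('NoneType' has no attribute 'wrap_socket') is a different failure: urllib3 sets its ssl reference to None when the interpreter cannot import the ssl module, so that one is about the Python build, not the script.

```python
"""Added example (not Symantec's ExportClient.py): defensive paging over an
event-export endpoint. The "events"/"next" JSON shape is an assumption."""
import json


class ExportError(Exception):
    """Raised when the export endpoint answers in a way we cannot use."""


def parse_export_page(status_code, body_text):
    """Turn one HTTP reply into (events, next_cursor); never returns None.

    Non-2xx statuses and empty or non-JSON bodies raise ExportError with
    enough context to read in splunkd.log. A well-formed page with no
    events yields an empty list so the caller's len() keeps working."""
    if not 200 <= status_code < 300:
        raise ExportError("export endpoint returned HTTP %d: %.200s" % (status_code, body_text))
    if not body_text:
        raise ExportError("export endpoint returned an empty body")
    try:
        payload = json.loads(body_text)
    except ValueError as exc:
        raise ExportError("export body is not JSON: %s" % exc)
    if not isinstance(payload, dict):
        raise ExportError("export body is %s, expected a JSON object" % type(payload).__name__)
    events = payload.get("events")
    if events is None:
        events = []  # a page with nothing to report is valid, not an error
    if not isinstance(events, list):
        raise ExportError("'events' is %s, expected a list" % type(events).__name__)
    return events, payload.get("next")


def export_all(session, url, token, max_pages=100):
    """Page through the export endpoint; returns (total_events, pages_read).

    `session` must offer get(url, headers=..., params=...) returning an
    object with .status_code and .text, as requests.Session does."""
    headers = {"Authorization": "Bearer " + token}
    cursor, total, pages = None, 0, 0
    while pages < max_pages:  # hard cap so a looping cursor cannot run forever
        params = {"next": cursor} if cursor else {}
        resp = session.get(url, headers=headers, params=params)
        events, cursor = parse_export_page(resp.status_code, resp.text)
        total += len(events)
        pages += 1
        for event in events:
            print(json.dumps(event))  # one JSON event per line for Splunk to index
        if not cursor:
            break
    return total, pages


class FakeResponse(object):
    """Constructed stand-in for a requests Response."""
    def __init__(self, status_code, text):
        self.status_code, self.text = status_code, text


class FakeSession(object):
    """Constructed stand-in for requests.Session: serves canned replies in order."""
    def __init__(self, replies):
        self.replies = list(replies)

    def get(self, url, headers=None, params=None):
        return self.replies.pop(0)


# Constructed sample: two pages, the second without a "next" cursor.
SAMPLE_PAGES = [
    FakeResponse(200, json.dumps({"events": [{"id": 1}, {"id": 2}], "next": "abc"})),
    FakeResponse(200, json.dumps({"events": [{"id": 3}]})),
]

if __name__ == "__main__":
    print(export_all(FakeSession(SAMPLE_PAGES), "https://example.invalid/export", "token"))
```

With a real requests.Session in place of FakeSession, the only change is the session object; the parse step is where a silent None becomes a loggable ExportError.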
Hi,
My script is working fine.
It is able to get an auth token and able to connect with the SEPC cloud,
but in the event export no logs are coming... but I am able to see logs in the SEPC console.
Any solution found?
Went and copied the dateutil library to the /Applications/Splunk/bin/scripts/ directory, and tried re-running the ExportClient.py script from the command line. This time I received the following error:
C:\Program Files\Splunk\bin>splunk cmd python scripts\ExportClient.py
Traceback (most recent call last):
File "scripts\ExportClient.py", line 8, in <module>
import dateutil.parser
File "C:\Program Files\Splunk\bin\scripts\dateutil\parser\__init__.py", line 2, in <module>
from ._parser import parse, parser, parserinfo
File "C:\Program Files\Splunk\bin\scripts\dateutil\parser\_parser.py", line 42, in <module>
import six
ImportError: No module named six
My guess is the Symantec documentation is making an assumption about what Python modules are installed, since now it can't seem to find "six". I am running Splunk Enterprise 6.6.1. Is there a difference in the Python that is included with version 7?
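Two things in this thread keep tripping the script: the hardcoded install path (the Symantec copy assumes /Applications/Splunk/, the Windows fix above hardcodes C:\Program Files\Splunk) and third-party modules (dateutil, then six) that the interpreter launching the script does not have. The block below is an added example, not Symantec's ExportClient.py and not code posted by anyone here: it resolves the config path from the environment and pre-checks the imports before any network call, so a missing module produces one readable line rather than a traceback halfway through. It assumes splunkd exports SPLUNK_HOME to scripted inputs; the per-OS fallbacks are the paths that appear in this thread and only apply when the variable is unset.

```python
r"""Added example (not Symantec's ExportClient.py): portable location of the
Splunk home directory and SEPCloudConfig.ini, plus an import preflight for
the modules the export script needs. Assumes splunkd sets SPLUNK_HOME."""
import importlib
import os
import sys

# Fallbacks used only when SPLUNK_HOME is unset (e.g. run by hand). These are
# the three install paths mentioned in the thread; raw string on Windows so
# the backslashes are not read as escape sequences.
FALLBACK_HOMES = {
    "win32": r"C:\Program Files\Splunk",
    "linux": "/opt/splunk",
    "darwin": "/Applications/Splunk",
}


def splunk_home(environ=None, platform=None):
    """Return Splunk's install dir: SPLUNK_HOME if set, else a per-OS default."""
    environ = os.environ if environ is None else environ
    platform = sys.platform if platform is None else platform  # "linux2" on py2
    home = environ.get("SPLUNK_HOME")
    if home:
        return home
    for prefix, default in FALLBACK_HOMES.items():
        if platform.startswith(prefix):
            return default
    raise RuntimeError("SPLUNK_HOME is not set and no default is known for %s" % platform)


def config_ini_path(environ=None, platform=None):
    """Join with os.path so the separator matches whichever OS runs the script."""
    return os.path.join(splunk_home(environ, platform), "bin", "scripts", "SEPCloudConfig.ini")


def missing_modules(names=("dateutil.parser", "six", "requests")):
    """Return the subset of `names` this interpreter cannot import.

    Splunk's bundled Python does not ship these; checking up front turns a
    mid-run ImportError (as seen in the thread) into one clear message."""
    missing = []
    for name in names:
        try:
            importlib.import_module(name)
        except ImportError:
            missing.append(name)
    return missing


if __name__ == "__main__":
    ini = config_ini_path()
    print("config: %s (exists: %s)" % (ini, os.path.exists(ini)))
    gaps = missing_modules()
    if gaps:
        sys.stderr.write("missing modules for %s: %s\n" % (sys.executable, ", ".join(gaps)))
        sys.exit(1)
```

Run it with the same interpreter the scripted input will use ("splunk cmd python preflight.py" on Windows, or the system Python named in wrapper.sh) so the preflight checks the environment that actually matters; the printed sys.executable makes it obvious which one answered.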