Symantec Cloud Scripted Input

Explorer

I am evaluating the Symantec Endpoint Protection Cloud product, which has a technote for getting events into Splunk Enterprise running on a Windows Server.

I created a scripted input per the Symantec Technote; however, I get the following error in splunkd.log:


ERROR ExecProcessor - Couldn't start command ""C:\Program Files\Splunk\bin\scripts\wrapper.sh"": FormatMessage was unable to decode error (193), (0xc1)


The scripted input uses a wrapper (wrapper.sh) to call a Python script. The contents of wrapper.sh are:

#!/bin/bash
/usr/bin/python /Applications/Splunk/bin/scripts/ExportClient.py

If I try to execute the actual Python script (ExportClient.py) from the command line I get the following error:


C:\Program Files\Splunk\bin>splunk cmd python scripts\ExportClient.py
Traceback (most recent call last):
  File "scripts\ExportClient.py", line 8, in <module>
    import dateutil.parser
ImportError: No module named dateutil.parser


Any help is appreciated.

1 Solution

Explorer

Finally got back to working on this...

I am still new to Splunk, Python and the Symantec Cloud app, but it appeared that the Symantec instructions were written more for a Linux implementation of Splunk.

Anyway, I partially got this to work by:

(1) Upgrading to Splunk 7.03
(2) Downloading/Copying the Dateutil library into the \bin\scripts directory
(3) Changing the path variable for the SEPCloudConfig.ini file in the ExportClient.py script.

OLD

r3_url = "https://usea1.r3.securitycloud.symantec.com/r3_epmp_i"
oauth_url = "/oauth2/tokens"
export_api = "/sccs/v1/events/export"
CONFIG_INI = os.path.join('/Applications/Splunk/', 'bin', 'scripts', 'SEPCloudConfig.ini')

NEW

import os

## Full path to my Splunk installation
## (raw string so the backslashes in the Windows path are not read as escape sequences)
MySplunk_Home = r'C:\Program Files\Splunk'

r3_url = "https://usea1.r3.securitycloud.symantec.com/r3_epmp_i"
oauth_url = "/oauth2/tokens"
export_api = "/sccs/v1/events/export"
## os.path.join picks the right separator for the OS Splunk is running on
CONFIG_INI = os.path.join(MySplunk_Home, 'bin', 'scripts', 'SEPCloudConfig.ini')

(4) Changing the Scripted Input to reference the actual ExportClient.py script instead of the Wrapper.sh file provided by Symantec.

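The four steps above fix the same root causes one at a time: Windows error 193 (ERROR_BAD_EXE_FORMAT) is what you get when splunkd asks Windows to execute a bash script, the Symantec script hard-codes a /Applications/Splunk path, and the bundled interpreter lacks the third-party modules the script imports (dateutil, and as a later post in this thread shows, six). The following preflight script is an added example, not Symantec's or Splunk's code: it resolves the Splunk root from the SPLUNK_HOME environment variable (or from the script's own location), builds the config path portably, and reports which required modules and the stdlib ssl module are importable. The file name preflight.py and the module list in REQUIRED_MODULES are assumptions for illustration.

```python
# Added example (not Symantec's or Splunk's code): preflight check for the
# ExportClient.py scripted input. Run it with the same interpreter Splunk uses:
#     splunk cmd python preflight.py
# The file name and REQUIRED_MODULES are assumptions for illustration.
import importlib
import os
import sys

CONFIG_NAME = 'SEPCloudConfig.ini'                          # file name used by the Symantec script
REQUIRED_MODULES = ('dateutil.parser', 'six', 'requests')   # assumed set of third-party imports


def resolve_splunk_home(env=None, script_path=None):
    """Return the Splunk install root without hard-coding an OS-specific path.

    Prefer SPLUNK_HOME (assumed to be present in the environment Splunk gives
    scripted inputs); otherwise derive it from the script's own location,
    which for this input is $SPLUNK_HOME/bin/scripts/ExportClient.py.
    """
    env = os.environ if env is None else env
    home = env.get('SPLUNK_HOME')
    if home:
        return home
    script_path = script_path or os.path.abspath(__file__)
    # .../bin/scripts/ExportClient.py -> .../bin/scripts -> .../bin -> root
    return os.path.dirname(os.path.dirname(os.path.dirname(script_path)))


def config_path(splunk_home):
    """Portable equivalent of the CONFIG_INI assignment fixed in the thread."""
    return os.path.join(splunk_home, 'bin', 'scripts', CONFIG_NAME)


def missing_modules(names=REQUIRED_MODULES):
    """Return the subset of `names` this interpreter cannot import."""
    missing = []
    for name in names:
        try:
            importlib.import_module(name)
        except ImportError:          # ModuleNotFoundError is a subclass on Python 3
            missing.append(name)
    return missing


def ssl_available():
    """True if the stdlib ssl module loads.

    urllib3 does `try: import ssl / except ImportError: ssl = None`, so an
    interpreter without ssl fails later with "'NoneType' object has no
    attribute 'wrap_socket'" instead of a clear import error.
    """
    try:
        importlib.import_module('ssl')
        return True
    except ImportError:
        return False


def preflight(env=None, script_path=None):
    """Collect every finding in one dict so the caller can log or act on it."""
    home = resolve_splunk_home(env, script_path)
    ini = config_path(home)
    return {
        'splunk_home': home,
        'config_ini': ini,
        'config_exists': os.path.isfile(ini),
        'missing_modules': missing_modules(),
        'ssl_available': ssl_available(),
        'python': sys.version.split()[0],
    }


if __name__ == '__main__':
    result = preflight()
    for key in sorted(result):
        print('%-16s %s' % (key, result[key]))
    # Exit non-zero so a failed preflight is also visible as an ExecProcessor error in splunkd.log.
    ok = result['config_exists'] and not result['missing_modules'] and result['ssl_available']
    sys.exit(0 if ok else 1)
```

Because `six` is in the module list, this check also catches the case reported further down in this thread, where copying only the dateutil package into bin\scripts still leaves `import six` failing. Once the preflight passes, step (4) amounts to an inputs.conf stanza of the form `[script://$SPLUNK_HOME/bin/scripts/ExportClient.py]` with an `interval` set: Splunk runs a `.py` scripted input with its bundled interpreter, so no wrapper.sh is needed on Windows.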


New Member

Hi smaat11,

I've encountered a problem while using the script for the SEPC too.
What version of Python are you running?
I had Splunk 7.2.4 and Python 2.7 with the pip packages below.

splunk@SplunkServer7:/opt/splunk/bin/scripts$ pip2 list
asn1crypto (0.24.0)
certifi (2019.3.9)
cffi (1.12.3)
chardet (3.0.4)
cryptography (2.6.1)
enum34 (1.1.6)
idna (2.8)
ipaddress (1.0.22)
ndg-httpsclient (0.4.0)
pip (8.1.1)
pyasn1 (0.1.9)
pycparser (2.19)
pyOpenSSL (19.0.0)
python-dateutil (2.8.0)
requests (2.7.0)
setuptools (20.7.0)
six (1.12.0)
UNKNOWN (0.0.0)
urllib3 (1.23)
wheel (0.29.0)

Excerpt of the error I'm getting in splunkd.log:

05-09-2019 13:27:39.642 +0800 ERROR ExecProcessor - message from "/opt/splunk/bin/scripts/wrapper.sh"     self._send_output(message_body)
05-09-2019 13:27:39.642 +0800 ERROR ExecProcessor - message from "/opt/splunk/bin/scripts/wrapper.sh"   File "/usr/lib/python2.7/httplib.py", line 897, in _send_output
05-09-2019 13:27:39.642 +0800 ERROR ExecProcessor - message from "/opt/splunk/bin/scripts/wrapper.sh"     self.send(msg)
05-09-2019 13:27:39.642 +0800 ERROR ExecProcessor - message from "/opt/splunk/bin/scripts/wrapper.sh"   File "/usr/lib/python2.7/httplib.py", line 859, in send
05-09-2019 13:27:39.642 +0800 ERROR ExecProcessor - message from "/opt/splunk/bin/scripts/wrapper.sh"     self.connect()
05-09-2019 13:27:39.642 +0800 ERROR ExecProcessor - message from "/opt/splunk/bin/scripts/wrapper.sh"   File "/opt/splunk/lib/python2.7/site-packages/requests/packages/urllib3/connection.py", line 129, in connect
05-09-2019 13:27:39.643 +0800 ERROR ExecProcessor - message from "/opt/splunk/bin/scripts/wrapper.sh"     self.sock = ssl.wrap_socket(conn, self.key_file, self.cert_file)
05-09-2019 13:27:39.643 +0800 ERROR ExecProcessor - message from "/opt/splunk/bin/scripts/wrapper.sh" AttributeError: 'NoneType' object has no attribute 'wrap_socket'

When running directly via Python, it shows the error below:

splunk@SplunkServer7:/opt/splunk/bin/scripts$ python ExportClient.py
Traceback (most recent call last):
  File "ExportClient.py", line 208, in <module>
    main()
  File "ExportClient.py", line 194, in main
    total_events = total_events + len(data)
TypeError: object of type 'NoneType' has no len()

Have you encountered any of these and do you have any suggestion?


New Member

Hi,

My script is working fine.
It is able to get an auth token and connect to the SEPC cloud,
but the event export returns no logs, even though I am able to see logs in the SEPC console.


Path Finder

Any solution found?


Explorer

I went and copied the dateutil library to the /Applications/Splunk/bin/scripts/ directory, and tried re-running the ExportClient.py script from the command line. This time I received the following error:


C:\Program Files\Splunk\bin>splunk cmd python scripts\ExportClient.py
Traceback (most recent call last):
  File "scripts\ExportClient.py", line 8, in <module>
    import dateutil.parser
  File "C:\Program Files\Splunk\bin\scripts\dateutil\parser\__init__.py", line 2, in <module>
    from ._parser import parse, parser, parserinfo
  File "C:\Program Files\Splunk\bin\scripts\dateutil\parser\_parser.py", line 42, in <module>
    import six
ImportError: No module named six

My guess is the Symantec documentation is making an assumption about which Python modules are installed, since now it can't seem to find "six". I am running Splunk Enterprise 6.6.1. Is there a difference in the Python that is included with version 7?
