Installation

Getting error messages after Splunk Enterprise Security upgrade from 4.5.2 to 4.7.1.

Path Finder

Hi,

We have upgraded Enterprise Security from 4.5.2. to 4.7.1. After the upgrade we are getting two types of error messages in our environment.

Type 1:

msg="A script exited abnormally" input="/opt/splunk/etc/apps/SA-Utils/bin/configurationcheck.py" stanza="configurationcheck://confcheckesapp_version" status="exited with code 3"

Type 2:

A threat intelligence download has failed. stanza="iblocklistspyware" host="xxxxx" status="threat list download failed after multiple retries"
A threat intelligence download has failed. stanza="iblocklistproxy" host="xxxxx" status="threat list download failed after multiple retries"
A threat intelligence download has failed. stanza="iblocklisttor" host="xxxxx" status="threat list download failed after multiple retries"
A threat intelligence download has failed. stanza="iblocklistpiratebay" host="xxxxx" status="threat list download failed after multiple retries"
A threat intelligence download has failed. stanza="iblocklistwebattacker" host="xxxxx" status="threat list download failed after multiple retries"
A threat intelligence download has failed. stanza="iblocklistrapidshare" host="xxxxx" status="threat list download failed after multiple retries"
A threat intelligence download has failed. stanza="iblocklistlogmein" host="xxxxx" status="threat list download failed after multiple retries"

Could you please suggest how to resolve this issue?

Labels (1)

Path Finder

We had this same issue after upgrade to 4.7.0 - Splunk Support advised it was a bug in this version and provided the following fix, which worked for us -

Edit splunk/etc/apps/DA-ESS-ThreatIntelligence/bin/configurationchecks/confcheckfailedthreatdownload.py as below:

--- confcheck_failed_threat_download.old.py 
+++ confcheck_failed_threat_download.py 
@@ -33,7 +33,7 @@ 

messages = [] 

- job = splunk.search.dispatch(search_string, sessionKey=session_key, earliest=earliest) 
+ job = splunk.search.dispatch(search_string, sessionKey=session_key, earliest_time=earliest) 
while elapsed < srch_timeout: 
if job.isDone: 
if job.resultCount > 0 or job.eventCount > 0:
0 Karma

Splunk Employee
Splunk Employee

make sure that the directory still owned by the correct user

0 Karma

Path Finder

yes directory owned by correct user.

0 Karma

Communicator

I'm seeing 3 of the iblocklist* ones too, along with malware_domains. Our ES is running on Splunk Cloud

0 Karma