Proofpoint email security app TA-Proofpoint-TAP stopped ingesting logs.

msplunk33
Path Finder
Proofpoint email security app TA-Proofpoint-TAP stopped ingesting logs. I get the SSL error message below in splunkd.log. I have installed all the necessary certificates but I still get this error. I tried with the curl command and it connects and returns logs. But when this app connects using proofpoint_tap_siem.py I get the error below. I even disabled SSL verification after seeing this in the script: VALIDATE_SSL = False in proofpoint_tap_siem.py, line 43. But still the same error. I use Splunk 7.5.3 on Red Hat Linux with Python 2.7 and TA-Proofpoint-TAP version 2.0.

12-29-2020 16:05:58.949 -0500 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA-Proofpoint-TAP/bin/proofpoint_tap_siem.py" proofpoint_tap_siem://proofpoint_tap_siem: query_and_save/Could not query TAP URL- https://tap-api-v2.proofpoint.com/v2/siem/all?format=json&threatStatus=falsePositive&threatStatus=active&threatStatus=cleared&interval=2020-12-29T09%3A21%3A41Z%2F2020-12-29T10%3A21%3A40Z ([SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:742))
scelikok
SplunkTrust

Hi @msplunk33,

The script decides on SSL validation by checking whether the URL is the default or not. You should set VALIDATE_SSL to False by changing line 217 in proofpoint_tap_siem.py from

self.VALIDATE_SSL = True if (self.SIEM_URL_HOST == self.SIEM_URL_DEFAULT_HOST) else False

to 

self.VALIDATE_SSL = False


Of course, if you upgrade the app this setting will be lost. It is better to check the certificate problem again.


If this reply helps you an upvote is appreciated.
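To illustrate the alternative scelikok points to (fixing the certificate problem rather than hard-coding VALIDATE_SSL = False), here is an added Python 3 snippet that is not part of TA-Proofpoint-TAP or of either post: it keeps verification on, lets the operator supply the CA bundle the Splunk host trusts, and runs one TLS handshake to report why verification fails. The function names, the explicit ca_bundle parameter and the REQUESTS_CA_BUNDLE fallback are my own choices, not the TA's; only the host name comes from the error log above.

```python
"""Keep TLS verification on instead of hard-coding VALIDATE_SSL = False.

Added example (Python 3), not the TA-Proofpoint-TAP script. The TA's line 217
feeds VALIDATE_SSL into requests' ``verify=``; False disables certificate
checks for every call. Here verification stays on and the operator supplies
the CA bundle the host trusts (a CA present in the system store but absent
from the TA's bundled Python store is why curl works while the script fails).
"""
import os
import socket
import ssl

DEFAULT_HOST = "tap-api-v2.proofpoint.com"  # SIEM API host seen in the error


def pick_verify(ca_bundle=None, env=None):
    """Return the value for requests' ``verify=``: a bundle path or True.

    Precedence: explicit path, then REQUESTS_CA_BUNDLE (honoured by requests
    itself), then the default trust store. ``env`` is injectable for tests.
    """
    env = os.environ if env is None else env
    bundle = ca_bundle or env.get("REQUESTS_CA_BUNDLE")
    if not bundle:
        return True
    if not os.path.isfile(bundle):
        raise FileNotFoundError("CA bundle not found: %s" % bundle)
    return bundle


def explain_tls_failure(host=DEFAULT_HOST, port=443, ca_bundle=None, timeout=5.0):
    """Do one verified TLS handshake and return a one-line diagnosis (network).

    The verify message shows whether a CA is missing from the bundle ("unable
    to get local issuer certificate") or the name mismatches (URL or proxy).
    """
    ctx = ssl.create_default_context(cafile=ca_bundle)  # None -> default store
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                issuer = dict(rdn[0] for rdn in tls.getpeercert()["issuer"])
                return "OK: chain verified; issuer=%s" % issuer.get("organizationName")
    except ssl.SSLCertVerificationError as e:
        return "VERIFY FAILED: %s (add the issuing CA to the bundle)" % e.verify_message
    except (ssl.SSLError, OSError) as e:
        return "CONNECTION/TLS ERROR: %s" % e


if __name__ == "__main__":
    verify = pick_verify()  # path from REQUESTS_CA_BUNDLE, or True
    print("verify=%r" % verify)
    print(explain_tls_failure(ca_bundle=None if verify is True else verify))
```

Run it on the Splunk host with REQUESTS_CA_BUNDLE pointing at the same bundle curl uses; if the handshake then verifies, the TA only needs that bundle rather than VALIDATE_SSL = False.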

msplunk33
Path Finder

After commenting out line 217 the SSL error disappears. But the logs are still not ingesting. I can see the log below in splunkd.log but no logs are being ingested.

12-30-2020 18:12:37.069 -0500 INFO ExecProcessor - message from "python /opt/splunk/etc/apps/TA-Proofpoint-TAP/bin/proofpoint_tap_siem.py" proofpoint_tap_siem://proofpoint_tap_siem: query_and_save/Successful query from 2020-12-30T23:11:37Z to 2020-12-30T23:12:36Z

From ta_pps_ondemand_proofpoint_mail_log.log I can see only this message. No other errors:

resp = self.send(prep, **send_kwargs)
File "/opt/splunk/etc/apps/TA-pps_ondemand/bin/ta_pps_ondemand/aob_py2/solnlib/packages/requests/sessions.py", line 646, in send
r = adapter.send(request, **kwargs)
File "/opt/splunk/etc/apps/TA-pps_ondemand/bin/ta_pps_ondemand/aob_py2/solnlib/packages/requests/adapters.py", line 516, in send
raise ConnectionError(e, request=request)
ConnectionError: HTTPSConnectionPool(host='127.0.0.1', port=8089): Max retries exceeded with url: /servicesNS/nobody/TA-pps_ondemand/TA_pps_ondemand_account?--cred--=1&output_mode=json&count=0 (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x7fbe5c456210>: Failed to establish a new connection: [Errno 111] Connection refused',))

2020-12-30 10:24:49,262 INFO pid=31191 tid=MainThread file=setup_util.py:log_info:117 | Log level is not set, use default INFO
2020-12-30 10:24:50,659 INFO pid=31191 tid=MainThread file=setup_util.py:log_info:117 | Proxy is not enabled!
2020-12-30 10:24:50,660 INFO pid=31191 tid=MainThread file=splunk_rest_client.py:_request_handler:105 | Use HTTP connection pooling
msplunk33
Path Finder

I also got this message in the

12-30-2020 18:38:38.240 -0500 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA-Proofpoint-TAP/bin/proofpoint_tap_siem.py" proofpoint_tap_siem://proofpoint_tap_siem: query_and_save/Querying from 2020-12-30T23:37:37Z to 2020-12-30T23:38:37Z, but SIEM server returned: 400 Bad Request