Hi @msplunk33,
The script decides SSL validation by checking whether the URL is the default one or not. You should set VALIDATE_SSL to False on line 217 in proofpoint_tap_siem.py, changing
self.VALIDATE_SSL = True if (self.SIEM_URL_HOST == self.SIEM_URL_DEFAULT_HOST) else False
to
self.VALIDATE_SSL = False
Of course, if you upgrade the app this setting will be lost. It is better to check the certificate problem again.
If this reply helps you an upvote is appreciated.
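Added example (my own illustration, not code from TA-Proofpoint-TAP or from the reply above): what the quoted line 217 actually decides, next to a variant that never turns certificate verification off just because the SIEM host is not the default one. The weak form mirrors the quoted line: a non-default host silently gets verify=False. The hardened form returns a requests-style `verify` value (True, a CA bundle path, or False only on explicit opt-in). The default host value, the function names and the CA bundle path are placeholders I made up; whether the real script passes VALIDATE_SSL straight into `requests` as `verify` is an assumption.

```python
"""Added example, not the TA's code.

Assumptions (not from the original thread):
- the script hands VALIDATE_SSL to requests as the ``verify`` argument;
- SIEM_URL_DEFAULT_HOST below is a placeholder, not the real default host.
"""
from urllib.parse import urlparse

# Placeholder standing in for the script's SIEM_URL_DEFAULT_HOST value.
SIEM_URL_DEFAULT_HOST = "siem-default.example"


def host_of(siem_url):
    """Return the lower-cased hostname of an https:// URL, or raise ValueError."""
    parts = urlparse(siem_url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("SIEM URL must be an https:// URL with a host: %r" % siem_url)
    return parts.hostname.lower()


def validate_ssl_as_posted(siem_url, default_host=SIEM_URL_DEFAULT_HOST):
    """Behaviour of the quoted line 217: verify only when the host is the default.

    Pointing the add-on at any other host (a proxy, a test endpoint, a typo)
    silently disables TLS certificate checks, which is the weak setting.
    """
    return host_of(siem_url) == default_host.lower()


def validate_ssl_hardened(siem_url, default_host=SIEM_URL_DEFAULT_HOST,
                          ca_bundle=None, allow_insecure=False):
    """requests-style ``verify`` value that never disables verification by accident.

    - default host            -> True  (system trust store)
    - other host + ca_bundle  -> path to the PEM bundle that issued its cert
    - other host + allow_insecure=True -> False (explicit, logged-by-caller opt-in)
    - anything else           -> ValueError, so a mis-set URL fails loudly
    """
    if host_of(siem_url) == default_host.lower():
        return True
    if ca_bundle:
        # requests will raise at request time if this path does not exist.
        return ca_bundle
    if allow_insecure:
        return False
    raise ValueError(
        "non-default SIEM host %r and no CA bundle; pass allow_insecure=True "
        "only if you really mean to skip certificate verification" % host_of(siem_url)
    )


if __name__ == "__main__":
    # Constructed inputs, not real endpoints.
    for url in ("https://siem-default.example/v2/siem/all",
                "https://siem.corp.example/v2/siem/all"):
        print(url, "posted:", validate_ssl_as_posted(url),
              "hardened:", validate_ssl_hardened(url, ca_bundle="/etc/ssl/corp-ca.pem"))
```

If the real problem is a corporate TLS-inspecting proxy or a private CA, the fix that survives an app upgrade is to hand the add-on that CA bundle (for `requests`, a `verify="/path/to/ca.pem"` argument or the `REQUESTS_CA_BUNDLE` environment variable) rather than hard-coding `VALIDATE_SSL = False`.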
After commenting out line 217, the SSL error disappeared. But the logs are still not ingesting. I can see the log below in splunkd.log, but no logs are being ingested.
12/30/20 6:12:37.069 PM | 12-30-2020 18:12:37.069 -0500 INFO ExecProcessor - message from "python /opt/splunk/etc/apps/TA-Proofpoint-TAP/bin/proofpoint_tap_siem.py" proofpoint_tap_siem://proofpoint_tap_siem: query_and_save/Successful query from 2020-12-30T23:11:37Z to 2020-12-30T23:12:36Z |
From ta_pps_ondemand_proofpoint_mail_log.log I can see only this message. No other errors.
    resp = self.send(prep, **send_kwargs)
  File "/opt/splunk/etc/apps/TA-pps_ondemand/bin/ta_pps_ondemand/aob_py2/solnlib/packages/requests/sessions.py", line 646, in send
    r = adapter.send(request, **kwargs)
  File "/opt/splunk/etc/apps/TA-pps_ondemand/bin/ta_pps_ondemand/aob_py2/solnlib/packages/requests/adapters.py", line 516, in send
    raise ConnectionError(e, request=request)
ConnectionError: HTTPSConnectionPool(host='127.0.0.1', port=8089): Max retries exceeded with url: /servicesNS/nobody/TA-pps_ondemand/TA_pps_ondemand_account?--cred--=1&output_mode=json&count=0 (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x7fbe5c456210>: Failed to establish a new connection: [Errno 111] Connection refused',))
2020-12-30 10:24:49,262 INFO pid=31191 tid=MainThread file=setup_util.py:log_info:117 | Log level is not set, use default INFO
2020-12-30 10:24:50,659 INFO pid=31191 tid=MainThread file=setup_util.py:log_info:117 | Proxy is not enabled!
2020-12-30 10:24:50,660 INFO pid=31191 tid=MainThread file=splunk_rest_client.py:_request_handler:105 | Use HTTP connection pooling
I also got this message in the
12/30/20 6:38:38.240 PM | 12-30-2020 18:38:38.240 -0500 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA-Proofpoint-TAP/bin/proofpoint_tap_siem.py" proofpoint_tap_siem://proofpoint_tap_siem: query_and_save/Querying from 2020-12-30T23:37:37Z to 2020-12-30T23:38:37Z, but SIEM server returned: 400 Bad Request |