Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Help with troubleshooting errors in Splunk Enterprise Security: what script is ran to show this error message?

R_B
Path Finder
‎08-08-2017 01:38 PM

Hello Splunk community,

I am having a problem with Enterprise Security. All of the threat intelligences are not able to download, as I am getting the following errors: Search peer SEARCH_HEAD_HOSTNAME has the following message: msg="A threat intelligence download has failed" stanza="iblocklist_web_attacker" status="threat list download failed after multiple retries".

I found that in /SPLUNK_HOME/etc/apps/SA=ThreatIntelligence/default/input.conf there is a stanza for each threat intelligence:
[threatlist://iblocklist_proxy]
disabled = 0
delim_regex = :
description = Addresses that are commonly associated with known traffic-proxy sites
fields = ip:$2,description:$1
type = threatlist
url = http://list.iblocklist.com/?list=bt_proxy

The url field in each stanza shows the exact URL that Splunk will try to access to download the threat intelligence. However, what script or piece of code in Splunk or the Enterprise Security app attempts to access the URLs? I want to run that script manually to see what kind of errors I'm receiving.

0 Karma
Reply

smoir_splunk
Splunk Employee
Splunk Employee
‎08-08-2017 04:16 PM

Information about the threat intelligence framework and sources
Splunk Enterprise Security includes a threat intelligence framework and threat intelligence sources that attempt to perform these downloads. A modular input performs the download requests (that's what you found in the input.conf file)

Troubleshooting your specific problem
If the threat sources are failing to download, there are several potential root causes:

  • Is your instance connected to the internet? Are there firewall or proxy rules in place that might prevent the modular input from making these calls to the internet?
  • Are you using a version of Splunk Enterprise Security with a known bug that produces these messages in error (says that the downloads are failing when they are not)? Versions 4.7.0 and 4.7.1 have this bug.

Review the log files related to see the exact error messages, and other verification steps, see: http://docs.splunk.com/Documentation/ES/4.7.2/Admin/Verifythreatintel

Reply

R_B
Path Finder
‎08-11-2017 01:30 PM

Thank you very much for the information and feedback. I'm working through troubleshooting this some more using the info you provided. The version of ES I'm running is the latest version, 4.7.2. I think the first bullet you suggested is correct, there has to be something blocking the splunk server from reaching out to the threat intelligences, my next step is to just figure out what exactly that is. I will update this post with an answer when I figure it out, or some more questions if I get stuck again. Thanks!

0 Karma
Reply

smoir_splunk
Splunk Employee
Splunk Employee
‎08-11-2017 01:42 PM

Thanks for the update! I hope it's easy to fix after you find out what's causing the problem. Good luck!

Reply
Get Updates on the Splunk Community!

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

The latest enhancements across the Splunk Observability portfolio deliver greater flexibility, better data and ...

Alerting Best Practices: How to Create Good Detectors

At their best, detectors and the alerts they trigger notify teams when applications aren’t performing as ...

Discover Powerful New Features in Splunk Cloud Platform: Enhanced Analytics, ...

Hey Splunky people! We are excited to share the latest updates in Splunk Cloud Platform 9.3.2408. In this ...