Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Splunk Enterprise Security: How to troubleshoot why Threat Intelligence download is failing?

splunkrajkrk
Explorer
‎10-13-2016 09:13 AM

I can't see the Threat Intelligence Audit Events in Splunk Enterprise Security

I have internet access to my serverm and yes, I can even wget http://hailataxii.com/ site successfully.
I checked the configuration for indexes.conf and inputs.conf they look good for the SA-ThreatIntelligence//local and DA-ESS-ThreatIntelligence/local/ as well

Could anyone help me out to figure out the problem?

0 Karma
Reply

gjanders
SplunkTrust
SplunkTrust
‎10-18-2016 08:48 PM

I'm assuming you are not using a proxy server in your environment?
Also which ES version? I'm having a similar issue in 4.5 which I have logged with Splunk support...

-
Alerts for Splunk Admins, Version Control for Splunk, Decrypt2 VersionControl For SplunkCloud
0 Karma
Reply

splunkrajkrk
Explorer
‎10-19-2016 08:34 AM

Yes we are not using Proxy server in our environment ,version 4.1.1

and also im getting following errors from all indexers

Failed to fetch REST endpoint uri=https://127.0.0.1:8089/services/admin/inputstatus/ModularInputs%3Amodular%20input%20commands?count=0 from server=https://127.0.0.1:8089

0 Karma
Reply

shellsam
Explorer
‎10-21-2016 12:04 AM

Even i'm getting the same error "Failed to fetch REST endpoint uri=https://127.0.0.1:8089/services/admin/inputstatus/ModularInputs%3Amodular%20input%20commands?count=0 from server=https://127.0.0.1:8089" can somebody help me here

0 Karma
Reply

gjanders
SplunkTrust
SplunkTrust
‎10-21-2016 12:38 AM

As per ekosts's comment ahve you checked the file $SPLUNK_HOME/var/log/splunk/threat_intelligence_manager.log and $SPLUNK_HOME/var/log/splunk/threatlist.log ? Or used the splunk search for these to look for problems?

The above comment also mentions "indexers", the above refers to the search heads.

Since there is minimal information I'm completely guessing, but have you pushed the distributed configuration bundle to the indexers available on:
https://:8000/en-US/app/SplunkEnterpriseSecuritySuite/ess_distributed_conf_management?earliest=0&latest=
?

-
Alerts for Splunk Admins, Version Control for Splunk, Decrypt2 VersionControl For SplunkCloud
Reply

ekost
Splunk Employee
Splunk Employee
‎10-21-2016 08:36 AM

I took a look around for bugs, and found that error listed under the conditions "Subsearch errors when looking up the modular input status for each indexer in a index cluster." At this point, the error appears to be a unique issue, and should be treated independently of issues downloading threat intel sources. If you're completely stuck, and not seeing anything in the logs that clarifies what the downloading issue is, please file a support case.

0 Karma
Reply

ekost
Splunk Employee
Splunk Employee
‎10-18-2016 02:32 PM

I'd begin by taking a look a the _internal index for errors related to threat intel sources. Start with something like: index=_internal eventtype=threatintel_internal_logs error and see what events (if any) get returned. There are a couple common log sources that are written to for ThreatIntel processing: $SPLUNK_HOME/var/log/splunk/threatlist.log, and $SPLUNK_HOME/var/log/splunk/threat_intelligence_manager.log which are tagged with that eventtype.

0 Karma
Reply
Get Updates on the Splunk Community!

How to Monitor Google Kubernetes Engine (GKE)

We’ve looked at how to integrate Kubernetes environments with Splunk Observability Cloud, but what about ...

Index This | How can you make 45 using only 4?

October 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Splunk Education Goes to Washington | Splunk GovSummit 2024

If you’re in the Washington, D.C. area, this is your opportunity to take your career and Splunk skills to the ...