I can't see the Threat Intelligence Audit Events in Splunk Enterprise Security
I have internet access to my serverm and yes, I can even wget http://hailataxii.com/ site successfully.
I checked the configuration for indexes.conf and inputs.conf they look good for the SA-ThreatIntelligence//local and DA-ESS-ThreatIntelligence/local/ as well
Could anyone help me out to figure out the problem?
I'd begin by taking a look a the internal index for errors related to threat intel sources. Start with something like: `index=internal eventtype=threatintelinternallogs error
and see what events (if any) get returned. There are a couple common log sources that are written to for ThreatIntel processing:$SPLUNKHOME/var/log/splunk/threatlist.log
, and$SPLUNKHOME/var/log/splunk/threatintelligencemanager.log` which are tagged with that eventtype.
I'm assuming you are not using a proxy server in your environment?
Also which ES version? I'm having a similar issue in 4.5 which I have logged with Splunk support...
Yes we are not using Proxy server in our environment ,version 4.1.1
and also im getting following errors from all indexers
Failed to fetch REST endpoint uri=https://127.0.0.1:8089/services/admin/inputstatus/ModularInputs%3Amodular%20input%20commands?count=0 from server=https://127.0.0.1:8089
Even i'm getting the same error "Failed to fetch REST endpoint uri=https://127.0.0.1:8089/services/admin/inputstatus/ModularInputs%3Amodular%20input%20commands?count=0 from server=https://127.0.0.1:8089" can somebody help me here
As per ekosts's comment ahve you checked the file $SPLUNKHOME/var/log/splunk/threatintelligencemanager.log and $SPLUNKHOME/var/log/splunk/threatlist.log ? Or used the splunk search for these to look for problems?
The above comment also mentions "indexers", the above refers to the search heads.
Since there is minimal information I'm completely guessing, but have you pushed the distributed configuration bundle to the indexers available on:
I took a look around for bugs, and found that error listed under the conditions "Subsearch errors when looking up the modular input status for each indexer in a index cluster." At this point, the error appears to be a unique issue, and should be treated independently of issues downloading threat intel sources. If you're completely stuck, and not seeing anything in the logs that clarifies what the downloading issue is, please file a support case.