Splunk Enterprise Security: Why am I unable to create notable events?

meirwah
Engager

Issue I see in web_service.log:

2016-02-15 16:58:28,367 ERROR [56c203b3dd836e2840f0] __init__:340 - Mako failed to render:

Traceback (most recent call last):
  File "C:\Program Files\Splunk\Python-2.7\Lib\site-packages\splunk\appserver\mrsparkle\controllers\__init__.py", line 336, in render_template
    return templateInstance.render(**template_args)
  File "C:\Program Files\Splunk\Python-2.7\Lib\site-packages\mako\template.py", line 443, in render
    return runtime._render(self, self.callable_, args, data)
  File "C:\Program Files\Splunk\Python-2.7\Lib\site-packages\mako\runtime.py", line 803, in _render
    **_kwargs_for_callable(callable_, data))
  File "C:\Program Files\Splunk\Python-2.7\Lib\site-packages\mako\runtime.py", line 835, in _render_context
    _exec_template(inherit, lclcontext, args=args, kwargs=kwargs)
  File "C:\Program Files\Splunk\Python-2.7\Lib\site-packages\mako\runtime.py", line 860, in _exec_template
    callable_(context, *args, **kwargs)
  File "C:\Program Files\Splunk\share\splunk\search_mrsparkle\templates/layout/base.html", line 22, in render_body
    <%self:render/>
  File "C:\Program Files\Splunk\share\splunk\search_mrsparkle\templates/layout/base.html", line 28, in render_render
    <%self:pagedoc/>
  File "C:\Program Files\Splunk\share\splunk\search_mrsparkle\templates/layout/base.html", line 102, in render_pagedoc
    <%next:body/>
  File "C:\Program Files\Splunk\share\splunk\search_mrsparkle\templates/layout/view.html", line 24, in render_body
    ${next.body()}
  File "C:\Program Files\Splunk\share\splunk\search_mrsparkle\templates/view/dashboard.html", line 124, in render_body
    <%call expr="parent.getFloatLayoutRow(modules, rowNumber)">
  File "C:\Program Files\Splunk\share\splunk\search_mrsparkle\templates/view/dashboard.html", line 327, in render_getFloatLayoutRow
    <%call expr="next.getDashboardPanel(modules, panelNamesByColumn[col])">
  File "C:\Program Files\Splunk\share\splunk\search_mrsparkle\templates/view/dashboard.html", line 84, in render_getDashboardPanel
    <%call expr="parent.buildPanelContents(modules, groupName)">
  File "C:\Program Files\Splunk\share\splunk\search_mrsparkle\templates/view/dashboard.html", line 231, in render_buildPanelContents
    <%call expr="buildModule(module)">
  File "C:\Program Files\Splunk\share\splunk\search_mrsparkle\templates/view/dashboard.html", line 195, in buildModule
    <%def name="buildPanelContents(modules, panelName)"><%
  File "C:\Program Files\Splunk\share\splunk\search_mrsparkle\templates/view/dashboard.html", line 189, in render_buildModule
    <%include file="${module['templatePath']}" args="module=module"/>
  File "C:\Program Files\Splunk\Python-2.7\Lib\site-packages\mako\runtime.py", line 730, in _include_file
    callable_(ctx, **_kwargs_for_include(callable_, context._data, **kwargs))
  File "C:\Program Files\Splunk\etc\apps\SA-ThreatIntelligence\appserver\modules\NotableEventCreator\NotableEventCreator.html", line 1, in render_body
    <%# Copyright (C) 2009-2012 Splunk Inc. All Rights Reserved.
  File "C:\Program Files\Splunk\etc\apps\SA-ThreatIntelligence\bin\shortcuts\__init__.py", line 162, in getOwners
    unused_response, content = KvStoreHandler.get(None, session_key, options)
  File "C:\Program Files\Splunk\etc\apps\SA-Utils\lib\SolnCommon\kvstore.py", line 37, in get
    response, content = splunk.rest.simpleRequest(uri, sessionKey=session_key)
  File "C:\Program Files\Splunk\Python-2.7\Lib\site-packages\splunk\rest\__init__.py", line 529, in simpleRequest
    raise splunk.ResourceNotFound(uri, extendedMessages=extractMessages(body))
ResourceNotFound: [HTTP 404] https://127.0.0.1:8089/servicesNS/nobody/SA-ThreatIntelligence/storage/collections/data/notable_owne...; [{'type': 'ERROR', 'text': 'Application is disabled: SA-ThreatIntelligence', 'code': None}]

2016-02-15 16:58:28,401 ERROR [56c203b3dd836e2840f0] __init__:321 - Unable to obtain template "dashboard.html":

Traceback (most recent call last):
  File "C:\Program Files\Splunk\Python-2.7\Lib\site-packages\splunk\appserver\mrsparkle\controllers\__init__.py", line 316, in render_template
    templateInstance = mako_lookup.get_template(template_name)
  File "C:\Program Files\Splunk\Python-2.7\Lib\site-packages\splunk\appserver\mrsparkle\controllers\__init__.py", line 199, in get_template
    raise exceptions.TopLevelLookupException(_("Splunk has failed to locate the template for uri '%s'." % uri))
TopLevelLookupException: Splunk has failed to locate the template for uri 'dashboard.html'.

pellegrini
Path Finder

We had the same error, "Error updating FIPS compliance settings."
Based on your errors above I don't think you have the same issue as us, but consider adding your own debug logging into the Python code. See https://answers.splunk.com/answers/814828/error-updating-fips-compliance-settings-during-es.html?chi... for an example.

Also look at splunkd_access.log

mdessus_splunk
Splunk Employee

This "Application is disabled: SA-ThreatIntelligence" is not normal. Did the ES installation go well? Look for essinstall.log in your log directory.
Can you check which apps are not enabled, and try to enable them.
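
A practical way to carry out the check suggested above, as an added example that is not part of this thread or of Splunk's own code: pull the app names out of the "Application is disabled: ..." messages that splunkd embeds in the 404 bodies quoted in this thread, cross-check them against the app list returned by the real `GET /services/apps/local?output_mode=json` endpoint, and build the `POST /services/apps/local/<app>/enable` requests that turn them back on. The log text and the JSON response below are constructed samples shaped like the errors in this thread, not captured output; the `ES_COMPONENT_PREFIXES` filter and the `SPLUNK_URL` / `SPLUNK_TOKEN` environment variables are assumptions of this example.

```python
import json
import os
import re
import ssl
import urllib.request

# Constructed sample in the shape of essinstall.log / web_service.log errors
# quoted in this thread (not copied from a real installation).
SAMPLE_LOG = """\
2016-02-10 21:53:46,782 ERROR msg="Error updating FIPS compliance settings."
ResourceNotFound: [HTTP 404] https://127.0.0.1:8089/servicesNS/nobody/SA-ThreatIntelligence/data/transforms/lookups/example_lookup; [{'code': None, 'text': 'Application is disabled: SA-ThreatIntelligence', 'type': 'ERROR'}]
2016-02-10 21:53:50,100 ERROR kvstore lookup failed; [{'text': 'Application is disabled: SA-IdentityManagement', 'type': 'ERROR'}]
2016-02-10 21:53:51,000 INFO Forcing refresh for identity manager modular input: category="force_asset"
"""

# Constructed sample shaped like GET /services/apps/local?output_mode=json
# (only the fields this example reads are included).
SAMPLE_APPS_JSON = json.dumps({
    "entry": [
        {"name": "SA-ThreatIntelligence", "content": {"disabled": True}},
        {"name": "SA-Utils", "content": {"disabled": False}},
        {"name": "SplunkEnterpriseSecuritySuite", "content": {"disabled": False}},
        {"name": "search", "content": {"disabled": False}},
    ]
})

# splunkd reports a disabled app in the extended message of its 404 body.
DISABLED_RE = re.compile(r"Application is disabled:\s*([A-Za-z0-9_.-]+)")

# Assumed prefixes of the ES supporting add-ons we care about (example only).
ES_COMPONENT_PREFIXES = ("SA-", "DA-ESS-", "SplunkEnterpriseSecuritySuite")


def disabled_apps_from_log(text):
    """Distinct app names splunkd reported as disabled, in order of first appearance."""
    seen = []
    for match in DISABLED_RE.finditer(text):
        name = match.group(1)
        if name not in seen:
            seen.append(name)
    return seen


def disabled_apps_from_rest(payload, prefixes=ES_COMPONENT_PREFIXES):
    """ES component apps whose 'disabled' flag is set in an apps/local JSON listing."""
    data = json.loads(payload)
    return [
        entry["name"]
        for entry in data.get("entry", [])
        if entry["name"].startswith(prefixes) and entry.get("content", {}).get("disabled")
    ]


def enable_requests(app_names, base_url="https://127.0.0.1:8089"):
    """(method, url) pairs that re-enable each app through splunkd's REST API."""
    return [("POST", "%s/services/apps/local/%s/enable" % (base_url, name)) for name in app_names]


def send(method, url, token, verify_tls=True):
    """Issue one request with a splunkd session token (Authorization: Splunk <token>)."""
    ctx = ssl.create_default_context()
    if not verify_tls:  # splunkd ships a self-signed cert; only relax this on a lab box
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(url, method=method, data=b"" if method == "POST" else None)
    req.add_header("Authorization", "Splunk " + token)
    with urllib.request.urlopen(req, context=ctx) as resp:
        return resp.status


if __name__ == "__main__":
    # Offline demonstration over the constructed samples.
    from_log = disabled_apps_from_log(SAMPLE_LOG)
    from_rest = disabled_apps_from_rest(SAMPLE_APPS_JSON)
    print("disabled per log:", from_log)
    print("disabled per REST:", from_rest)
    for method, url in enable_requests(sorted(set(from_log) | set(from_rest))):
        print(method, url)
    # Only talk to a live splunkd when both assumed variables are set.
    base, token = os.environ.get("SPLUNK_URL"), os.environ.get("SPLUNK_TOKEN")
    if base and token:
        for method, url in enable_requests(from_rest, base):
            print(url, "->", send(method, url, token, verify_tls=False))
```

Compare the two lists: an app that is disabled in the REST listing but never appears in the logs is still worth enabling before re-running the ES installer, and an app that shows up in the logs but not in the listing is not installed at all, which is a different problem. The CLI equivalent of the POST is `splunk enable app SA-ThreatIntelligence` run on the search head.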

meirwah
Engager

I have this issue in the install:

2016-02-10 21:53:46,782 ERROR msg="Error updating FIPS compliance settings."
Traceback (most recent call last):
  File "C:\Program Files\Splunk\etc\apps\SplunkEnterpriseSecuritySuite\bin\install\deploy_fips_compliant_settings.py", line 138, in deployFips
    incident_review_lookup_empty = isLookupEmpty(IR_LOOKUP, IR_APP, DEFAULT_OWNER, key)
  File "C:\Program Files\Splunk\etc\apps\SplunkEnterpriseSecuritySuite\bin\install\deploy_fips_compliant_settings.py", line 65, in isLookupEmpty
    transform = SplunkLookupTransform.get(SplunkLookupTransform.build_id(lookup_name, namespace, owner), sessionKey=key)
  File "C:\Program Files\Splunk\Python-2.7\Lib\site-packages\splunk\models\base.py", line 548, in get
    return SplunkRESTManager(cls, sessionKey=sessionKey).get(id)
  File "C:\Program Files\Splunk\Python-2.7\Lib\site-packages\splunk\models\base.py", line 528, in get
    entity = self._get_entity(id, host_path=host_path)
  File "C:\Program Files\Splunk\Python-2.7\Lib\site-packages\splunk\models\base.py", line 444, in _get_entity
    return self._fix_entity(splunk.entity.getEntity(self.model.resource, None, sessionKey=self.sessionKey, uri=id))
  File "C:\Program Files\Splunk\Python-2.7\Lib\site-packages\splunk\entity.py", line 249, in getEntity
    serverResponse, serverContent = rest.simpleRequest(uri, getargs=kwargs, sessionKey=sessionKey, raiseAllErrors=True)
  File "C:\Program Files\Splunk\Python-2.7\Lib\site-packages\splunk\rest\__init__.py", line 529, in simpleRequest
    raise splunk.ResourceNotFound(uri, extendedMessages=extractMessages(body))
ResourceNotFound: [HTTP 404] https://127.0.0.1:8089/servicesNS/nobody/SA-ThreatIntelligence/data/transforms/lookups/incident_revi...; [{'code': None, 'text': 'Application is disabled: SA-ThreatIntelligence', 'type': 'ERROR'}]
2016-02-10 21:53:46,798 INFO Forcing refresh for identity manager modular input: category="force_asset"