Splunk Enterprise Security

Warning after Splunk upgrade to 8.0.2 and Enterprise Security to 6.1.0

gcusello
SplunkTrust

Hi at all,
I've just upgraded Splunk Enterprise from 7.1.1 to 8.0.2, Enterprise Security from 5.2.0 to 6.1.0, and all the related apps and TAs on a Search Head.
The whole upgrade is ok, but I have this warning:

Health Check: One or more apps ("TA-json-alerting") that had previously been imported are not exporting configurations globally to system. Configuration objects not exported to system will be unavailable in Enterprise Security.

TA-json-alerting is an app that I cannot find in baseline, so I wasn't able to upgrade it.

At first, is it a problem or not?
Then, how can I solve it?

Ciao and thanks.

Giuseppe

0 Karma
1 Solution

nickhills
Ultra Champion

Hi @gcusello
Is TA-json-alerting a custom app? It's not one I have seen before (although I have yet to perform an update to ES6).

I would guess the two obvious options are 1.) change the exports in meta to export all of the options to system for that app, or 2.) remove the TA, update ES, reinstall TA.

It may be that the TA is not producing useful field extractions, so they were never shared; perhaps it just has some scheduled searches and fires alerts (just a guess from the TA name), in which case maybe the warning can be disregarded?

If my comment helps, please give it a thumbs up!


0 Karma

gcusello
SplunkTrust

Hi @nickhillscpl,
I also have never seen this app before, and I don't know if it was installed by someone outside my control or if it was installed by some other app (I thought ES).
In apps.conf there's this:

author = MeMyselfAndI
description = Fires a JSON alert on a TCP port on each Splunk Alert triggered
version = 1.0.0

Inside the app there is a README, which I report below:

# Splunk to shipper

This is a simple Splunk application that fires a JSON alert on a TCP port on each Splunk Alert triggered

The script is invoked and gets the payload from stdin.
It will then get shipper_host and shipper_port from the configuration and push the payload to the shipper.

## Build

You'll need to install `slim` and `splunk-appinspect`
Slim: http://dev.splunk.com/view/packaging-toolkit/SP-CAAAE96
Splunk-appinspect: http://dev.splunk.com/view/appinspect/SP-CAAAFAK

Then run:
```
cd misc
slim package splunkapp
splunk-appinspect inspect splunkapp-1.0.0.tar.gz
```

Before modifying anything I'd like to be sure of the activity!

Ciao.
Giuseppe

0 Karma

nickhills
Ultra Champion

I wonder if that's an Elastic shipper?
It certainly does not look like a Splunk-provided app from app.conf!
Are you able to see what it has in the config file for shipper_host/shipper_port? That might help confirm what the target is.

My guess (based on its name) looks pretty good though 🙂

If my comment helps, please give it a thumbs up!
0 Karma

gcusello
SplunkTrust

Another piece of info:
In savedsearches.conf there's the following option:

request.ui_dispatch_app = SplunkEnterpriseSecuritySuite

It seems to be part of ES.

Ciao.
Giuseppe

0 Karma

nickhills
Ultra Champion

I guess that makes sense if they are sending alerts to another platform. I wonder if they shared the searches and the alerts, but just forgot to share something unimportant.

Is there anything obvious from the meta files which might show what is not exported?

If my comment helps, please give it a thumbs up!
0 Karma
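One way to answer that question from the meta files, as an added example that is not part of this thread or of the TA itself: a small Python checker that parses an app's default.meta and local.meta, applies Splunk's local-over-default layering and the object -> conf-type -> global `[]` inheritance, and lists the objects whose effective `export` is not `system`, which is what the ES health check is complaining about. The sample metadata and its stanza names are constructed for illustration and are assumptions, not the real TA's content.

```python
# Constructed sample in the shape of a small alerting TA (stanza names are assumptions).
DEFAULT_META = """
[]
access = read : [ * ], write : [ admin ]
[savedsearches]
export = system
[savedsearches/Ship JSON alert]
owner = admin
[alert_actions/json_shipper]
owner = admin
"""
LOCAL_META = "[savedsearches/Ship JSON alert]\nexport = none\n"
# The fix nickhills describes: export everything to system from local.meta's global stanza.
FIXED_LOCAL_META = LOCAL_META + "[]\nexport = system\n"


def parse_meta(text):
    """Parse a Splunk .meta file into {stanza: {key: value}}; '[]' parses as ''."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def merge_meta(default_meta, local_meta):
    """local.meta keys override default.meta keys, stanza by stanza (Splunk layering)."""
    merged = {s: dict(keys) for s, keys in default_meta.items()}
    for stanza, keys in local_meta.items():
        merged.setdefault(stanza, {}).update(keys)
    return merged


def effective_export(meta, stanza):
    """First 'export' found walking object -> conf type -> global ''; none means app-private."""
    chain = [stanza, stanza.split("/", 1)[0], ""] if "/" in stanza else [stanza, ""]
    for s in chain:
        if "export" in meta.get(s, {}):
            return meta[s]["export"]
    return "none"


def unexported_objects(meta):
    """Object stanzas (type/name) that ES will not see because export != system."""
    return sorted(s for s in meta if "/" in s and effective_export(meta, s) != "system")
```

Run it against the real `$SPLUNK_HOME/etc/apps/TA-json-alerting/metadata/*.meta` by reading those two files into `parse_meta`; an explicit `export = none` on an object still wins over a global `export = system`, so those objects have to be changed individually.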

gcusello
SplunkTrust

Hi at all,
In addition, I found that there are many errors (Invalid key) at startup; below are the first ten, but there are many more:

Invalid key in stanza [Access - Account Deleted - CFC Rule] in /opt/splunk/etc/apps/DA-ESS-CFC_custom/default/savedsearches.conf, line 27: alert_comparator  (value:  greater than).
Invalid key in stanza [Access - Account Deleted - CFC Rule] in /opt/splunk/etc/apps/DA-ESS-CFC_custom/default/savedsearches.conf, line 28: alert_threshold  (value:  0).
Invalid key in stanza [Access - Account Deleted - CFC Rule] in /opt/splunk/etc/apps/DA-ESS-CFC_custom/default/savedsearches.conf, line 29: alert_type  (value:  number of events).
Invalid key in stanza [Access - Brute Force Access Behavior Detected - CFC Rule] in /opt/splunk/etc/apps/DA-ESS-CFC_custom/default/savedsearches.conf, line 70: alert_comparator  (value:  greater than).
Invalid key in stanza [Access - Brute Force Access Behavior Detected - CFC Rule] in /opt/splunk/etc/apps/DA-ESS-CFC_custom/default/savedsearches.conf, line 71: alert_threshold  (value:  0).
Invalid key in stanza [Access - Brute Force Access Behavior Detected - CFC Rule] in /opt/splunk/etc/apps/DA-ESS-CFC_custom/default/savedsearches.conf, line 72: alert_type  (value:  number of events).
Invalid key in stanza [Access - Brute Force Access Behavior Detected Over 1d - CFC Rule] in /opt/splunk/etc/apps/DA-ESS-CFC_custom/default/savedsearches.conf, line 112: alert_comparator  (value:  greater than).
Invalid key in stanza [Access - Brute Force Access Behavior Detected Over 1d - CFC Rule] in /opt/splunk/etc/apps/DA-ESS-CFC_custom/default/savedsearches.conf, line 113: alert_threshold  (value:  0).
Invalid key in stanza [Access - Brute Force Access Behavior Detected Over 1d - CFC Rule] in /opt/splunk/etc/apps/DA-ESS-CFC_custom/default/savedsearches.conf, line 114: alert_type  (value:  number of events).
Invalid key in stanza [Access - Cleartext Password At Rest - CFC Rule] in /opt/splunk/etc/apps/DA-ESS-CFC_custom/default/savedsearches.conf, line 151: alert_comparator  (value:  greater than).
Invalid key in stanza [Access - Cleartext Password At Rest - CFC Rule] in /opt/splunk/etc/apps/DA-ESS-CFC_custom/default/savedsearches.conf, line 152: alert_threshold  (value:  0).

Ciao.
Giuseppe

0 Karma