Splunk Enterprise Security

msg="A script exited abnormally input="$SPLUNK_HOME/etc/apps/Splunk_CiscoIPS/bin/get_ips_feed.py " stanza="default" status="exited with code 1"

mcronkrite
Splunk Employee
Splunk Employee

msg="A script exited abnormally input="$SPLUNK_HOME/etc/apps/Splunk_CiscoIPS/bin/get_ips_feed.py " stanza="default" status="exited with code 1"

Error Message appears twice, once for each indexer every 4 hours.
Running Splunk 6.0.2, Splunk Enterprise Security 3.0.1

0 Karma
1 Solution

sfmike
Explorer

This error is occurring because Enterprise Security contains a "configuration_checker.py" modular input that attempts to alert you when misconfigurations are detected - we attempt to be proactive and alert to conditions that might be causing the application to misbehave.

In this case, the intent of the alert is to alert when a scripted input or modular input has exited abnormally. The definition of "abnormally" that we use means "exited with a non-zero exit code".

Sometimes, as in this case, this particular check backfires. The error you're seeing is benign and is occurring because the scripted inputs included with the TA-windows add-on use non-zero exit codes even when they exit successfully. This has been corrected in an upcoming version (which of course doesn't help in this instance).

If you would like to just get rid of the message, you can disable this input stanza in the Manager:

Settings --> Data Inputs --> Configuration Checker --> confcheck_script_errors
However, that would disable the exit status checking for ALL scripted and modular inputs on the system. If you'd like a more robust solution, reach out to support and mention this posting, and we can provide a small patch to the configuration_checker.py script which will deal with this in a more intelligent fashion - with the caveat that it wouldn't persist beyond an upgrade.

View solution in original post

bpaul_splunk
Splunk Employee
Splunk Employee

With Enterprise Security version 3.3.0, you can now adjust the configuration script, rather than disable it.

  1. go to the Settings > Data Inputs page.
  2. Click on Configuration Checker.
  3. Modify the "Suppression string" parameter of confcheck_script_errors to exclude the items needing to be suppressed.

Only do this if you are sure the script is exiting normally, and returning the referenced code value.

sfmike
Explorer

This error is occurring because Enterprise Security contains a "configuration_checker.py" modular input that attempts to alert you when misconfigurations are detected - we attempt to be proactive and alert to conditions that might be causing the application to misbehave.

In this case, the intent of the alert is to alert when a scripted input or modular input has exited abnormally. The definition of "abnormally" that we use means "exited with a non-zero exit code".

Sometimes, as in this case, this particular check backfires. The error you're seeing is benign and is occurring because the scripted inputs included with the TA-windows add-on use non-zero exit codes even when they exit successfully. This has been corrected in an upcoming version (which of course doesn't help in this instance).

If you would like to just get rid of the message, you can disable this input stanza in the Manager:

Settings --> Data Inputs --> Configuration Checker --> confcheck_script_errors
However, that would disable the exit status checking for ALL scripted and modular inputs on the system. If you'd like a more robust solution, reach out to support and mention this posting, and we can provide a small patch to the configuration_checker.py script which will deal with this in a more intelligent fashion - with the caveat that it wouldn't persist beyond an upgrade.

mcronkrite
Splunk Employee
Splunk Employee

This worked for me. I disabled configuration checker and messages stopped.

0 Karma

mcronkrite
Splunk Employee
Splunk Employee
0 Karma

lbogle
Contributor

I have the same issue. Any responses to this?

0 Karma

jcoates_splunk
Splunk Employee
Splunk Employee

ES is notifying of error exit codes. The app for Cisco IPS is generating one. Why?

Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...