Splunk SOAR

Error phantom_forward:129 Splunk_home\etc\apps\phantom\bin\scripts\phantom_forward.py called without a session token.

chaixl
Explorer

My the Phantom app's phantom_forwarding.log generated such logs: phantom_forward:129 - C:\Program Files\Splunk\etc\apps\phantom\bin\scripts\phantom_forward.py called without a session token.

Describe my current situation:

I am able to send events to Phantom with a saved search using the Phantom add-on. However, to send events to Phantom, I have to manually press the "Send to Phantom" button, phantom can receive the event. But the Phantom add-on can't  automatically forward events to phantom,  error logs appear in the phantom_forwarding.log. How to solve the error in the phantom_forwarding.log?

Labels (2)
1 Solution

ryansaunders
Explorer

I was having this same issue (except with Splunk running on Linux).  Version 4.0.35 of the Phantom App was released last week and added support for Splunk Enterprise 8.1.  Upgrading to the new version of the app resolved the problem for me.

https://splunkbase.splunk.com/app/3411/

View solution in original post

0 Karma

ryansaunders
Explorer

I was having this same issue (except with Splunk running on Linux).  Version 4.0.35 of the Phantom App was released last week and added support for Splunk Enterprise 8.1.  Upgrading to the new version of the app resolved the problem for me.

https://splunkbase.splunk.com/app/3411/

0 Karma

chaixl
Explorer

Thanks all for your help,

When I upgrade version 4.0.35 of the Phantom App, the problem is solved.

Thanks a lot.

0 Karma

sam_splunk
Splunk Employee
Splunk Employee

Could you provide more info of the set-up in splunk as well as the errors you're getting?

0 Karma

chaixl
Explorer

I am currently using Splunk Enterprise 8.1.0.1  and Phantom version 4.9.39220. 

 The error I'm getting is the Phantom add-on for Splunk can't  automatically forward events to phantom, only by manually pressing the "Send to Phantom" button, phantom can receive one event. I checked phantom_forwarding.log, Found many errors in the log, as shown below:

2020-12-07 15:36:52,372 ERROR	phantom_forward:129 - C:\Program Files\Splunk\etc\apps\phantom\bin\scripts\phantom_forward.py called without a session token.

 I tested and found when a new event is generated for the saved search that has been forwarded in the phantom add-on configuration, there will be an error like the one above in the phantom_forwarding.log 

Here is my set-up in splunk:

In Splunk Web, I have successfully configured the Phantom Server in the App, and applied the Splunk Enterprise instance IP under the "allowed ips" in Phantom.

 

1607566505(1).png

 

1607566578(1).png

 

1607566685(1).png

 

1607567371(1).png

Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...