Splunk Search

Splunk for Cisco IPS: When running a search, why am I getting error "Could not get IPS x.x.x.x credentials from splunk"?

arber
Communicator

Hello,

we have configured Splunk_TA_cisco-ips. We set up everything as per the guide, but we keep getting this error if we search:

index="_internal" sourcetype="sdee_connection"

Tue Dec 16 17:51:55 2014 - Could not get IPS x.x.x.x credentials from splunk: SplunkdConnectionException: Splunkd daemon is not responding: ('Error connecting to /servicesNS/nobody/Splunk_TA_cisco-ips/storage/passwords: [Errno 111] Connection refused',)

The credentials that we use are working as we tried to access the system. Can it be something else ?

Thanks

arber
Communicator

Hello,

we installed the new version of cisco ips addon 6.1.2 and it seems that the conenction is ok, So the script is successful logged on.
sdee_get.log

Mon Jan 19 07:18:39 2015 - INFO - Checking for exsisting SubscriptionID on host: x.x.xx
Mon Jan 19 07:18:40 2015 - INFO - SubscriptionID: sub-4-711f2b1c found for host: x.x.x.x
Mon Jan 19 07:18:40 2015 - INFO - Attempting to connect to sensor: x.x.x.x
Mon Jan 19 07:18:40 2015 - INFO - Successfully connected to: x.x.x.x

the \var\log\ and var\run folders and files inside them are created automatically( didnt happen in the previous version) . But still ips_sdee.log.x.x.x.x file inside /opt/splunk/etc/apps/Splunk_TA_cisco-ips/var/log remains empty

Any idea ?

0 Karma

whistj
Explorer

I seem to have the same issue. Working with a support engineer he had me test from the command line using:
./splunk cmd python /opt/splunk/etc/apps/Splunk_TA_cisco-ips/bin/get_ips_feed.py ips_host 15
That returns "invalid command-line arguments"

If I place the username and password on the commandline prior to ips_host it executes but fails reading:

Wed Dec 17 15:45:32 2014 - INFO - Checking for exsisting SubscriptionID on host: ips_host
Wed Dec 17 15:45:32 2014 - INFO - No exsisting SubscriptionID for host: ips_host
Wed Dec 17 15:45:32 2014 - INFO - Attempting to connect to sensor: ips_host

Wed Dec 17 15:45:32 2014 - INFO - Successfully connected to: ips_host

Wed Dec 17 15:45:32 2014 - ERROR - Connecting to sensor - ips_host: URLError:

if I use curl from the commandline (--insecure to accept my self-signed cert)
curl --insecure --user ADMINUSER:PASSWORD https://ips_host/cgi-bin/sdee-server

I get the expected XML data

whistj
Explorer

thanks, I confirm that by grabbing my session key and feeding it in I do get
Thu Dec 18 16:15:29 2014 - INFO - Checking for exsisting SubscriptionID on host: ips_host
Thu Dec 18 16:15:29 2014 - INFO - No exsisting SubscriptionID for host: ips_host
Thu Dec 18 16:15:29 2014 - INFO - Attempting to connect to sensor: ips_host
Thu Dec 18 16:15:29 2014 - INFO - Successfully connected to: ips_host
Thu Dec 18 16:15:29 2014 - ERROR - Connecting to sensor - ips_host: URLError:

then if I ctrl+c to cancel that command I get

File "/opt/splunk/etc/apps/Splunk_TA_cisco-ips/bin/get_ips_feed.py", line 303, in
run(username,password,sys.argv[1],sys.argv[2],"https","yes")
File "/opt/splunk/etc/apps/Splunk_TA_cisco-ips/bin/get_ips_feed.py", line 94, in run
time.sleep(300)

0 Karma

bwooden
Splunk Employee
Splunk Employee

Thank you for additional info, whistj.

The script is expecting a valid session_key for an account that can retrieve the credential (this is why the inputs.conf contains the "passAuth = splunk-system-user" setting). It is expecting to find this in stdin

You can get a session key several ways. One way is from the search app in the UI.

| rest /services/authentication/httpauth-tokens | search (userName="ADMIN_USER") searchId="" | stats first(authString) as session_key

That session_key may be passed via stdin via CLI to approximate the scripted input's behavior:

echo <actual session_key> | /opt/splunk/etc/apps/Splunk_TA_cisco-ips/bin/get_ips_feed.py <ips_host> 15
0 Karma

bwooden
Splunk Employee
Splunk Employee

Note: The above should produce the same result you're seeing from Splunk in the logs. I provided that information to eliminate the "invalid command-line arguments" when testing manually but I would expect the same error whether invoked manually or by Splunk.

0 Karma

arber
Communicator

we i try to manually execute the script putting the username and password i get this:

Traceback (most recent call last):
File "/opt/splunk/etc/apps/Splunk_TA_cisco-ips/bin/get_ips_feed.py", line 289, in
run(sys.argv[1],sys.argv[2],sys.argv[3],sys.argv[4],"https","yes")
File "/opt/splunk/etc/apps/Splunk_TA_cisco-ips/bin/get_ips_feed.py", line 76, in run
open(os.path.join(RUN_DIR, host + '.run'), 'w').close()
IOError: [Errno 2] No such file or directory: '/opt/splunk/etc/apps/Splunk_TA_cisco-ips/var/run/x.x.x.x.run'

Indeed the var/log foder inside the /opt/splunk/etc/apps/Splunk_TA_cisco-ips is not created

0 Karma

bwooden
Splunk Employee
Splunk Employee

Thank you Arber. That path problem has been resolved via ADDON-2386. That fix will be included in the next maintenance release. In the meantime, if you create the $SPLUNK_HOME/etc/apps/Splunk_TA_cisco-ips/var/log and $SPLUNK_HOME/etc/apps/Splunk_TA_cisco-ips/var/run manually, you still receive the credential related error?

0 Karma

arber
Communicator

i created manually the folders but still the issue is the same.. also i get this file x.x.x.x.run but it is empty

Thanks

0 Karma

bwooden
Splunk Employee
Splunk Employee

Thanks for checking, Arber. That certainly looks correct. Does the $SPLUNK_HOME/etc/apps/Splunk_TA_cisco-ips/local/inputs.conf also look like this (i.e. disabled=false, passAuth=splunk-system-user):

[script://$SPLUNK_HOME/etc/apps/Splunk_TA_cisco-ips/bin/get_ips_feed.py ips_host 15]
disabled = false
interval = 1
passAuth = splunk-system-user 
<snip />
0 Karma

arber
Communicator

yes it is like this

[script://$SPLUNK_HOME/etc/apps/Splunk_TA_cisco-ips/bin/get_ips_feed.py xxxxx 15]
disabled = false
interval = 1
passAuth = splunk-system-user
source = SDEE
sourcetype = cisco_ips_syslog

0 Karma

bwooden
Splunk Employee
Splunk Employee

Arber, would your provide your Splunk version, Splunk build, and OS running Splunk?

0 Karma

arber
Communicator

Splunk 6.2 build 237341 Debian 7

Thanks

0 Karma

bwooden
Splunk Employee
Splunk Employee

That error is not saying the credentials are wrong, it is saying the script that queries the IPS could not load the credentials with which to try.

Can you verify that you have a credential defined in $SPLUNK_HOME/etc/apps/Splunk_TA_cisco-ips/local/app.conf? We can determine next steps based on that info.

0 Karma

arber
Communicator

Hi,

yes we have:

[credential:x.x.x.x:xxxx:]
password = xxxxxx

[install]
is_configured = 1

Thanks

0 Karma
Get Updates on the Splunk Community!

Index This | Divide 100 by half. What do you get?

November 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

❄️ Celebrate the season with our December lineup of Community Office Hours, Tech Talks, and Webinars! ...

Splunk and Fraud

Watch Now!Watch an insightful webinar where we delve into the innovative approaches to solving fraud using the ...