Hello,
we have configured Splunk_TA_cisco-ips. We set up everything as per the guide, but we keep getting this error if we search:
index="_internal" sourcetype="sdee_connection"
Tue Dec 16 17:51:55 2014 - Could not get IPS x.x.x.x credentials from splunk: SplunkdConnectionException: Splunkd daemon is not responding: ('Error connecting to /servicesNS/nobody/Splunk_TA_cisco-ips/storage/passwords: [Errno 111] Connection refused',)
The credentials that we use are working, as we tried to access the system with them. Can it be something else?
Thanks
Hello,
We installed the new version of the Cisco IPS add-on, 6.1.2, and it seems that the connection is OK, so the script has successfully logged on.
sdee_get.log
Mon Jan 19 07:18:39 2015 - INFO - Checking for exsisting SubscriptionID on host: x.x.xx
Mon Jan 19 07:18:40 2015 - INFO - SubscriptionID: sub-4-711f2b1c found for host: x.x.x.x
Mon Jan 19 07:18:40 2015 - INFO - Attempting to connect to sensor: x.x.x.x
Mon Jan 19 07:18:40 2015 - INFO - Successfully connected to: x.x.x.x
The var/log and var/run folders and the files inside them are created automatically (this didn't happen in the previous version). But the ips_sdee.log.x.x.x.x file inside /opt/splunk/etc/apps/Splunk_TA_cisco-ips/var/log still remains empty.
Any idea?
I seem to have the same issue. Working with a support engineer, he had me test from the command line using:
./splunk cmd python /opt/splunk/etc/apps/Splunk_TA_cisco-ips/bin/get_ips_feed.py ips_host 15
That returns "invalid command-line arguments".
If I place the username and password on the command line prior to ips_host it executes but fails, reading:
Wed Dec 17 15:45:32 2014 - INFO - Checking for exsisting SubscriptionID on host: ips_host
Wed Dec 17 15:45:32 2014 - INFO - No exsisting SubscriptionID for host: ips_host
Wed Dec 17 15:45:32 2014 - INFO - Attempting to connect to sensor: ips_host
Wed Dec 17 15:45:32 2014 - INFO - Successfully connected to: ips_host
Wed Dec 17 15:45:32 2014 - ERROR - Connecting to sensor - ips_host: URLError:
If I use curl from the command line (--insecure to accept my self-signed cert):
curl --insecure --user ADMINUSER:PASSWORD https://ips_host/cgi-bin/sdee-server
I get the expected XML data.
Thanks, I confirm that by grabbing my session key and feeding it in I do get
Thu Dec 18 16:15:29 2014 - INFO - Checking for exsisting SubscriptionID on host: ips_host
Thu Dec 18 16:15:29 2014 - INFO - No exsisting SubscriptionID for host: ips_host
Thu Dec 18 16:15:29 2014 - INFO - Attempting to connect to sensor: ips_host
Thu Dec 18 16:15:29 2014 - INFO - Successfully connected to: ips_host
Thu Dec 18 16:15:29 2014 - ERROR - Connecting to sensor - ips_host: URLError:
Then if I Ctrl+C to cancel that command I get
File "/opt/splunk/etc/apps/Splunk_TA_cisco-ips/bin/get_ips_feed.py", line 303, in
run(username,password,sys.argv[1],sys.argv[2],"https","yes")
File "/opt/splunk/etc/apps/Splunk_TA_cisco-ips/bin/get_ips_feed.py", line 94, in run
time.sleep(300)
Thank you for additional info, whistj.
The script is expecting a valid session_key for an account that can retrieve the credential (this is why the inputs.conf contains the "passAuth = splunk-system-user" setting). It is expecting to find this on stdin.
You can get a session key several ways. One way is from the search app in the UI.
| rest /services/authentication/httpauth-tokens | search (userName="ADMIN_USER") searchId="" | stats first(authString) as session_key
That session_key may be passed via stdin via CLI to approximate the scripted input's behavior:
echo <actual session_key> | /opt/splunk/etc/apps/Splunk_TA_cisco-ips/bin/get_ips_feed.py <ips_host> 15
Note: The above should produce the same result you're seeing from Splunk in the logs. I provided that information to eliminate the "invalid command-line arguments" when testing manually but I would expect the same error whether invoked manually or by Splunk.
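As an added illustration of what the reply above describes (this is example code, not the TA's own get_ips_feed.py): a script that takes the session key on stdin, calls the same /servicesNS/nobody/Splunk_TA_cisco-ips/storage/passwords endpoint named in the error message, and turns a "Connection refused" from splunkd into the concrete check to run next. The Atom response layout, the https://127.0.0.1:8089 management URL and the sample realm/user are assumptions.

```python
import sys
import xml.etree.ElementTree as ET
from urllib.error import HTTPError
from urllib.request import Request, urlopen

ATOM = "{http://www.w3.org/2005/Atom}"
SREST = "{http://dev.splunk.com/ns/rest}"
APP = "Splunk_TA_cisco-ips"

def build_request(session_key, mgmt_url="https://127.0.0.1:8089"):
    # Same endpoint as in the page's error message; the management URL/port is an assumed default
    url = f"{mgmt_url}/servicesNS/nobody/{APP}/storage/passwords"
    return Request(url, headers={"Authorization": f"Splunk {session_key}"})

def parse_credential(atom_xml, realm, username):
    # Entry titles are realm:username: (matching the [credential:realm:user:] app.conf stanza);
    # the Atom/s:dict layout is assumed, not captured from a live splunkd
    wanted = f"{realm}:{username}:"
    for entry in ET.fromstring(atom_xml).iter(f"{ATOM}entry"):
        if entry.findtext(f"{ATOM}title") != wanted:
            continue
        for key in entry.iter(f"{SREST}key"):
            if key.get("name") == "clear_password":
                return key.text
    return None

def explain_error(exc):
    # Translate transport failures into the next thing to verify
    reason = str(getattr(exc, "reason", exc))
    if "Connection refused" in reason:
        return "splunkd not reachable on the management port; verify the port and that splunkd is running"
    if isinstance(exc, HTTPError) and exc.code == 401:
        return "session key rejected; the passAuth user or the key itself is not valid"
    return f"unexpected error: {reason}"

def get_credential(session_key, realm, username, opener=urlopen):
    # Returns (password, None) on success or (None, diagnosis); opener is injectable for testing
    try:
        with opener(build_request(session_key)) as resp:
            return parse_credential(resp.read(), realm, username), None
    except OSError as exc:  # URLError is a subclass of OSError
        return None, explain_error(exc)

# Constructed sample response, not output from a real splunkd
SAMPLE_ATOM = b"""<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest">
<entry><title>10.0.0.5:sdeeuser:</title><content><s:dict>
<s:key name="realm">10.0.0.5</s:key><s:key name="username">sdeeuser</s:key>
<s:key name="clear_password">s3cret</s:key></s:dict></content></entry></feed>"""

if __name__ == "__main__":  # like a passAuth scripted input, the key arrives on stdin
    print(get_credential(sys.stdin.readline().strip(), sys.argv[1], sys.argv[2]))
```

Run it the same way the reply suggests for the real script (echo the session key into it, followed by the realm and username) to see whether the failure is at the splunkd side or at the credential lookup.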
When I try to manually execute the script, putting in the username and password, I get this:
Traceback (most recent call last):
File "/opt/splunk/etc/apps/Splunk_TA_cisco-ips/bin/get_ips_feed.py", line 289, in
run(sys.argv[1],sys.argv[2],sys.argv[3],sys.argv[4],"https","yes")
File "/opt/splunk/etc/apps/Splunk_TA_cisco-ips/bin/get_ips_feed.py", line 76, in run
open(os.path.join(RUN_DIR, host + '.run'), 'w').close()
IOError: [Errno 2] No such file or directory: '/opt/splunk/etc/apps/Splunk_TA_cisco-ips/var/run/x.x.x.x.run'
Indeed, the var/log folder inside /opt/splunk/etc/apps/Splunk_TA_cisco-ips is not created.
Thank you, Arber. That path problem has been resolved via ADDON-2386. That fix will be included in the next maintenance release. In the meantime, if you create $SPLUNK_HOME/etc/apps/Splunk_TA_cisco-ips/var/log and $SPLUNK_HOME/etc/apps/Splunk_TA_cisco-ips/var/run manually, do you still receive the credential-related error?
I created the folders manually but the issue is still the same. I also get this file x.x.x.x.run, but it is empty.
Thanks
Thanks for checking, Arber. That certainly looks correct. Does the $SPLUNK_HOME/etc/apps/Splunk_TA_cisco-ips/local/inputs.conf also look like this (i.e. disabled=false, passAuth=splunk-system-user):
[script://$SPLUNK_HOME/etc/apps/Splunk_TA_cisco-ips/bin/get_ips_feed.py ips_host 15]
disabled = false
interval = 1
passAuth = splunk-system-user
<snip />
Yes, it is like this:
[script://$SPLUNK_HOME/etc/apps/Splunk_TA_cisco-ips/bin/get_ips_feed.py xxxxx 15]
disabled = false
interval = 1
passAuth = splunk-system-user
source = SDEE
sourcetype = cisco_ips_syslog
Arber, would you provide your Splunk version, Splunk build, and the OS running Splunk?
Splunk 6.2, build 237341, Debian 7
Thanks
That error is not saying the credentials are wrong, it is saying the script that queries the IPS could not load the credentials with which to try.
Can you verify that you have a credential defined in $SPLUNK_HOME/etc/apps/Splunk_TA_cisco-ips/local/app.conf? We can determine next steps based on that info.
Hi,
Yes, we have:
[credential:x.x.x.x:xxxx:]
password = xxxxxx
[install]
is_configured = 1
Thanks