Got a solution to this exact problem! Please see below.
** Quick summary:
Go to /opt/splunk/etc/apps/sophos_central/local/passwords.conf
update as per below:
[credential:https://api3.central.sophos.com/gateway:DO_NOT_TOCH_THIS:]
password = DELETE_THIS_PART_AND_PASTE_AUTHORIZATION_STRING_AGAIN
Save and restart Splunk. As soon as that is done you will see messages coming in.
** Long read,
I got similar error messages in my PoC. Tested with all-in-one Splunk 6.6.4 Windows and all-in-one Splunk 6.5.2 Linux. I was fiddling around with config files, trying to understand what was going on. Checked those two (but was not able to understand much 😉):
* PassAuth not working in Splunk 6.2 https://answers.splunk.com/answers/307416/passauth-not-working-in-splunk-62.html
* Scripted Input - Python SDK - passAuth Not Working https://answers.splunk.com/answers/203261/scripted-input-python-sdk-passauth-not-working.html
Later I observed that once the initial setup completed, passwords.conf looks strange. x-api-key looks the same (as the one I copy-pasted) but password is not equal to Authorisation script. Password starts with $ and seems like it was converted to some other format. Decided to paste one more time.
Initially I thought the plugin/perl does not like the API URL and was playing around with encoding, for example tried to pass on https%3A%2F%2Fapi3.central.sophos.com/gateway to avoid confusion with slashes and colons.
@nickhills - great work on creating plugin!!!
*** References:
Windows logs:
01-07-2018 18:10:29.467 +0000 ERROR ExecProcessor - message from "python "C:\Program Files\Splunk\etc\apps\sophos_central\bin\sophos_events.py"" Traceback (most recent call last):
01-07-2018 18:10:29.467 +0000 ERROR ExecProcessor - message from "python "C:\Program Files\Splunk\etc\apps\sophos_central\bin\sophos_events.py"" File "C:\Program Files\Splunk\etc\apps\sophos_central\bin\sophos_events.py", line 91, in
01-07-2018 18:10:29.467 +0000 ERROR ExecProcessor - message from "python "C:\Program Files\Splunk\etc\apps\sophos_central\bin\sophos_events.py"" main()
01-07-2018 18:10:29.467 +0000 ERROR ExecProcessor - message from "python "C:\Program Files\Splunk\etc\apps\sophos_central\bin\sophos_events.py"" File "C:\Program Files\Splunk\etc\apps\sophos_central\bin\sophos_events.py", line 31, in main
01-07-2018 18:10:29.467 +0000 ERROR ExecProcessor - message from "python "C:\Program Files\Splunk\etc\apps\sophos_central\bin\sophos_events.py"" endpoint, apiKey, auth = getCredentials(sessionKey)
01-07-2018 18:10:29.467 +0000 ERROR ExecProcessor - message from "python "C:\Program Files\Splunk\etc\apps\sophos_central\bin\sophos_events.py"" File "C:\Program Files\Splunk\etc\apps\sophos_central\bin\sophos_events.py", line 17, in getCredentials
01-07-2018 18:10:29.467 +0000 ERROR ExecProcessor - message from "python "C:\Program Files\Splunk\etc\apps\sophos_central\bin\sophos_events.py"" if "central.sophos.com" in c['realm']:
01-07-2018 18:10:29.467 +0000 ERROR ExecProcessor - message from "python "C:\Program Files\Splunk\etc\apps\sophos_central\bin\sophos_events.py"" TypeError: argument of type 'NoneType' is not iterable
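The traceback above fails at `if "central.sophos.com" in c['realm']` because one credential entry has a realm of `None`. As an added example (not part of the original post and not the app's own code), here is a guarded version of that lookup. The entry layout (`realm`, `username`, `clear_password`), the mapping of username to API key and password to authorization string, and all function names are assumptions; the entries are constructed sample data.

```python
class CredentialError(Exception):
    """Raised when no usable Sophos Central credential is stored."""


def select_credentials(entries, marker="central.sophos.com"):
    """Return (endpoint, api_key, auth) from a list of credential entries.

    Assumed entry shape: dicts with 'realm', 'username', 'clear_password'.
    """
    matches = []
    for c in entries:
        realm = c.get("realm")
        # Credentials saved without a realm come back as realm=None;
        # `marker in None` is the TypeError shown in the traceback.
        if not isinstance(realm, str) or marker not in realm:
            continue
        matches.append(c)

    if not matches:
        raise CredentialError("no stored credential with realm containing %r" % marker)
    if len(matches) > 1:
        raise CredentialError("more than one credential matches %r" % marker)

    c = matches[0]
    api_key, auth = c.get("username"), c.get("clear_password")
    if not api_key or not auth:
        # Report the realm only, never the secret values themselves.
        raise CredentialError("credential for %s is incomplete" % c["realm"])
    return c["realm"], api_key, auth


# Constructed sample data: one realm-less entry (as another app might store)
# and one entry for the endpoint named in the post.
SAMPLE_ENTRIES = [
    {"realm": None, "username": "other_app_user", "clear_password": "unrelated"},
    {"realm": "https://api3.central.sophos.com/gateway",
     "username": "EXAMPLE-API-KEY", "clear_password": "Basic EXAMPLE-AUTH"},
]

if __name__ == "__main__":
    endpoint, api_key, _auth = select_credentials(SAMPLE_ENTRIES)
    print("using endpoint", endpoint, "with key ending", api_key[-3:])
```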