All Apps and Add-ons

Netwitness API: Authentication failure for search app- but not full sessions app

kprior201_lilly
Path Finder

When using the search app for RSA Netwitness, I receive the following errors.
However, when I use the non-search version of the app, I have no issues with authentication.
The credentials and environments are exactly the same otherwise. I've tried using the PassAuth and configuration file authentication options, but I get the same results regardless. Any advice?

ERROR: Check settings in nwsdk_query.conf.
ERROR: Couldn't read authentication details PassAuth or from nwsdk_query.conf.
0 Karma
1 Solution

rataide
Path Finder

Hi!

Did you configured them via the UI in both cases? Each app will need it's passwords.conf version and each server uses a different key to encrypt these.

If hard-coded just remove the PassAuth line in inputs.conf. Also could you share the exact error, could it be an issue with the query instead? The non-query version of the app works in a different way retrieving the data based on sessions not on a specific query. The complete equivalent would be:

query=select *

Hope this helps!

Thank you,

Rui

View solution in original post

rataide
Path Finder

Hi!

Did you configured them via the UI in both cases? Each app will need it's passwords.conf version and each server uses a different key to encrypt these.

If hard-coded just remove the PassAuth line in inputs.conf. Also could you share the exact error, could it be an issue with the query instead? The non-query version of the app works in a different way retrieving the data based on sessions not on a specific query. The complete equivalent would be:

query=select *

Hope this helps!

Thank you,

Rui

kprior201_lilly
Path Finder

I did try to configure via UI, but I've reverted to the hard coding for testing at least. I saw in a different post that there may be a SSO issue, so I figured I'd start there.

The query I'm using is exactly the one you mentioned above just so I can verify functionality. I'm trying to work around the issue by creating the filter within Netwitness itself for the time being, but it's not cooperating either (of course). haha.

0 Karma

rataide
Path Finder

Hell again,

Just wondering if you were able to solve the issue?

Thank you,

Rui

rataide
Path Finder

Yes, SSO is an issue. If that is the case then hard-coded should work but you need to remove the PassAuth config setting in inputs.conf.

And yes, the approach of controlling with something on the NetWitness side is ideal as on the Splunk side it would require a restart.

So something like below would be ideal

query = select * where alert='Splunk_alert'

0 Karma
Get Updates on the Splunk Community!

Synthetic Monitoring: Not your Grandma’s Polyester! Tech Talk: DevOps Edition

Register today and join TekStream on Tuesday, February 28 at 11am PT/2pm ET for a demonstration of Splunk ...

Instrumenting Java Websocket Messaging

Instrumenting Java Websocket MessagingThis article is a code-based discussion of passing OpenTelemetry trace ...

Announcing General Availability of Splunk Incident Intelligence!

Digital transformation is real! Across industries, companies big and small are going through rapid digital ...