- Apps and Add-ons
- :
- All Apps and Add-ons
- :
- Tripwire Enterprise App for Splunk Enterprise: SCM...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I am having problems getting the FIM data from Tripwire Enterprise with the Python script while the SCM pull worked just fine. I have a distributed Splunk deployment so according to the TE app documentation, I put TA_te on the heavy forwarder. The Python scripts are supposed to pull the data and deposit it in /opt/teexports. I can see that /opt/te/exports/SCM is getting updated and the dashboard on the search heads is populated with the SCM data. However, there's no FIM data. Reviewing the splunkd.log I can see some Python errors as below:
10-29-2015 15:20:46.620 -0400 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA_te/bin/tripwire_fim.py" Exception: <ns0:Fault xmlns:ns0="http://schemas.xmlsoap.org/soap/envelope/"><faultcode>SOAP-ENV:Client</faultcode><faultstring>Failed to find object in database
10-29-2015 15:20:46.620 -0400 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA_te/bin/tripwire_fim.py" (CONTENTS), id = -9223372036298495233</faultstring><detail><com.tripwire.space.core.persistence.db.ObjectNotFoundException /></detail></ns0:Fault>
10-29-2015 15:20:46.625 -0400 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA_te/bin/tripwire_fim.py" Traceback (most recent call last):
10-29-2015 15:20:46.625 -0400 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA_te/bin/tripwire_fim.py" File "/opt/splunk/etc/apps/TA_te/bin/tripwire_fim.py", line 162, in <module>
10-29-2015 15:20:46.626 -0400 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA_te/bin/tripwire_fim.py" main()
10-29-2015 15:20:46.626 -0400 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA_te/bin/tripwire_fim.py" File "/opt/splunk/etc/apps/TA_te/bin/tripwire_fim.py", line 151, in main
10-29-2015 15:20:46.626 -0400 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA_te/bin/tripwire_fim.py" subprocess.check_call(cmd, shell=True)
10-29-2015 15:20:46.626 -0400 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA_te/bin/tripwire_fim.py" File "/opt/splunk/lib/python2.7/subprocess.py", line 540, in check_call
10-29-2015 15:20:46.628 -0400 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA_te/bin/tripwire_fim.py" raise CalledProcessError(retcode, cmd)
10-29-2015 15:20:46.628 -0400 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA_te/bin/tripwire_fim.py" subprocess.CalledProcessError: Command '/opt/splunk/bin/splunk cmd python "/opt/splunk/etc/apps/TA_te/bin/tripwire.py" -s "10.20.12.24" -u "yyyyyy" -p "xxxxxxxxxxxx" report -T "DCR" -t detailedchanges_rpt -P BooleanCriterion,currentVersionsOnly,false,displayUsers,true,displayCriteriaAtEnd,true,showContentDiff,true:RelativeTimeRangeCriterion,229,day,"In the last 229 day" -F CSV -o "/opt/teexports/FIM/tmp/DCR-hist.csv"' returned non-zero exit status 1
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
After reviewing the tripwire_fim.py script, I realized it was looking for a firstrun_fim.txt file as a condition to execute. There's already a firstrun_scm.txt so I manually created firstrun_fim.txt. That's all you need to do.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
After reviewing the tripwire_fim.py script, I realized it was looking for a firstrun_fim.txt file as a condition to execute. There's already a firstrun_scm.txt so I manually created firstrun_fim.txt. That's all you need to do.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks! This worked for me as well.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Does the file the command in line 10 exist? /opt/teexports/FIM/tmp/DCR-hist.csv
If so, I would try running that command manually from the command line:
/opt/splunk/bin/splunk cmd python "/opt/splunk/etc/apps/TA_te/bin/tripwire.py" -s "10.20.12.24" -u "yyyyyy" -p "xxxxxxxxxxxx" report -T "DCR" -t detailedchanges_rpt -P BooleanCriterion,currentVersionsOnly,false,displayUsers,true,displayCriteriaAtEnd,true,showContentDiff,true:RelativeTimeRangeCriterion,229,day,"In the last 229 day" -F CSV -o "/opt/teexports/FIM/tmp/DCR-hist.csv"'
Failed to find object in database from line 1 also suggests that either there's no FIM data objects stored, there's a credential issue with the SOAP API, or possibly the relative time range is too large. If you have access to the Tripwire API docs, it might give further insight. If this is a Tripwire-supported application, you should also check with their forums and support team.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, the file does exist:
total 0
-rw-------. 1 splunk splunk 0 Nov 2 13:10 DCR-hist.csv
Running the command directly resulted the following errors:
Traceback (most recent call last):
File
"/opt/splunk/etc/apps/TA_te/bin/tripwire.py",
line 540, in
main() File "/opt/splunk/etc/apps/TA_te/bin/tripwire.py",
line 58, in main
xml = client.report(args.title, args.type, params) File
"/opt/splunk/etc/apps/TA_te/bin/tripwire.py",
line 501, in report
return self._attachment(self._do_soap('report',
args, parseresult=False)) File
"/opt/splunk/etc/apps/TA_te/bin/tripwire.py",
line 482, in _attachment
raise Exception(ET.tostring(fault))
Exception: xmlns:ns0="http://schemas.xmlsoap.org/soap/envelope/">SOAP-ENV:ClientFailed
to find object in database
(CONTENTS), id =
-9223372036298495233 />***
So it does appear to be a missing object from the database. What can I do to fix it? The weird thing is, I have installed the same app on an all-in-one instance, with the same credential for Tripwire and it can get both FIM and SCM data without any issues. Tripwire has very little documentation on this app except a one page installation instructions. The Tripwire support says they are not responsible for this app, Splunk is, which is denied by Splunk. 😞
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I would point them at this web page, and ask them why they are advertising and distributing it via their web site if it's not supported.
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
