Hi all,
so I am always getting these error messages indicating that the threat-intel download failed for all sources. This is absolutely OK, because the SH has no connection to the internet. What annoys me a little bit is that all these threat-intel sources are deactivated and I am still getting the errors.
My inputs.conf file in /opt/splunk/etc/apps/SA-ThreatIntelligence/local looks like this:
[threatlist://iblocklist_logmein]
disabled = 1
[threatlist://iblocklist_piratebay]
disabled = 1
[threatlist://iblocklist_proxy]
disabled = 1
[threatlist://iblocklist_rapidshare]
disabled = 1
[threatlist://iblocklist_spyware]
disabled = 1
[threatlist://iblocklist_tor]
disabled = 1
[threatlist://iblocklist_web_attacker]
disabled = 1
[threatlist://malware_domains]
disabled = 1
[threatlist://sans]
disabled = 1
[threatlist_manager://default]
disabled = 0
[threatlist://alexa_top_one_million_sites]
disabled = 1
[threatlist://icann_top_level_domain_list]
disabled = 1
[threatlist://mozilla_public_suffix_list]
disabled = 1
I do not see any problem with this configuration, but why do I still get the error messages?
Did I miss something?
Thank you!
If you're on version 4.5.0, the known issues may have a workaround for you. It's possible that the conf check is displaying errors even though the threat lists are not being accessed.
http://docs.splunk.com/Documentation/ES/4.5.0/RN/KnownIssues
search for SOLNESS-10559
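One way to confirm for yourself which threatlist:// inputs are actually enabled, independent of what the ES conf check reports, is to merge the app's default and local inputs.conf the way Splunk layers them (local keys override default keys per stanza) and list the effective "disabled" state. The script below is an added example written for this thread, not code from the original post or from Splunk; the two conf texts inside it are constructed stand-ins for SA-ThreatIntelligence/default/inputs.conf and local/inputs.conf, and the example.invalid URLs are placeholders.

```python
"""Added example (not from the original post or from Splunk): merge the
default and local layers of SA-ThreatIntelligence/inputs.conf and report
which threatlist:// inputs are effectively enabled, so a 'download failed'
message can be compared against what is really turned on.

The conf texts below are constructed for this example."""

import configparser

# Constructed stand-in for .../SA-ThreatIntelligence/default/inputs.conf
DEFAULT_CONF = """
[threatlist://iblocklist_tor]
type = threatlist
url = https://example.invalid/tor.txt
disabled = 0

[threatlist://sans]
type = threatlist
url = https://example.invalid/sans.txt
disabled = 0

[threatlist://malware_domains]
type = threatlist
url = https://example.invalid/malware.txt
disabled = 0

[threatlist_manager://default]
disabled = 0
"""

# Constructed stand-in for .../SA-ThreatIntelligence/local/inputs.conf,
# laid out like the poster's file: the local layer only sets disabled = 1.
LOCAL_CONF = """
[threatlist://iblocklist_tor]
disabled = 1

[threatlist://sans]
disabled = 1
"""


def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}.

    Splunk conf files are INI-like; only '=' separates key and value, so
    ':' is not treated as a delimiter (stanza names and URLs contain it)."""
    cp = configparser.RawConfigParser(strict=False, delimiters=("=",))
    cp.optionxform = str  # keep key case exactly as written
    cp.read_string(text)
    return {s: dict(cp.items(s)) for s in cp.sections()}


def effective_config(default_text, local_text):
    """Apply Splunk's layering: local keys override default keys per stanza."""
    merged = parse_conf(default_text)
    for stanza, keys in parse_conf(local_text).items():
        merged.setdefault(stanza, {}).update(keys)
    return merged


def is_disabled(stanza_keys):
    """Splunk accepts 1/true (case-insensitive) as 'disabled'; missing means enabled."""
    return stanza_keys.get("disabled", "0").strip().lower() in ("1", "true")


def enabled_threatlists(merged):
    """Sorted names of threatlist:// inputs that are still enabled after merging."""
    return sorted(
        stanza.split("://", 1)[1]
        for stanza, keys in merged.items()
        if stanza.startswith("threatlist://") and not is_disabled(keys)
    )


def disabled_threatlists(merged):
    """Sorted names of threatlist:// inputs that are disabled after merging."""
    return sorted(
        stanza.split("://", 1)[1]
        for stanza, keys in merged.items()
        if stanza.startswith("threatlist://") and is_disabled(keys)
    )


if __name__ == "__main__":
    cfg = effective_config(DEFAULT_CONF, LOCAL_CONF)
    print("enabled threat lists: ", enabled_threatlists(cfg))
    print("disabled threat lists:", disabled_threatlists(cfg))
```

On a real search head, point the two text inputs at the actual default and local inputs.conf of the app; if a source listed as disabled here still appears in the download-failed messages, that matches the conf-check behaviour described in the known issue rather than a problem with the local stanza.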