
Sophos Central App for Splunk unable to make connection to API

att35
Builder

Hi,

We are trying to implement Sophos Central App for Splunk but it does not seem to establish a connection with Central API. After adding the credentials and restarting Splunk, there is no data being retrieved for the sourcetype = sophos:central:alert. All dashboard panels are blank.

In the logs, we see the following:

05-10-2018 09:33:26.940 -0400 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/sophos_central/bin/sophos_events.py" No handlers could be found for logger "splunk.rest"
05-10-2018 09:33:26.940 -0400 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/sophos_central/bin/sophos_events.py" Traceback (most recent call last):
05-10-2018 09:33:26.940 -0400 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/sophos_central/bin/sophos_events.py"   File "/opt/splunk/etc/apps/sophos_central/bin/sophos_events.py", line 91, in <module>
05-10-2018 09:33:26.940 -0400 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/sophos_central/bin/sophos_events.py"     main()
05-10-2018 09:33:26.940 -0400 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/sophos_central/bin/sophos_events.py"   File "/opt/splunk/etc/apps/sophos_central/bin/sophos_events.py", line 31, in main
05-10-2018 09:33:26.941 -0400 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/sophos_central/bin/sophos_events.py"     endpoint, apiKey, auth = getCredentials(sessionKey)
05-10-2018 09:33:26.941 -0400 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/sophos_central/bin/sophos_events.py"   File "/opt/splunk/etc/apps/sophos_central/bin/sophos_events.py", line 13, in getCredentials
05-10-2018 09:33:26.941 -0400 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/sophos_central/bin/sophos_events.py"     raise Exception("Could not get %s credentials from splunk. Error: %s" % (myapp, str(e)))
05-10-2018 09:33:26.941 -0400 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/sophos_central/bin/sophos_events.py" Exception: Could not get sophos_central credentials from splunk. Error: Splunkd daemon is not responding: ('Error connecting to /servicesNS/nobody/sophos_central/admin/passwords: [Errno 111] Connection refused',)
05-10-2018 09:34:57.075 -0400 INFO  ExecProcessor - New scheduled exec process: python /opt/splunk/etc/apps/sophos_central/bin/sophos_alerts.py
05-10-2018 09:34:57.075 -0400 INFO  ExecProcessor - New scheduled exec process: python /opt/splunk/etc/apps/sophos_central/bin/sophos_events.py
05-10-2018 09:34:59.678 -0400 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/sophos_central/bin/sophos_alerts.py" Traceback (most recent call last):
05-10-2018 09:34:59.678 -0400 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/sophos_central/bin/sophos_alerts.py"   File "/opt/splunk/etc/apps/sophos_central/bin/sophos_alerts.py", line 87, in <module>
05-10-2018 09:34:59.678 -0400 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/sophos_central/bin/sophos_alerts.py"     main()
05-10-2018 09:34:59.678 -0400 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/sophos_central/bin/sophos_alerts.py"   File "/opt/splunk/etc/apps/sophos_central/bin/sophos_alerts.py", line 31, in main
05-10-2018 09:34:59.678 -0400 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/sophos_central/bin/sophos_alerts.py"     endpoint, apiKey, auth = getCredentials(sessionKey)
05-10-2018 09:34:59.678 -0400 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/sophos_central/bin/sophos_alerts.py"   File "/opt/splunk/etc/apps/sophos_central/bin/sophos_alerts.py", line 17, in getCredentials
05-10-2018 09:34:59.678 -0400 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/sophos_central/bin/sophos_alerts.py"     if "central.sophos.com" in c['realm']:
05-10-2018 09:34:59.678 -0400 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/sophos_central/bin/sophos_alerts.py" TypeError: argument of type 'NoneType' is not iterable
05-10-2018 09:34:59.896 -0400 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/sophos_central/bin/sophos_events.py" Traceback (most recent call last):
05-10-2018 09:34:59.896 -0400 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/sophos_central/bin/sophos_events.py"   File "/opt/splunk/etc/apps/sophos_central/bin/sophos_events.py", line 91, in <module>
05-10-2018 09:34:59.896 -0400 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/sophos_central/bin/sophos_events.py"     main()
05-10-2018 09:34:59.896 -0400 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/sophos_central/bin/sophos_events.py"   File "/opt/splunk/etc/apps/sophos_central/bin/sophos_events.py", line 31, in main
05-10-2018 09:34:59.896 -0400 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/sophos_central/bin/sophos_events.py"     endpoint, apiKey, auth = getCredentials(sessionKey)
05-10-2018 09:34:59.896 -0400 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/sophos_central/bin/sophos_events.py"   File "/opt/splunk/etc/apps/sophos_central/bin/sophos_events.py", line 17, in getCredentials
05-10-2018 09:34:59.896 -0400 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/sophos_central/bin/sophos_events.py"     if "central.sophos.com" in c['realm']:
05-10-2018 09:34:59.896 -0400 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/sophos_central/bin/sophos_events.py" TypeError: argument of type 'NoneType' is not iterable

Another answer mentioned some corruption issues and suggested to re-add the authorization string to the "password" section of password.conf. https://answers.splunk.com/answers/606523/sophos-central-app-for-splunk-execprocessor-error.html?utm...

Did that but still same error. Also, we do not see the credentials getting loaded under https://Splunk_Indexer:8089/service/storage/passwords

How can we troubleshoot this further? Any ideas? Not sure if the issue is with the App or the way Splunk is storing the password..

Many Thanks,

~ Abhi

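The second traceback above fails on an entry from storage/passwords whose realm is None. As an added troubleshooting example (not part of the original post or of the app's own code), the following Python parses the Atom feed that the Splunk storage/passwords endpoint returns and selects the Sophos Central entry without tripping over an entry that has no realm, reporting which realms exist instead. The feed layout, the field names, the sample entries and the (endpoint, apiKey, auth) mapping are assumptions; the earlier "[Errno 111] Connection refused" is a separate condition, splunkd not yet accepting connections when the scripted input ran.

```python
import xml.etree.ElementTree as ET

ATOM = "{http://www.w3.org/2005/Atom}"
SREST = "{http://dev.splunk.com/ns/rest}"

# Constructed sample of what GET .../storage/passwords is assumed to return.
# The second entry has no realm key, which is what makes the app's
# `"central.sophos.com" in c['realm']` raise TypeError on None.
SAMPLE_FEED = """<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <entry>
    <title>api.central.sophos.com:example-api-key:</title>
    <content><s:dict>
      <s:key name="realm">api.central.sophos.com</s:key>
      <s:key name="username">example-api-key</s:key>
      <s:key name="clear_password">Basic EXAMPLE-NOT-A-REAL-TOKEN</s:key>
    </s:dict></content>
  </entry>
  <entry>
    <title>:orphaned-user:</title>
    <content><s:dict>
      <s:key name="username">orphaned-user</s:key>
      <s:key name="clear_password">example-password</s:key>
    </s:dict></content>
  </entry>
</feed>"""


def parse_passwords_feed(xml_text):
    """Return one {realm, username, clear_password} dict per entry; absent keys map to None."""
    entries = []
    for entry in ET.fromstring(xml_text).iter(ATOM + "entry"):
        fields = {"realm": None, "username": None, "clear_password": None}
        for key in entry.iter(SREST + "key"):
            if key.get("name") in fields:
                fields[key.get("name")] = key.text
        entries.append(fields)
    return entries


def select_sophos_credential(entries, realm_marker="central.sophos.com"):
    """Tolerant version of the app's lookup: entries without a realm are skipped, not fatal."""
    for c in entries:
        realm = c.get("realm") or ""  # None becomes "", so `in` never raises TypeError
        if realm_marker in realm:
            # Assumed to correspond to the (endpoint, apiKey, auth) tuple in the traceback
            return realm, c["username"], c["clear_password"]
    realms = sorted(str(c.get("realm")) for c in entries)  # names only, never the secrets
    raise LookupError("no entry with realm containing %r; realms present: %s" % (realm_marker, realms))
```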
1 Solution

nickhills
Ultra Champion

Hi There, I am the original creator of this app.

I have just posted this notice as Sophos have released their own supported version of this App.

I am unable to easily support the old application as I no longer have access to a Sophos Central Subscription.
Thanks for your support, but your most reliable future path is probably with the new Sophos app as they will be able to better support you today and in the future.

If you have any questions, feel free to ask.
Happy Splunking

Nick

If my comment helps, please give it a thumbs up!


att35
Builder

Thanks Nick.


ccsfdave
Builder

Thanks Nick!

Again xpost -

Here are the links for the new Splunk Add-On:
https://splunkbase.splunk.com/app/4096/
https://splunkbase.splunk.com/app/4097/


davey1985
Explorer

What version of the app are you using? Someone else reported that the py file contained typos:

https://answers.splunk.com/answers/546351/error-in-script-sophos-alertspy-for-sophos-central.html

I noticed that I was not getting my alert logs. I found that in Line #2 of bin/sophos_alerts.py there was a missing "i" for import.

Also had to remove the reference to 'name' in the print line #87. FYI.


att35
Builder

Hi davey1985,

Thanks for the info. We are using the latest app available, i.e. 1.0.5. Also, I double checked those typos mentioned in that answer and they are no longer present in this latest version. So I am assuming some other issue..

Thanks,

~ Abhi
