Solved: Why is PassAuth Failing on Sophos Central app?

samhodgson · ‎06-05-2018

Hi, im having some problems getting a sessionkey when using the sophos endpoint app. Running the script manually using splunk cmd python bin/sophos_events.py and im jjust getting:

Did not receive a session key from splunkd. Please enable passAuth in inputs.conf for this script

My local/inputs.conf looks like this:

[script://opt/splunk/etc/apps/sophos_central/bin/sophos_events.py]
start_by_shell = false
disabled = false
interval = 300
sourcetype = sophos:central:event
passAuth   = splunk-system-user
index = sophos

I have also added passAuth = splunk-system-user to system/local/inputs.conf and added a commands.conf to the root folder of the app with:

[script://$SPLUNK_HOME/etc/apps/sophos_central/bin/sophos_events.py]
passauth = true
enableheaI'mr = true

I'm running this on an indexer in a non-clustered distributed environment. Nothing is being logged in var/log/splunk/python.log. The script actually just hangs when I run it until I hit enter and then I get the error. Running Splunk and executing the script as root. Really starting to do my head in if anyone can suggest anything it would be greatly appreciated!

samhodgson · ‎06-05-2018

This was because I was running it from the command line, apparently I would need to hard code the admin creds into the script to do this. Thanks to d3.iso on the slack channel for this info!

View solution in original post

samhodgson · ‎06-05-2018

This was because I was running it from the command line, apparently I would need to hard code the admin creds into the script to do this. Thanks to d3.iso on the slack channel for this info!

Why is PassAuth Failing on Sophos Central app?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

New in Observability Cloud - Explicit Bucket Histograms