Hi, im having some problems getting a sessionkey when using the sophos endpoint app. Running the script manually using splunk cmd python bin/sophos_events.py and im jjust getting:
Did not receive a session key from splunkd. Please enable passAuth in inputs.conf for this script
My local/inputs.conf looks like this:
[script://opt/splunk/etc/apps/sophos_central/bin/sophos_events.py]
start_by_shell = false
disabled = false
interval = 300
sourcetype = sophos:central:event
passAuth = splunk-system-user
index = sophos
I have also added passAuth = splunk-system-user to system/local/inputs.conf and added a commands.conf to the root folder of the app with:
[script://$SPLUNK_HOME/etc/apps/sophos_central/bin/sophos_events.py]
passauth = true
enableheaI'mr = true
I'm running this on an indexer in a non-clustered distributed environment. Nothing is being logged in var/log/splunk/python.log. The script actually just hangs when I run it until I hit enter and then I get the error. Running Splunk and executing the script as root. Really starting to do my head in if anyone can suggest anything it would be greatly appreciated!
This was because I was running it from the command line, apparently I would need to hard code the admin creds into the script to do this. Thanks to d3.iso on the slack channel for this info!
This was because I was running it from the command line, apparently I would need to hard code the admin creds into the script to do this. Thanks to d3.iso on the slack channel for this info!