I am getting the following errors. I am guessing it's because somehow it's not able to retrieve the auth keys in $HOME/.splunk ... the documentation says diddlysquat about this. Anyone figured this out?
DEBUG: LOGGRABBER configuration file is: /opt/splunk/etc/apps/splunk_opseclea/bin/fw1-loggrabber.conf
DEBUG: function logging_init_env
DEBUG: function open_screen
DEBUG: Open connection to screen.
DEBUG: Logfilename : fw.log
DEBUG: Record Separator : |
DEBUG: Resolve Addresses: No
DEBUG: Show Filenames : No
DEBUG: FW1-2000 : No
DEBUG: Online-Mode : No
DEBUG: Audit-Log : No
DEBUG: Show Fieldnames : Yes
DEBUG: function get_fw1_logfiles
splunk internal call command: $SPLUNK_HOME/bin/splunk _internal call /servicesNS/nobody/splunk_opseclea/opsec/opsec_conf/CP
splunk output: QUERYING: 'https://127.0.0.1:8089/servicesNS/nobody/splunk_opseclea/opsec/opsec_conf/CP'
FAILED: 'HTTP/1.1 401 Unauthorized'
Content:
<?xml version="1.0" encoding="UTF-8"?>
splunkd request failed, 401:
$SPLUNK_HOME/bin/splunk _internal call /servicesNS/nobody/splunk_opseclea/opsec/opsec_conf/CP
QUERYING: 'https://127.0.0.1:8089/servicesNS/nobody/splunk_opseclea/opsec/opsec_conf/CP'
FAILED: 'HTTP/1.1 401 Unauthorized'
Content:
<?xml version="1.0" encoding="UTF-8"?>
ERROR: unable to get splunk lea config arguments
DEBUG: function exit_loggrabber
DEBUG: function free_lfield_arrays
DEBUG: function free_afield_arrays
DEBUG: function free_lfield_arrays
DEBUG: function free_afield_arrays
[root@sbidcsplfwd-slog01 bin]#
Further to my comment - to run this manually you need to:
SPLUNK_TOK=$auth_key
export SPLUNK_TOK
And to get the auth key:
curl -k -u admin:pass https://localhost:8089/services/auth/login \
-d username=admin -d password=pass
Actually I get nothing in $HOME when I run it with curl, but only if I do "splunk login".
Is it sufficient to leave passAuth = admin?
Would this be the same when running inside Splunk? What directory would that be then? I suppose that would be under the user running splunk. So /home/splunk/.splunk would be $HOME....
Actually I am running as root and I am able to get credentials written to $HOME/.splunk when I manually run the curl command.
If splunkd is restarted, a new session key will be provided by passAuth. The problem is that your $HOME directory is not writable. Without a writable $HOME, splunk cannot store any session information on the command line.
I get the same error when it runs as a scripted input as well.
And what if splunkd is restarted?
This is correct, we assume that we are running as a scripted input in the Splunk runtime and that passAuth is providing us a valid Splunk session key.
How are you testing this? The command needs to be able to get data from Splunk's API and expects to be called by Splunk which will pass in credentials. This doc runs through the options for enabling debug logging: http://docs.splunk.com/Documentation/OPSEC-LEA/latest/Install/Enabledebugging
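Putting the manual workaround (SPLUNK_TOK from a /services/auth/login call) and the explanation of passAuth together, here is an added example of how a scripted input should resolve its Splunk session key and use it for the same REST call that returns 401 in the log above. This is illustration code, not code from the splunk_opseclea app or from anyone in this thread; it assumes that splunkd writes the passAuth session key to the script's stdin, that SPLUNK_HOST is host:port, and the sample login XML used in its test is constructed.

```shell
#!/bin/sh
# Added example, not code from the splunk_opseclea app or the thread. Shows how a
# scripted input obtains its session key (passAuth delivers it on stdin, SPLUNK_TOK
# is the manual fallback) and uses it for the config query that fails with 401 above.
# Assumptions: SPLUNK_HOST (host:port); sample XML responses are constructed.

# Pull <sessionKey> out of the XML that /services/auth/login returns (read on stdin).
extract_session_key() {
    sed -n 's/.*<sessionKey>\([^<]*\)<\/sessionKey>.*/\1/p' | head -n 1
}

# Resolve the key to use: stdin first (what splunkd writes when passAuth is set),
# then SPLUNK_TOK (the manual workaround). Returns 1 if neither is present, which is
# the state that produces "HTTP/1.1 401 Unauthorized" in the log.
resolve_session_key() {
    key=""
    if [ ! -t 0 ]; then
        read -r key || true
    fi
    [ -n "$key" ] || key="${SPLUNK_TOK:-}"
    [ -n "$key" ] || return 1
    printf '%s\n' "$key"
}

# Map the HTTP status of the config query to an operator-readable cause.
explain_status() {
    case "$1" in
        200) echo "ok" ;;
        401) echo "unauthorized: no session key was passed, or it expired (e.g. splunkd restart)" ;;
        *)   echo "unexpected HTTP status $1" ;;
    esac
}

# Query the app's config endpoint with the key in the Authorization header, the same
# endpoint the log shows being called via "splunk _internal call". Prints the body,
# then the HTTP status code on the last line.
fetch_lea_config() {
    curl -k -s -w '\n%{http_code}' -H "Authorization: Splunk $1" \
        "https://${SPLUNK_HOST:-127.0.0.1:8089}/servicesNS/nobody/splunk_opseclea/opsec/opsec_conf/CP"
}

# The network call only runs when explicitly requested (RUN_EXAMPLE=1).
if [ "${RUN_EXAMPLE:-0}" = "1" ]; then
    key=$(resolve_session_key) || { echo "ERROR: no session key via passAuth or SPLUNK_TOK" >&2; exit 1; }
    out=$(fetch_lea_config "$key")
    explain_status "$(printf '%s\n' "$out" | tail -n 1)"
fi
```

Run with RUN_EXAMPLE=1 and either a key on stdin or SPLUNK_TOK exported to reproduce the 401 versus 200 outcome against a real splunkd.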