
OPSEC LEA 2.0 Issue with auth keys

kenth
Splunk Employee

I am getting the following errors. I am guessing it's because somehow it's not able to retrieve the auth keys in $HOME/.splunk ... the documentation says diddlysquat about this. Anyone figured this out?

DEBUG: LOGGRABBER configuration file is: /opt/splunk/etc/apps/splunk_opseclea/bin/fw1-loggrabber.conf
DEBUG: function logging_init_env
DEBUG: function open_screen
DEBUG: Open connection to screen.
DEBUG: Logfilename : fw.log
DEBUG: Record Separator : |
DEBUG: Resolve Addresses: No
DEBUG: Show Filenames : No
DEBUG: FW1-2000 : No
DEBUG: Online-Mode : No
DEBUG: Audit-Log : No
DEBUG: Show Fieldnames : Yes
DEBUG: function get_fw1_logfiles
splunk internal call command: $SPLUNK_HOME/bin/splunk _internal call /servicesNS/nobody/splunk_opseclea/opsec/opsec_conf/CP
splunk output: QUERYING: 'https://127.0.0.1:8089/servicesNS/nobody/splunk_opseclea/opsec/opsec_conf/CP'
FAILED: 'HTTP/1.1 401 Unauthorized'
Content:
<?xml version="1.0" encoding="UTF-8"?>


call not properly authenticated

splunkd request failed, 401:
$SPLUNK_HOME/bin/splunk _internal call /servicesNS/nobody/splunk_opseclea/opsec/opsec_conf/CP
QUERYING: 'https://127.0.0.1:8089/servicesNS/nobody/splunk_opseclea/opsec/opsec_conf/CP'
FAILED: 'HTTP/1.1 401 Unauthorized'
Content:
<?xml version="1.0" encoding="UTF-8"?>


call not properly authenticated

ERROR: unable to get splunk lea config arguments
DEBUG: function exit_loggrabber
DEBUG: function free_lfield_arrays
DEBUG: function free_afield_arrays
DEBUG: function free_lfield_arrays
DEBUG: function free_afield_arrays
[root@sbidcsplfwd-slog01 bin]#


dart
Splunk Employee

Further to my comment - to run this manually you need to:

SPLUNK_TOK=$auth_key
export SPLUNK_TOK

And to get the auth key:

curl -k -u admin:pass https://localhost:8089/services/auth/login   \
 -d username=admin -d password=pass

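What the accepted answer does by hand, written out as an added example (not code from the original thread or from the OPSEC LEA add-on): a POSIX shell script that resolves the Splunk session key the way a passAuth scripted input would (an exported SPLUNK_TOK first, then a key on stdin from splunkd, then a curl login as a last resort), pulls the key out of the login XML, and sends it as the Authorization header to the endpoint that returned 401 in the question. The login response shape, the raw-key-on-stdin behaviour of passAuth, and the SPLUNK_USER / SPLUNK_PASS / SPLUNKD_URL variables are assumptions for this example, not settings the add-on defines.

```shell
#!/bin/sh
# Added example, not code from the original thread or the OPSEC LEA add-on.
# Assumptions (not verified against the add-on):
# - /services/auth/login answers <response><sessionKey>KEY</sessionKey></response>
# - a scripted input with passAuth = <user> receives the raw key as its first stdin line
# - SPLUNK_USER / SPLUNK_PASS / SPLUNKD_URL are illustrative variables
SPLUNKD_URL="${SPLUNKD_URL:-https://127.0.0.1:8089}"

# Pull the <sessionKey> element out of the login response. Plain sed, so it
# works on a forwarder host with no python or xmllint installed.
extract_session_key() {
    printf '%s\n' "$1" | sed -n 's/.*<sessionKey>\([^<]*\)<\/sessionKey>.*/\1/p' | head -n 1
}

# Accept either the login XML or a raw key (what passAuth puts on stdin)
# and return just the key with surrounding whitespace stripped.
normalize_key() {
    case "$1" in
        *'<sessionKey>'*) extract_session_key "$1" ;;
        *) printf '%s' "$1" | tr -d ' \t\r\n' ;;
    esac
}

# Header form the splunkd REST API expects for a session key.
auth_header() {
    printf 'Authorization: Splunk %s' "$1"
}

# Resolution order, mirroring the thread:
# 1. SPLUNK_TOK exported by hand (the accepted answer's manual run)
# 2. key on stdin from splunkd when inputs.conf sets passAuth
# 3. log in with curl, as the accepted answer does manually
resolve_session_key() {
    if [ -n "$SPLUNK_TOK" ]; then
        normalize_key "$SPLUNK_TOK"
        return 0
    fi
    if [ ! -t 0 ]; then
        line=$(head -n 1)
        if [ -n "$line" ]; then
            normalize_key "$line"
            return 0
        fi
    fi
    if [ -n "$SPLUNK_USER" ] && [ -n "$SPLUNK_PASS" ]; then
        # Body goes in over stdin (-d @-) so the password is not visible in ps.
        # -k matches the accepted answer (self-signed splunkd cert); pin the CA instead in production.
        xml=$(printf 'username=%s&password=%s' "$SPLUNK_USER" "$SPLUNK_PASS" \
              | curl -sk "$SPLUNKD_URL/services/auth/login" -d @-)
        extract_session_key "$xml"
        return 0
    fi
    echo "no session key: export SPLUNK_TOK, run under passAuth, or set SPLUNK_USER/SPLUNK_PASS" >&2
    return 1
}

# Call the endpoint from the question with the key, bypassing the CLI's
# $HOME/.splunk session file that the splunk _internal call relies on.
fetch_opsec_conf() {
    curl -sk -H "$(auth_header "$1")" \
        "$SPLUNKD_URL/servicesNS/nobody/splunk_opseclea/opsec/opsec_conf/CP"
}

# Only contact splunkd when invoked explicitly: ./check_tok.sh --run
if [ "$1" = "--run" ]; then
    key=$(resolve_session_key) || exit 1
    fetch_opsec_conf "$key"
fi
```

Run it with `--run` after `export SPLUNK_TOK=...` to reproduce the manual test from the accepted answer, or feed it a key on stdin to reproduce what splunkd does under passAuth. A 401 from fetch_opsec_conf with a fresh key points at the key or the endpoint, not at the $HOME/.splunk session file. Remember that a session key obtained this way stops working once splunkd restarts, which is why a scripted input should take the key from stdin each run rather than caching it.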


kenth
Splunk Employee

Actually I get nothing in $HOME when I run it with curl, but only if I do "splunk login".

Is it sufficient to leave passAuth = admin?


kenth
Splunk Employee

Would this be the same when running inside Splunk? What directory would that be then? I suppose that would be under the user running splunk. So /home/splunk/.splunk would be $HOME....

Actually I am running as root and I am able to get credentials written to $HOME/.splunk when I manually run the curl command.


araitz
Splunk Employee

If splunkd is restarted, a new session key will be provided by passAuth. The problem is that your $HOME directory is not writable. Without a writable $HOME, splunk cannot store any session information on the command line.


kenth
Splunk Employee

I get the same error when it runs as a scripted input as well.


kenth
Splunk Employee

And what if splunkd is restarted?


araitz
Splunk Employee

This is correct, we assume that we are running as a scripted input in the Splunk runtime and that passAuth is providing us a valid Splunk session key.


dart
Splunk Employee

How are you testing this? The command needs to be able to get data from Splunk's API and expects to be called by Splunk which will pass in credentials. This doc runs through the options for enabling debug logging: http://docs.splunk.com/Documentation/OPSEC-LEA/latest/Install/Enabledebugging
