Sophos Central app for Splunk: Data is not being pulled by the API

ssodhi
Explorer

Anyone with the same issue?
I'm not seeing anything being pulled by the API.
I have put the API info into the Splunk add-on.

ssodhi
Explorer

@nickhillscpl, we also need your help, buddy.

ssodhi
Explorer

@nickhillscpl

denose
Explorer

The first issue I had was with the firewall allowing calls out to the API.
Then I got some data in for sophos_events.py, but it only seemed to run/work the first time that it was allowed. After that, I can see it run every 5 minutes, but it isn't bringing in any new events.
Also, sophos_alerts.py has never brought in anything. I noticed that it was missing the Python header at the start of the file compared to the other script, and also the first 'i' in the import command at the start of the script. Even after updating the file, though, I've got no alert events in.
Hopefully the author is following these threads and I can assist with debugging.
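The two script defects denose describes (a missing Python header line and a mangled import) are the kind a quick static check catches before Splunk ever runs the input. This is an added example, not code from the Sophos Central app; it assumes the app's scripts live in /opt/splunk/etc/apps/sophos_central/bin (standard Splunk app layout) and uses the two script names the thread mentions.

```python
import ast
from pathlib import Path

# Assumed location of the add-on's input scripts (standard Splunk app layout).
APP_BIN = Path("/opt/splunk/etc/apps/sophos_central/bin")


def check_script(source: str, name: str = "<script>") -> list:
    """Return findings for one input script's source text.

    Two checks, matching what the thread reports: the script should start
    with a '#!' header line like its sibling, and it must at least parse,
    because a SyntaxError stops the script before it can emit any events
    (which looks identical to 'the API returns nothing' in the data).
    """
    findings = []
    lines = source.splitlines()
    first = lines[0] if lines else ""
    if not first.startswith("#!"):
        findings.append(f"{name}: missing '#!' header line")
    try:
        ast.parse(source, filename=name)
    except SyntaxError as exc:
        findings.append(f"{name}: syntax error at line {exc.lineno}: {exc.msg}")
    return findings


def check_app_bin(bin_dir: Path = APP_BIN) -> dict:
    """Run check_script over every .py file in the app's bin directory."""
    return {p.name: check_script(p.read_text(), p.name)
            for p in sorted(bin_dir.glob("*.py"))}


# Constructed samples standing in for the two scripts; not the real files.
GOOD_EVENTS = "#!/usr/bin/env python\nimport json\nimport sys\n\nprint(json.dumps({'ok': True}))\n"
BROKEN_ALERTS = "mport json\nimport sys\n\nprint(json.dumps({'ok': True}))\n"

if __name__ == "__main__":
    for name, src in (("sophos_events.py", GOOD_EVENTS),
                      ("sophos_alerts.py", BROKEN_ALERTS)):
        for finding in check_script(src, name) or [f"{name}: no findings"]:
            print(finding)
    if APP_BIN.is_dir():
        for name, findings in check_app_bin().items():
            print(name, findings or "ok")
```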

ssodhi
Explorer

Thanks for your reply.

I just reinstalled it and now I can't put in the API info;
it's giving me "Encountered the following error while trying to update: Error while posting to url=/servicesNS/nobody/sophos_central/storage/passwords/" now.

How's your experience with Sophos, btw?
Cheers

denose
Explorer

Hey, for that one I manually delete /opt/splunk/etc/apps/sophos_central/local/passwords.conf, then restart Splunk. Also make sure permissions are fine, but they should be. If not, create a passwords.conf there. Restart Splunk, go in and get the same error, delete it, restart Splunk, and then hopefully you can save it this time.

As for Sophos, so far so good 🙂
We have used the on-prem Enterprise Console for a few years, and it has gotten quite old and not great, but the new Sophos Central seems quite good and useful. Just ramping up the roll-out now that we've tried it for a couple of weeks in pilot with no major issues.
How do you find it?

ssodhi
Explorer

We never had any enterprise AV in place; this is our first time, and we went with central cloud management right away... We have about 1000 assets.

I have seen a couple of services getting stopped here or there, and I found out that there are issues with Windows 10 updates, but overall I don't see any issues that are causing prod/sales losses. So, like you said, so far so good!! :)) I hope it stays that way.

denose
Explorer

I just had to allow outbound HTTPS and it worked.
