I installed the app CrowdStrike Falcon Intelligence Add-on on our Splunk heavy forwarder. I attempted to configure it, but the configure page doesn't load at all. When I check the browser's console, I see:
External handler failed with code '1' and output: 'REST ERROR[1021]: Fail to decrypt the encrypted credential information - cannot concatenate 'str' and 'NoneType' objects'. See splunkd.log for stderr output.
From splunkd.log:
06-01-2020 11:46:55.999 +0000 ERROR AdminManagerExternal - Unexpected error "<class 'splunktaucclib.rest_handler.error.RestError'>" from python handler: "REST Error [500]: Internal Server Error -- Traceback (most recent call last):
  File "/opt/splunk/etc/apps/TA-crowdstrike_falcon_intel/bin/ta_crowdstrike_falcon_intel/splunktaucclib/rest_handler/handler.py", line 113, in wrapper
    for name, data, acl in meth(self, *args, **kwargs):
  File "/opt/splunk/etc/apps/TA-crowdstrike_falcon_intel/bin/ta_crowdstrike_falcon_intel/splunktaucclib/rest_handler/handler.py", line 299, in _format_response
    masked = self.rest_credentials.decrypt_for_get(name, data)
  File "/opt/splunk/etc/apps/TA-crowdstrike_falcon_intel/bin/ta_crowdstrike_falcon_intel/splunktaucclib/rest_handler/credentials.py", line 184, in decrypt_for_get
    clear_password = self._get(name)
  File "/opt/splunk/etc/apps/TA-crowdstrike_falcon_intel/bin/ta_crowdstrike_falcon_intel/splunktaucclib/rest_handler/credentials.py", line 389, in _get
    string = mgr.get_password(user=context.username())
  File "/opt/splunk/etc/apps/TA-crowdstrike_falcon_intel/bin/ta_crowdstrike_falcon_intel/solnlib/utils.py", line 154, in wrapper
    return func(*args, **kwargs)
  File "/opt/splunk/etc/apps/TA-crowdstrike_falcon_intel/bin/ta_crowdstrike_falcon_intel/solnlib/credentials.py", line 118, in get_password
    all_passwords = self._get_all_passwords()
  File "/opt/splunk/etc/apps/TA-crowdstrike_falcon_intel/bin/ta_crowdstrike_falcon_intel/solnlib/utils.py", line 154, in wrapper
    return func(*args, **kwargs)
  File "/opt/splunk/etc/apps/TA-crowdstrike_falcon_intel/bin/ta_crowdstrike_falcon_intel/solnlib/credentials.py", line 272, in _get_all_passwords
    clear_password += field_clear[index]
TypeError: cannot concatenate 'str' and 'NoneType' objects
". See splunkd.log for more details.
I tried installing the app on my local trial version of Splunk Enterprise, and the configure page loads, and I'm able to add the streaming API key and secret successfully.
I tried being hacky and copying my local passwords.conf file onto the heavy forwarder server in the same path/location, and making sure the file permissions were the same, to no avail. The config page still doesn't load, and the app still isn't configured.
What am I missing?
(Updated: My bad, there are multiple CrowdStrike issues.)