Hi,
After installing and configuring the new updated version (2.0.3) in my heavy forwarder, I am still not able to get data indexed -
From /opt/splunk/var/log/splunk/amp4e_events_input.log we have multiple PIKA exception warnings -
2022-07-06 16:09:01,655 WARNING Amp4eEvents - Connection error (1657120141.6558597, <class 'pika.exceptions.ConnectionClosed'>: The AMQP connection was closed: ('Connection to xx.xx.xx.xxx:443 failed: timeout',))! Reconnecting in about 3 seconds
2022-07-06 16:09:12,669 WARNING Amp4eEvents - Connection error (1657120152.6692934, <class 'pika.exceptions.ConnectionClosed'>: The AMQP connection was closed: ('Connection to xx.xx.xx.xxx:443 failed: timeout',))! Reconnecting in about 3 seconds
2022-07-06 16:09:23,682 WARNING Amp4eEvents - Connection error (1657120163.6827917, <class 'pika.exceptions.ConnectionClosed'>: The AMQP connection was closed: ('Connection to xx.xx.xx.xxx:443 failed: timeout',))! Reconnecting in about 3 seconds
2022-07-06 16:09:35,696 WARNING Amp4eEvents - Connection error (1657120175.6963594, <class 'pika.exceptions.ConnectionClosed'>: The AMQP connection was closed: ('Connection to xx.xx.xx.xxx:443 failed: timeout',))! Reconnecting in about 3 seconds
2022-07-06 16:09:49,714 WARNING Amp4eEvents - Connection error (1657120189.7144113, <class 'pika.exceptions.ConnectionClosed'>: The AMQP connection was closed: ('Connection to xx.xx.xx.xxx:443 failed: timeout',))! Reconnecting in about 3 seconds
2022-07-06 16:10:00,726 WARNING Amp4eEvents - Connection error (1657120200.7263784, <class 'pika.exceptions.ConnectionClosed'>: The AMQP connection was closed: ('Connection to xx.xx.xx.xxx:443 failed: timeout',))! Reconnecting in about 3 seconds
2022-07-06 16:10:11,742 WARNING Amp4eEvents - Connection error (1657120211.7426047, <class 'pika.exceptions.ConnectionClosed'>: The AMQP connection was closed: ('Connection to xx.xx.xx.xxx:443 failed: timeout',))! Reconnecting in about 3 seconds
Below are the files that are there in my local directory (/opt/splunk/etc/apps/amp4e_events_input/local)
inputs.conf -
[amp4e_events_input://Cisco AMP]
api_host = api.eu.amp.cisco.com
api_id = XXXXXXXXXXXXXXXXXXXXXXXXXXXXX
api_key = XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
event_types = 1090519054,553648143,2164260880,570425394,553648149,2164260884,2181038130,553648154,553648155,2164260892,2164260893,553648146,553648147,553648168,553648150,1090524040,1090524041,1090519081,1090519084,1107296261,1107296262,1107296263,1107296264,1107296266,1107296267,1107296268,1107296269,1107296270,1107296271,1107296272,1107296273,1107296274,1107296275,1107296276,553648173,2164260910,1107296277,1107296278,1107296279,1107296280,1107296281,1107296282,1107296285,1107296284,1107296283,1090519103,1090519105,1090519102,553648199,1090519112,1107296257,1107296258,553648222,553648225
event_types_names = Threat Detected (1090519054)---Threat Quarantined (553648143)---Quarantine Failure (2164260880)---Quarantine Restore Requested (570425394)---Quarantined Item Restored (553648149)---Quarantine Restore Failed (2164260884)---Quarantine Request Failed to be Delivered (2181038130)---Retrospective Restore from Quarantine (553648154)---Retrospective Quarantine (553648155)---Retrospective Restore from Quarantine Failed (2164260892)---Retrospective Quarantine Attempt Failed (2164260893)---Retrospective Restore of False Positive (553648146)---Retrospective Detection (553648147)---Execution Blocked (553648168)---Quarantine Restore Started (553648150)---APK Threat Detected (1090524040)---APK Custom Threat Detected (1090524041)---Rootkit Detection (1090519081)---DFC Threat Detected (1090519084)---Adobe Reader compromise (1107296261)---Microsoft Word compromise (1107296262)---Microsoft Excel compromise (1107296263)---Microsoft PowerPoint compromise (1107296264)---Adobe Reader launched a shell (1107296266)---Microsoft Word launched a shell (1107296267)---Microsoft Excel launched a shell (1107296268)---Microsoft PowerPoint launched a shell (1107296269)---Apple QuickTime compromise (1107296270)---Apple QuickTime launched a shell (1107296271)---Executed malware (1107296272)---Suspected botnet connection (1107296273)---Cloud IOC (1107296274)---Microsoft Calculator compromise (1107296275)---Microsoft Notepad compromise (1107296276)---File Fetch Completed (553648173)---File Fetch Failed (2164260910)---Connection to suspicious domain (1107296277)---Threat Detected in Low Prevalence Executable (1107296278)---Vulnerable Application Detected (1107296279)---Suspicious Download (1107296280)---Microsoft CHM Compromise (1107296281)---Suspicious Cscript Launch (1107296282)---Global Threat Alerts Event (1107296285)---Potential Ransomware (1107296284)---Possible Webshell (1107296283)---Exploit Prevention (1090519103)---Malicious Activity Detection (1090519105)---iOS Network Detection (1090519102)---Malicious Activity Block (553648199)---System Process Protection (1090519112)---Potential Dropper Infection (1107296257)---Multiple Infected Files (1107296258)---Threat Detection (553648222)---Fileless Threat Blocked (553648225)
index = xxxxxxxxxx
stream_name = Cisco AMP
server.conf -
[proxyConfig]
HTTP_PROXY = outbound-service-proxy.gateway.xxxxxxxxxxxxxx:80
HTTPS_PROXY = outbound-service-proxy.gateway.xxxxxxxxxxxxxxxxx:80
indexes.conf -
[amp]
coldPath = $SPLUNK_DB/amp/colddb
enableDataIntegrityControl = 0
enableTsidxReduction = 0
homePath = $SPLUNK_DB/amp/db
maxTotalDataSizeMB = 512000
thawedPath = $SPLUNK_DB/amp/thaweddb
app.conf -
[ui]
is_visible = 1

[launcher]

[package]
check_for_updates = 1

[install]
is_configured = 1
state = enabled
Please help and let me know what needs to be done to fix this and get the data onboarded.
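A small triage helper for warnings of the shape quoted above, added here as an example and not code from the add-on or from the post: it parses the pika reconnect lines, counts where and why the connection fails, measures the real retry cadence, and turns that into a hint for the forwarder operator. The sample lines and the 203.0.113.10 endpoint are constructed stand-ins for the masked values.

```python
import re
from collections import Counter
from statistics import median

# Constructed sample lines in the post's layout; 203.0.113.10 stands in for the masked endpoint.
SAMPLE_LOG = "\n".join([
    "2022-07-06 16:09:01,655 WARNING Amp4eEvents - Connection error (1657120141.6558597, <class 'pika.exceptions.ConnectionClosed'>: The AMQP connection was closed: ('Connection to 203.0.113.10:443 failed: timeout',))! Reconnecting in about 3 seconds",
    "2022-07-06 16:09:12,669 WARNING Amp4eEvents - Connection error (1657120152.6692934, <class 'pika.exceptions.ConnectionClosed'>: The AMQP connection was closed: ('Connection to 203.0.113.10:443 failed: timeout',))! Reconnecting in about 3 seconds",
    "2022-07-06 16:09:23,682 WARNING Amp4eEvents - Connection error (1657120163.6827917, <class 'pika.exceptions.ConnectionClosed'>: The AMQP connection was closed: ('Connection to 203.0.113.10:443 failed: timeout',))! Reconnecting in about 3 seconds",
    "2022-07-06 16:09:35,696 WARNING Amp4eEvents - Connection error (1657120175.6963594, <class 'pika.exceptions.ConnectionClosed'>: The AMQP connection was closed: ('Connection to 203.0.113.10:443 failed: timeout',))! Reconnecting in about 3 seconds",
])

# Timestamp, epoch, pika exception class, wrapped message and the announced back-off.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) WARNING Amp4eEvents - Connection error \((?P<epoch>[\d.]+), "
    r"<class '(?P<exc>[\w.]+)'>: (?P<msg>.*?)\)! Reconnecting in about (?P<wait>\d+) seconds$"
)
TARGET_RE = re.compile(r"Connection to (?P<target>[^' ]+) failed: (?P<reason>[^']+)")


def parse_line(line):
    """Return the fields of one reconnect warning, or None for any other line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["epoch"], rec["wait"] = float(rec["epoch"]), int(rec["wait"])
    t = TARGET_RE.search(rec["msg"])
    rec["target"], rec["reason"] = (t.group("target"), t.group("reason")) if t else (None, None)
    return rec


def summarize(log_text):
    """Aggregate the warnings: how many, to which endpoint, why, and how often."""
    recs = [r for r in map(parse_line, log_text.splitlines()) if r]
    gaps = [b["epoch"] - a["epoch"] for a, b in zip(recs, recs[1:])]
    return {"count": len(recs),
            "targets": Counter(r["target"] for r in recs),
            "reasons": Counter(r["reason"] for r in recs),
            "median_gap_s": median(gaps) if gaps else None,
            "advertised_wait_s": recs[0]["wait"] if recs else None}


def diagnose(summary):
    """Turn the aggregate into a triage hint for the forwarder operator."""
    if not summary["count"]:
        return "no reconnect warnings found"
    (target, n), = summary["targets"].most_common(1)
    if summary["reasons"].get("timeout") == summary["count"]:
        # 'timeout' (not 'refused') means no TCP/TLS session completes; the gap beyond the announced wait is the connect timeout.
        return (f"{n} consecutive timeouts to {target}, ~{summary['median_gap_s']:.0f}s apart vs {summary['advertised_wait_s']}s "
                "announced: check egress from the forwarder to that host:port (firewall, DNS, proxy bypass) before credentials")
    return f"{summary['count']} connection errors to {target}: {dict(summary['reasons'])}"
```

Run it against the real file with `diagnose(summarize(open('/opt/splunk/var/log/splunk/amp4e_events_input.log').read()))`; a run of nothing but timeouts to one host:port points at reachability from the forwarder rather than at the API credentials.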