LetMeR00t / TA-thehive-cortex

Technical add-on for Splunk related to TheHive/Cortex from TheHive project
GNU Lesser General Public License v3.0

[BUG] External search command 'thehivecases' returned error code 1 #38

Closed r4zr1 closed 1 year ago

r4zr1 commented 1 year ago

Hi @LetMeR00t, I am having trouble identifying the issue. I have verified that the network connection from the Splunk search head cluster to TheHive instance over HTTPS is working properly. The Splunk version I am using is 9.0.2. How can I troubleshoot the problem?

There are Python errors in search.log:

01-13-2023 13:55:10.479 ERROR ScriptRunner [3149830 phase_1] - stderr from '/var/lib/splunk/bin/python3.7 /var/lib/splunk/etc/apps/TA-thehive-cortex/bin/thehive_search_cases.py bb6fe840':  Traceback (most recent call last):
01-13-2023 13:55:10.479 ERROR ScriptRunner [3149830 phase_1] - stderr from '/var/lib/splunk/bin/python3.7 /var/lib/splunk/etc/apps/TA-thehive-cortex/bin/thehive_search_cases.py bb6fe840':    File "/var/lib/splunk/etc/apps/TA-thehive-cortex/bin/thehive_search_cases.py", line 29, in <module>
01-13-2023 13:55:10.479 ERROR ScriptRunner [3149830 phase_1] - stderr from '/var/lib/splunk/bin/python3.7 /var/lib/splunk/etc/apps/TA-thehive-cortex/bin/thehive_search_cases.py bb6fe840':      (thehive, configuration, defaults, logger) = initialize_thehive_instance(keywords, settings ,logger_name="thehive_search_cases")
01-13-2023 13:55:10.479 ERROR ScriptRunner [3149830 phase_1] - stderr from '/var/lib/splunk/bin/python3.7 /var/lib/splunk/etc/apps/TA-thehive-cortex/bin/thehive_search_cases.py bb6fe840':    File "/var/lib/splunk/etc/apps/TA-thehive-cortex/bin/thehive.py", line 23, in initialize_thehive_instance
01-13-2023 13:55:10.479 ERROR ScriptRunner [3149830 phase_1] - stderr from '/var/lib/splunk/bin/python3.7 /var/lib/splunk/etc/apps/TA-thehive-cortex/bin/thehive_search_cases.py bb6fe840':      return create_thehive_instance(instance_id, settings, logger)
01-13-2023 13:55:10.479 ERROR ScriptRunner [3149830 phase_1] - stderr from '/var/lib/splunk/bin/python3.7 /var/lib/splunk/etc/apps/TA-thehive-cortex/bin/thehive_search_cases.py bb6fe840':    File "/var/lib/splunk/etc/apps/TA-thehive-cortex/bin/thehive.py", line 31, in create_thehive_instance
01-13-2023 13:55:10.479 ERROR ScriptRunner [3149830 phase_1] - stderr from '/var/lib/splunk/bin/python3.7 /var/lib/splunk/etc/apps/TA-thehive-cortex/bin/thehive_search_cases.py bb6fe840':      configuration = Settings(spl, settings, logger)
01-13-2023 13:55:10.479 ERROR ScriptRunner [3149830 phase_1] - stderr from '/var/lib/splunk/bin/python3.7 /var/lib/splunk/etc/apps/TA-thehive-cortex/bin/thehive_search_cases.py bb6fe840':    File "/var/lib/splunk/etc/apps/TA-thehive-cortex/bin/common.py", line 28, in __init__
01-13-2023 13:55:10.479 ERROR ScriptRunner [3149830 phase_1] - stderr from '/var/lib/splunk/bin/python3.7 /var/lib/splunk/etc/apps/TA-thehive-cortex/bin/thehive_search_cases.py bb6fe840':      self.client.get("TA_thehive_cortex_settings/logging", owner="nobody", app=self.namespace, **self.query).body.read())["entry"][0]["content"]
01-13-2023 13:55:10.479 ERROR ScriptRunner [3149830 phase_1] - stderr from '/var/lib/splunk/bin/python3.7 /var/lib/splunk/etc/apps/TA-thehive-cortex/bin/thehive_search_cases.py bb6fe840':    File "/var/lib/splunk/etc/apps/TA-thehive-cortex/bin/ta_thehive_cortex/aob_py3/splunklib/binding.py", line 291, in wrapper
01-13-2023 13:55:10.479 ERROR ScriptRunner [3149830 phase_1] - stderr from '/var/lib/splunk/bin/python3.7 /var/lib/splunk/etc/apps/TA-thehive-cortex/bin/thehive_search_cases.py bb6fe840':      return request_fun(self, *args, **kwargs)
01-13-2023 13:55:10.479 ERROR ScriptRunner [3149830 phase_1] - stderr from '/var/lib/splunk/bin/python3.7 /var/lib/splunk/etc/apps/TA-thehive-cortex/bin/thehive_search_cases.py bb6fe840':    File "/var/lib/splunk/etc/apps/TA-thehive-cortex/bin/ta_thehive_cortex/aob_py3/splunklib/binding.py", line 72, in new_f
01-13-2023 13:55:10.479 ERROR ScriptRunner [3149830 phase_1] - stderr from '/var/lib/splunk/bin/python3.7 /var/lib/splunk/etc/apps/TA-thehive-cortex/bin/thehive_search_cases.py bb6fe840':      val = f(*args, **kwargs)
01-13-2023 13:55:10.479 ERROR ScriptRunner [3149830 phase_1] - stderr from '/var/lib/splunk/bin/python3.7 /var/lib/splunk/etc/apps/TA-thehive-cortex/bin/thehive_search_cases.py bb6fe840':    File "/var/lib/splunk/etc/apps/TA-thehive-cortex/bin/ta_thehive_cortex/aob_py3/splunklib/binding.py", line 697, in get
01-13-2023 13:55:10.479 ERROR ScriptRunner [3149830 phase_1] - stderr from '/var/lib/splunk/bin/python3.7 /var/lib/splunk/etc/apps/TA-thehive-cortex/bin/thehive_search_cases.py bb6fe840':      response = self.http.get(path, all_headers, **query)
01-13-2023 13:55:10.479 ERROR ScriptRunner [3149830 phase_1] - stderr from '/var/lib/splunk/bin/python3.7 /var/lib/splunk/etc/apps/TA-thehive-cortex/bin/thehive_search_cases.py bb6fe840':    File "/var/lib/splunk/etc/apps/TA-thehive-cortex/bin/ta_thehive_cortex/aob_py3/splunklib/binding.py", line 1230, in get
01-13-2023 13:55:10.479 ERROR ScriptRunner [3149830 phase_1] - stderr from '/var/lib/splunk/bin/python3.7 /var/lib/splunk/etc/apps/TA-thehive-cortex/bin/thehive_search_cases.py bb6fe840':      return self.request(url, { 'method': "GET", 'headers': headers })
01-13-2023 13:55:10.479 ERROR ScriptRunner [3149830 phase_1] - stderr from '/var/lib/splunk/bin/python3.7 /var/lib/splunk/etc/apps/TA-thehive-cortex/bin/thehive_search_cases.py bb6fe840':    File "/var/lib/splunk/etc/apps/TA-thehive-cortex/bin/ta_thehive_cortex/aob_py3/splunklib/binding.py", line 1292, in request
01-13-2023 13:55:10.479 ERROR ScriptRunner [3149830 phase_1] - stderr from '/var/lib/splunk/bin/python3.7 /var/lib/splunk/etc/apps/TA-thehive-cortex/bin/thehive_search_cases.py bb6fe840':      response = self.handler(url, message, **kwargs)
01-13-2023 13:55:10.479 ERROR ScriptRunner [3149830 phase_1] - stderr from '/var/lib/splunk/bin/python3.7 /var/lib/splunk/etc/apps/TA-thehive-cortex/bin/thehive_search_cases.py bb6fe840':    File "/var/lib/splunk/etc/apps/TA-thehive-cortex/bin/ta_thehive_cortex/aob_py3/splunklib/binding.py", line 1448, in request
01-13-2023 13:55:10.479 ERROR ScriptRunner [3149830 phase_1] - stderr from '/var/lib/splunk/bin/python3.7 /var/lib/splunk/etc/apps/TA-thehive-cortex/bin/thehive_search_cases.py bb6fe840':      connection.request(method, path, body, head)
01-13-2023 13:55:10.479 ERROR ScriptRunner [3149830 phase_1] - stderr from '/var/lib/splunk/bin/python3.7 /var/lib/splunk/etc/apps/TA-thehive-cortex/bin/thehive_search_cases.py bb6fe840':    File "/var/lib/splunk/lib/python3.7/http/client.py", line 1281, in request
01-13-2023 13:55:10.479 ERROR ScriptRunner [3149830 phase_1] - stderr from '/var/lib/splunk/bin/python3.7 /var/lib/splunk/etc/apps/TA-thehive-cortex/bin/thehive_search_cases.py bb6fe840':      self._send_request(method, url, body, headers, encode_chunked)
01-13-2023 13:55:10.479 ERROR ScriptRunner [3149830 phase_1] - stderr from '/var/lib/splunk/bin/python3.7 /var/lib/splunk/etc/apps/TA-thehive-cortex/bin/thehive_search_cases.py bb6fe840':    File "/var/lib/splunk/lib/python3.7/http/client.py", line 1327, in _send_request
01-13-2023 13:55:10.479 ERROR ScriptRunner [3149830 phase_1] - stderr from '/var/lib/splunk/bin/python3.7 /var/lib/splunk/etc/apps/TA-thehive-cortex/bin/thehive_search_cases.py bb6fe840':      self.endheaders(body, encode_chunked=encode_chunked)
01-13-2023 13:55:10.479 ERROR ScriptRunner [3149830 phase_1] - stderr from '/var/lib/splunk/bin/python3.7 /var/lib/splunk/etc/apps/TA-thehive-cortex/bin/thehive_search_cases.py bb6fe840':    File "/var/lib/splunk/lib/python3.7/http/client.py", line 1276, in endheaders
01-13-2023 13:55:10.479 ERROR ScriptRunner [3149830 phase_1] - stderr from '/var/lib/splunk/bin/python3.7 /var/lib/splunk/etc/apps/TA-thehive-cortex/bin/thehive_search_cases.py bb6fe840':      self._send_output(message_body, encode_chunked=encode_chunked)
01-13-2023 13:55:10.479 ERROR ScriptRunner [3149830 phase_1] - stderr from '/var/lib/splunk/bin/python3.7 /var/lib/splunk/etc/apps/TA-thehive-cortex/bin/thehive_search_cases.py bb6fe840':    File "/var/lib/splunk/lib/python3.7/http/client.py", line 1036, in _send_output
01-13-2023 13:55:10.479 ERROR ScriptRunner [3149830 phase_1] - stderr from '/var/lib/splunk/bin/python3.7 /var/lib/splunk/etc/apps/TA-thehive-cortex/bin/thehive_search_cases.py bb6fe840':      self.send(msg)
01-13-2023 13:55:10.479 ERROR ScriptRunner [3149830 phase_1] - stderr from '/var/lib/splunk/bin/python3.7 /var/lib/splunk/etc/apps/TA-thehive-cortex/bin/thehive_search_cases.py bb6fe840':    File "/var/lib/splunk/lib/python3.7/http/client.py", line 976, in send
01-13-2023 13:55:10.479 ERROR ScriptRunner [3149830 phase_1] - stderr from '/var/lib/splunk/bin/python3.7 /var/lib/splunk/etc/apps/TA-thehive-cortex/bin/thehive_search_cases.py bb6fe840':      self.connect()
01-13-2023 13:55:10.479 ERROR ScriptRunner [3149830 phase_1] - stderr from '/var/lib/splunk/bin/python3.7 /var/lib/splunk/etc/apps/TA-thehive-cortex/bin/thehive_search_cases.py bb6fe840':    File "/var/lib/splunk/lib/python3.7/http/client.py", line 1443, in connect
01-13-2023 13:55:10.479 ERROR ScriptRunner [3149830 phase_1] - stderr from '/var/lib/splunk/bin/python3.7 /var/lib/splunk/etc/apps/TA-thehive-cortex/bin/thehive_search_cases.py bb6fe840':      super().connect()
01-13-2023 13:55:10.479 ERROR ScriptRunner [3149830 phase_1] - stderr from '/var/lib/splunk/bin/python3.7 /var/lib/splunk/etc/apps/TA-thehive-cortex/bin/thehive_search_cases.py bb6fe840':    File "/var/lib/splunk/lib/python3.7/http/client.py", line 948, in connect
01-13-2023 13:55:10.479 ERROR ScriptRunner [3149830 phase_1] - stderr from '/var/lib/splunk/bin/python3.7 /var/lib/splunk/etc/apps/TA-thehive-cortex/bin/thehive_search_cases.py bb6fe840':      (self.host,self.port), self.timeout, self.source_address)
01-13-2023 13:55:10.479 ERROR ScriptRunner [3149830 phase_1] - stderr from '/var/lib/splunk/bin/python3.7 /var/lib/splunk/etc/apps/TA-thehive-cortex/bin/thehive_search_cases.py bb6fe840':    File "/var/lib/splunk/lib/python3.7/socket.py", line 728, in create_connection
01-13-2023 13:55:10.479 ERROR ScriptRunner [3149830 phase_1] - stderr from '/var/lib/splunk/bin/python3.7 /var/lib/splunk/etc/apps/TA-thehive-cortex/bin/thehive_search_cases.py bb6fe840':      raise err
01-13-2023 13:55:10.479 ERROR ScriptRunner [3149830 phase_1] - stderr from '/var/lib/splunk/bin/python3.7 /var/lib/splunk/etc/apps/TA-thehive-cortex/bin/thehive_search_cases.py bb6fe840':    File "/var/lib/splunk/lib/python3.7/socket.py", line 716, in create_connection
01-13-2023 13:55:10.479 ERROR ScriptRunner [3149830 phase_1] - stderr from '/var/lib/splunk/bin/python3.7 /var/lib/splunk/etc/apps/TA-thehive-cortex/bin/thehive_search_cases.py bb6fe840':      sock.connect(sa)
01-13-2023 13:55:10.479 ERROR ScriptRunner [3149830 phase_1] - stderr from '/var/lib/splunk/bin/python3.7 /var/lib/splunk/etc/apps/TA-thehive-cortex/bin/thehive_search_cases.py bb6fe840':  ConnectionRefusedError: [Errno 111] Connection refused
01-13-2023 13:55:10.494 ERROR script [3149830 phase_1] - SearchMessage orig_component=script sid=_a29uc3RhbnRpbi5yYWZpa292_a29uc3RhbnRpbi5yYWZpa292_VEEtdGhlaGl2ZS1jb3J0ZXg__search7_1673618110.165_462BC5F6-182C-45C1-9803-D30771E5220B message_key=EXTERN:SCRIPT_NONZERO_RETURN__%s_%d_%s message=External search command 'thehivecases' returned error code 1. .
remg427 commented 1 year ago

Hello, Splunk version 9.0.x introduced some changes and the python lib request does not work well, especially if connections use a proxy. For another app I had to switch to urllib3. Remi

r4zr1 commented 1 year ago

I checked on a clean install of Splunk 9.0.3 in Docker and it runs smoothly. It seems that this problem is not related to 9.0.X versions.

LetMeR00t commented 1 year ago

Hi, thank you for submitting your issue. Could you give me more context about your infrastructure? Is it on Cloud or on premise? Are you using a proxy? At first sight it seems to be a network issue (maybe a firewall?), but it seems that you were able to perform a curl request from the Splunk search head to your instance of TheHive… Are you using a custom certificate signed by your own custom PKI?

Did you try to enable the debug mode to get more inputs about the error? If you want to copy and paste this here, please remove any sensitive information.

Thank you

r4zr1 commented 1 year ago

Hi @LetMeR00t, the infrastructure is located on-premises and no proxy is being used. The Splunk version is 9.0.3 (it has been upgraded from 9.0.2) and it has a search head cluster installed in the /var/lib/splunk dir. The systemd Splunkd.service is running under the splunk user.

I'm able to perform curl, but when attempting to open the cases tab (which executes thehive_search_cases.py), there is not even a SYN packet to the hive host visible when using tcpdump on the Splunk node.

A custom certificate signed by our own CA is being used and Certificate verification=False. Attempts to append the CA to "$APP_FOLDER$/bin/ta_thehive_cortex/aob_py3/certifi/cacert.pem" as suggested in the README didn't change anything.

When DEBUG mode is enabled, no changes are seen in the search.log, and the command_thehive_search_alerts.log and command_thehive_search_cases.log remain empty.

Thanks in advance :pray:

LetMeR00t commented 1 year ago

Hi, thank you for your detailed feedback. That is weird, you should see logs within the search.log if debug is enabled.

Are you sure you do not see any debug message within one of the searches you have in the dashboards?

Did you check the splunkd.log for any relevant information?

Do you have any error so far in the search when you run it, or nothing?

Thank you

r4zr1 commented 1 year ago

Hi! There seems to be an issue with our Splunk custom port settings. The scripts are frequently accessing https://localhost:8089/ but there is no service running on that port. I think the issue can be closed. Thank you for your time :blush:
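The traceback in the first post already points at the resolution: the failing call is splunklib's `self.client.get("TA_thehive_cortex_settings/logging", ...)`, the add-on reading its own settings over the Splunk REST API, so the refused socket belongs to the local splunkd management port, not to TheHive. The triage helper below is an added example (not part of the add-on or of this thread) that strips the ScriptRunner prefix from search.log lines, rebuilds the Python traceback, and reports which side refused the connection; the "remote-endpoint" verdict for non-splunklib network errors is an assumption, and the sample lines are a constructed, shortened copy of the traceback quoted above.

```python
"""Triage helper for stderr lines that a Splunk custom search command leaves in search.log."""
import re
from typing import Dict, List, Optional

# ScriptRunner prefixes every stderr line of the command with this header; the
# script's own text starts after the closing quote and exactly two spaces.
STDERR_RE = re.compile(
    r"^(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) ERROR ScriptRunner "
    r"\[(?P<pid>\d+) (?P<phase>\w+)\] - stderr from '(?P<cmd>[^']+)':  (?P<text>.*)$"
)
# Standard Python traceback frame: two-space indent, path, line number, function.
FRAME_RE = re.compile(r'^  File "(?P<path>[^"]+)", line (?P<line>\d+), in (?P<func>\S+)$')


def reconstruct_traceback(log_lines: List[str]) -> List[str]:
    """Return the script's stderr text in order, ignoring unrelated search.log lines."""
    out = []
    for line in log_lines:
        m = STDERR_RE.match(line.rstrip("\n"))
        if m:
            out.append(m.group("text"))
    return out


def parse_frames(stderr: List[str]) -> List[Dict[str, str]]:
    """Extract path / line / function for every 'File ...' frame of the traceback."""
    return [m.groupdict() for m in (FRAME_RE.match(t) for t in stderr) if m]


def final_exception(stderr: List[str]) -> Optional[str]:
    """The last unindented line that is not the 'Traceback' header."""
    for text in reversed(stderr):
        if text and not text.startswith(" ") and not text.startswith("Traceback"):
            return text
    return None


def classify(stderr: List[str]) -> str:
    """Decide which side of the integration refused the connection.

    A stack passing through splunklib/binding.py is opening a socket to the
    Splunk REST API (the splunkd management port the add-on reads its settings
    from), not to TheHive; a refused connection there means the command targets
    a management URI/port on which no splunkd listens, as in this issue.
    """
    exc = final_exception(stderr) or ""
    via_splunklib = any("splunklib/binding.py" in f["path"] for f in parse_frames(stderr))
    if exc.startswith("ConnectionRefusedError") and via_splunklib:
        return "splunkd-management-port"
    if exc.startswith(("ConnectionRefusedError", "ConnectionError", "TimeoutError")):
        return "remote-endpoint"  # assumption: network failure outside splunklib is the TheHive side
    return "other"


# Constructed sample: a shortened copy of the traceback quoted in the issue, plus
# the unrelated 'ERROR script' line that the triage must skip.
_PREFIX = ("01-13-2023 13:55:10.479 ERROR ScriptRunner [3149830 phase_1] - stderr from "
           "'/var/lib/splunk/bin/python3.7 /var/lib/splunk/etc/apps/TA-thehive-cortex/bin/"
           "thehive_search_cases.py bb6fe840':  ")
SAMPLE_LOG = [_PREFIX + t for t in [
    "Traceback (most recent call last):",
    '  File "/var/lib/splunk/etc/apps/TA-thehive-cortex/bin/common.py", line 28, in __init__',
    '    self.client.get("TA_thehive_cortex_settings/logging", owner="nobody", app=self.namespace, **self.query).body.read())["entry"][0]["content"]',
    '  File "/var/lib/splunk/etc/apps/TA-thehive-cortex/bin/ta_thehive_cortex/aob_py3/splunklib/binding.py", line 1448, in request',
    "    connection.request(method, path, body, head)",
    '  File "/var/lib/splunk/lib/python3.7/socket.py", line 716, in create_connection',
    "    sock.connect(sa)",
    "ConnectionRefusedError: [Errno 111] Connection refused",
]] + ["01-13-2023 13:55:10.494 ERROR script [3149830 phase_1] - SearchMessage orig_component=script "
      "message=External search command 'thehivecases' returned error code 1."]

if __name__ == "__main__":
    tb = reconstruct_traceback(SAMPLE_LOG)
    print("\n".join(tb))
    print("exception:", final_exception(tb))
    print("verdict:", classify(tb))
```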