LetMeR00t / TA-thehive-cortex

Technical add-on for Splunk related to TheHive/Cortex from TheHive project
GNU Lesser General Public License v3.0

[BUG] TheHive/Cortex 2.3.2 with Splunk 9.1.1 #92

Closed webfr closed 2 months ago

webfr commented 2 months ago

Request Type

Bug

Work Environment

Question Answer
RedHat 8.10
TheHive 2.3.2

Problem Description

Can't load Settings page: "Something went wrong!" Configuration page failed to load (ERR0002)

Steps to Reproduce

  1. Push addon 2.3.2 on Splunk Enterprise Search Head Cluster 9.1.1 (clustered)
  2. Open app
  3. Settings/Configuration

Possible Solutions

-

Logs (issued from the search.log with logging mode set to DEBUG under Settings/Configuration)

07-11-2024 11:05:34.421 +0200 ERROR AdminManagerExternal [25211 TcpChannelThread] - Unexpected error "<class 'splunktaucclib.rest_handler.error.RestError'>" from python handler: "REST Error [500]: Internal Server Error -- Traceback (most recent call last):\n File "/OPT/splunk/etc/apps/TA-thehive-cortex/bin/ta_thehive_cortex/aob_py3/splunktaucclib/rest_handler/handler.py", line 117, in wrapper\n for name, data, acl in meth(self, *args, *kwargs):\n File "/OPT/splunk/etc/apps/TA-thehive-cortex/bin/ta_thehive_cortex/aob_py3/splunktaucclib/rest_handler/handler.py", line 338, in _format_all_response\n self._encrypt_raw_credentials(cont["entry"])\n File "/OPT/splunk/etc/apps/TA-thehive-cortex/bin/ta_thehive_cortex/aob_py3/splunktaucclib/rest_handler/handler.py", line 368, in _encrypt_raw_credentials\n change_list = rest_credentials.decrypt_all(data)\n File "/OPT/splunk/etc/apps/TA-thehive-cortex/bin/ta_thehive_cortex/aob_py3/splunktaucclib/rest_handler/credentials.py", line 289, in decrypt_all\n all_passwords = credential_manager._get_all_passwords()\n File "/OPT/splunk/etc/apps/TA-thehive-cortex/bin/ta_thehive_cortex/aob_py3/solnlib/utils.py", line 153, in wrapper\n return func(args, **kwargs)\n File "/OPT/splunk/etc/apps/TA-thehive-cortex/bin/ta_thehive_cortex/aob_py3/solnlib/credentials.py", line 341, in _get_all_passwords\n return self._get_clear_passwords(passwords)\n File "/OPT/splunk/etc/apps/TA-thehive-cortex/bin/ta_thehive_cortex/aob_py3/solnlib/credentials.py", line 324, in _get_clear_passwords\n clear_password += field_clear[index]\nTypeError: can only concatenate str (not "NoneType") to str\n". See splunkd.log/python.log for more details.

webfr commented 2 months ago

Same issue with standalone Splunk 9.0.1 on test environment + latest version 3.3

LetMeR00t commented 2 months ago

Hello, this kind of issue might come from an issue with the storage password on Splunk. Do you have any other application that is using the Configuration/Accounts on your Splunk instance to check if you don’t have the same issue as well? Thank you

webfr commented 2 months ago

> Hello, this kind of issue might come from an issue with the storage password on Splunk. Do you have any other application that is using the Configuration/Accounts on your Splunk instance to check if you don’t have the same issue as well? Thank you

Hello Alexandre, this might be possible. We have another addon with account management (using passwords.conf) on a heavy forwarder, not on the same search head. Do you think there is a conflict?

Your addon is crucial for us as we need to push ES alerts to TheHive 4 so we hope you can help us quickly, thanks a lot for your help.

LetMeR00t commented 2 months ago

> > Hello, this kind of issue might come from an issue with the storage password on Splunk. Do you have any other application that is using the Configuration/Accounts on your Splunk instance to check if you don’t have the same issue as well? Thank you
>
> Hello Alexandre, this might be possible. We have another addon with account management (using passwords.conf) on a heavy forwarder, not on the same search head. Do you think there is a conflict?
>
> Your addon is crucial for us as we need to push ES alerts to TheHive 4 so we hope you can help us quickly, thanks a lot for your help.

Hello. No, the storage password isn’t shared between Splunk tiers, so I’m pretty sure it’s not linked. First try a complete reinstall of the addon by removing the folder, restarting the SH and installing the app again. If it continues to fail, try looking at the other applications installed on this same search head (be careful to be on the same search head and not another one from the cluster) that might have a default or local password.conf file that might generate this issue.

LetMeR00t commented 2 months ago

Oh, maybe another thing to check! The user accessing the storage password should have the capability in his role. Make sure to test it with an admin-like account, which should have the corresponding role.

webfr commented 2 months ago

Hi Alexandre, thanks for the time spent already. I renamed passwords.conf from another addon, TA-WALLIX_Bastion/default/passwords.conf, and now Configuration is finally opening! Big thanks.
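
The check suggested in this thread (look on the same search head for other apps that carry a default or local passwords.conf) can be scripted. The following is an added example, not code from TA-thehive-cortex or Splunk; the sample tree, the app name TA-other-addon and the flag wording are constructed, and treating an empty `password` value as worth reviewing is an assumption.

```python
import sys
import tempfile
from pathlib import Path

# Constructed sample tree (hypothetical app name and values, not real add-on content).
SAMPLE = {
    "TA-thehive-cortex/local/passwords.conf":
        "[credential:constructed_realm:svc_thehive:]\npassword = $7$constructed\n",
    "TA-other-addon/default/passwords.conf":
        "# packaged with the app\n[credential:constructed_realm:svc_other:]\npassword =\n",
}

def parse_stanzas(text):
    """Minimal .conf reader: {stanza name: {key: value}}; skips comments and blanks."""
    stanzas, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return stanzas

def inventory(apps_dir):
    """List every credential stanza under <app>/{default,local}/passwords.conf with review flags."""
    findings = []
    for conf in sorted(Path(apps_dir).glob("*/*/passwords.conf")):
        scope, app = conf.parent.name, conf.parent.parent.name
        if scope not in ("default", "local"):
            continue
        for name, keys in parse_stanzas(conf.read_text(encoding="utf-8", errors="replace")).items():
            if not name.startswith("credential:"):
                continue
            # default/ means the stanza shipped with the app, not created on this instance
            flags = ["packaged in default/"] if scope == "default" else []
            if not keys.get("password"):
                flags.append("empty or missing password")
            findings.append({"app": app, "scope": scope, "stanza": name, "flags": flags})
    return findings

if __name__ == "__main__":
    apps = sys.argv[1] if len(sys.argv) > 1 else tempfile.mkdtemp()
    if len(sys.argv) == 1:  # no path given: run on the constructed sample
        for rel, body in SAMPLE.items():
            (Path(apps) / rel).parent.mkdir(parents=True, exist_ok=True)
            (Path(apps) / rel).write_text(body, encoding="utf-8")
    for f in inventory(apps):
        print(f"{f['app']}/{f['scope']}: [{f['stanza']}] {', '.join(f['flags']) or 'ok'}")
```

Run it with the path to the search head's etc/apps directory as the only argument; with no argument it reports on the constructed sample.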