Closed webfr closed 2 months ago
Hello, looks like this is due to the addon failing to read the encrypted credential; it works using clear-text in passwords.conf.
07-17-2024 14:28:21.721 +0200 WARN PasswordHandler [38267 TcpChannelThread] - Unable to decrypt passwords.conf/[credential:__REST_CREDENTIAL__#TA-thehive-cortex#configs/conf-ta_thehive_cortex_account:service_thehivesplunk_cred_sep2:]/password
UPDATE: repushing the addon from the deployer with SH-encrypted credentials in local/passwords.conf seems to solve the issue.
This was edited by a colleague, then it worked after pushing the new confs:
[splunk.es@XXXmgt1 /OPT/splunk/etc/shcluster/apps/TA-thehive-cortex/local]$ cat passwords.conf
[credential:__REST_CREDENTIAL__#TA-thehive-cortex#configs/conf-ta_thehive_cortex_account:service_thehivesplunk_cred_sep1:]
password = $7xxx
[credential:__REST_CREDENTIAL__#TA-thehive-cortex#configs/conf-ta_thehive_cortex_account:service_thehivesplunk_cred_sep2:]
password = $7xxx
[splunk.es@XXXmgt1 /OPT/splunk/etc/shcluster/apps/TA-thehive-cortex/local]$ cat app.conf
[launcher]
version = 2.3.3
[splunk.es@XXXmgt1 /OPT/splunk/etc/shcluster/apps/TA-thehive-cortex/local]$ cat addon_builder.conf
# this file is generated by add-on builder automatically
# please do not edit it
[base]
builder_version = 4.1.1
builder_build = 0
is_edited = 1
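The warning quoted in the comment above, `Unable to decrypt passwords.conf/[...]/password`, is what splunkd logs when it cannot decrypt a `$7$` value; the usual cause is that the value was encrypted under a different splunk.secret than the one on the member reading it, which matches the comment's observation that the same credential works once it is re-encrypted on a search head and pushed from the deployer. The script below is an added example, not code from TA-thehive-cortex or Splunk: it parses a passwords.conf, splits the REST credential stanza names into app, conf file, account and chunk index, and, given the raw contents of a member's splunk.secret, reports which `$7$` values that secret can decrypt. The `$7$` scheme it implements (PBKDF2-HMAC-SHA256 with salt `disk-encryption` and one iteration over the first 254 bytes of splunk.secret, then AES-256-GCM with a 16-byte IV prefix and 16-byte tag suffix) is the one the open-source splunksecrets tool uses; the third-party `cryptography` package is needed only for the decrypt step. The sample stanzas, the secret and the `$7$` payload are constructed placeholders, so the decrypt attempt on the sample is expected to fail.

```python
"""Audit a Splunk passwords.conf: which stanzas are clear-text, which are $7$
encrypted, and which $7$ values a given splunk.secret can actually decrypt.
Added example, not TA-thehive-cortex or Splunk code. The $7$ scheme implemented
here is the one used by the open-source splunksecrets tool: PBKDF2-HMAC-SHA256
(salt "disk-encryption", 1 iteration) over the first 254 bytes of splunk.secret,
then AES-256-GCM with a 16-byte IV prefix and a 16-byte tag suffix.
"""
import base64
import hashlib

REST_PREFIX = "credential:__REST_CREDENTIAL__#"
CHUNK_SEP = "splunk_cred_sep"  # Splunk writes ``splunk_cred_sep``; backticks are stripped below


def parse_passwords_conf(text):
    """Return {stanza_name: password value or None} from passwords.conf text."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, None)
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            if key.strip() == "password":
                stanzas[current] = value.strip()
    return stanzas


def parse_rest_credential(stanza):
    """Split credential:__REST_CREDENTIAL__#<app>#configs/conf-<conf>:<account>``splunk_cred_sep``<n>:
    into its parts; returns None for stanzas that are not REST credentials."""
    name = stanza.replace("`", "")
    if not name.startswith(REST_PREFIX):
        return None
    app, _, rest = name[len(REST_PREFIX):].partition("#")
    conf, _, account_part = rest.partition(":")
    if conf.startswith("configs/conf-"):
        conf = conf[len("configs/conf-"):]
    account, _, chunk = account_part.partition(CHUNK_SEP)
    chunk = chunk.rstrip(":")
    return {"app": app, "conf": conf, "account": account,
            "chunk": int(chunk) if chunk.isdigit() else None}


def decrypt_dollar7(value, splunk_secret):
    """Decrypt one $7$ value with the raw bytes of a splunk.secret file."""
    from cryptography.hazmat.primitives.ciphers.aead import AESGCM  # third-party, decrypt only
    if not value.startswith("$7$"):
        raise ValueError("not a $7$ value")
    payload = base64.b64decode(value[3:])
    if len(payload) < 32:
        raise ValueError("payload shorter than IV + tag")
    key = hashlib.pbkdf2_hmac("sha256", splunk_secret.strip()[:254], b"disk-encryption", 1, dklen=32)
    iv, ct_with_tag = payload[:16], payload[16:]  # AESGCM.decrypt expects ciphertext||tag
    return AESGCM(key).decrypt(iv, ct_with_tag, None).decode("utf-8")


def audit(conf_text, splunk_secret=None):
    """One entry per stanza: scheme, decryptability under splunk_secret, parsed name."""
    report = []
    for stanza, value in parse_passwords_conf(conf_text).items():
        entry = {"stanza": stanza, "meta": parse_rest_credential(stanza)}
        if value is None:
            entry.update(scheme="missing", status="no password key")
        elif value.startswith("$7$"):
            entry["scheme"] = "$7$"
            if splunk_secret is None:
                entry["status"] = "unchecked"
            else:
                try:
                    decrypt_dollar7(value, splunk_secret)
                    entry["status"] = "decrypts with this splunk.secret"
                except ImportError:
                    entry["status"] = "unchecked (cryptography not installed)"
                except Exception as exc:  # InvalidTag, bad base64, short payload
                    entry["status"] = "undecryptable: " + type(exc).__name__
        elif value.startswith("$1$"):
            entry.update(scheme="$1$", status="legacy scheme, not handled here")
        else:
            entry.update(scheme="clear-text", status="splunkd re-encrypts it with the local splunk.secret")
        report.append(entry)
    return report


# Constructed sample modelled on the thread's stanzas; the $7$ payload is filler bytes,
# so it must fail to decrypt under any secret, and the secret is a placeholder.
SAMPLE_CONF = """\
[credential:__REST_CREDENTIAL__#TA-thehive-cortex#configs/conf-ta_thehive_cortex_account:service_thehive``splunk_cred_sep``1:]
password = {enc}
[credential:__REST_CREDENTIAL__#TA-thehive-cortex#configs/conf-ta_thehive_cortex_account:service_thehive``splunk_cred_sep``2:]
password = {{"api_key": "not-a-real-key"}}
""".format(enc="$7$" + base64.b64encode(bytes(range(48))).decode())
SAMPLE_SECRET = b"constructed-placeholder-splunk.secret-" * 4

if __name__ == "__main__":
    import sys  # usage: python3 audit_passwords.py passwords.conf splunk.secret (no args: sample)
    if len(sys.argv) == 3:
        conf_text, secret = open(sys.argv[1]).read(), open(sys.argv[2], "rb").read()
    else:
        conf_text, secret = SAMPLE_CONF, SAMPLE_SECRET
    for e in audit(conf_text, secret):
        m = e["meta"] or {}
        print(f"{e['scheme']:<10} {e['status']:<50} {m.get('account', '?')} chunk={m.get('chunk')}")
```

Run it on each cluster member against `$SPLUNK_HOME/etc/apps/TA-thehive-cortex/local/passwords.conf` and that member's `$SPLUNK_HOME/etc/auth/splunk.secret`: a stanza that is undecryptable on one member and decryptable on another means the members do not share the same splunk.secret, or the value was encrypted on a host (such as the deployer) whose secret differs. A clear-text value pushed in local/passwords.conf sidesteps that because splunkd re-encrypts it locally on start, but it means the secret sits in clear in the deployer bundle until then, so protect that bundle accordingly.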
Request Type
Bug
Work Environment
RedHat 8.10 TheHive 2.3.2
Problem Description
Hello, following the advice from https://github.com/LetMeR00t/TA-thehive-cortex/issues/67 to sync conf files, we are getting errors:
2024-07-15T17:17:15.705+02:00,s303lfaXXX1,48,"07-15-2024 17:17:15.705 +0200 WARN sendmodalert [47394 AlertNotifierWorker-21] - action=thehive_create_a_new_alert - Alert action script returned error code=48"
Only 1 of 3 search heads can create alerts in TheHive 4 with addon 2.3.2. For your information, we are contacting an haproxy VIP.
From one of the failing search heads:
cat /OPT/splunk/var/log/splunk/command_thehive_search_alerts.log
2024-07-15 12:46:54,356 WARNING thehive:142 - [TH48] THE_HIVE_PROXY_ERROR - It seems that the connection to the proxy has failed. Proxy information are: None. Complete error: Error: HTTPSConnectionPool(host='thehive.XXX.XX', port=443): Max retries exceeded with url: /api/case/_search?range=all (Caused by ProxyError('Cannot connect to proxy.', OSError('Tunnel connection failed: 403 Forbidden')))
Thanks.
Steps to Reproduce
Possible Solutions
-
Logs (issued from the search.log with logging mode set to DEBUG under Settings/Configuration)
No relevant info, so showing splunkd.log: "07-15-2024 17:17:15.705 +0200 WARN sendmodalert [47394 AlertNotifierWorker-21] - action=thehive_create_a_new_alert - Alert action script returned error code=48"
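Two details in the issue body fit together: the alert action's exit code 48 is the add-on's `[TH48] THE_HIVE_PROXY_ERROR`, and the quoted traceback is the requests/urllib3 stack reporting that a CONNECT tunnel was refused with `403 Forbidden` even though the add-on's own proxy setting is `None`. With its default `trust_env=True`, requests takes proxies from the process environment (`https_proxy`/`HTTPS_PROXY`, `all_proxy`, minus whatever `no_proxy` excludes), so a search head whose splunkd runs with such variables set tunnels through that proxy regardless of what the add-on was configured with, and a 403 on the CONNECT is the proxy refusing the destination, not TheHive answering. An environment difference between the members is one explanation consistent with one of three search heads working. The script below is an added example, not code from TA-thehive-cortex or requests: a simplified model of that proxy selection which you can feed a member's environment to see which proxy a call to the TheHive URL would actually use. Hostnames and proxy addresses are constructed placeholders.

```python
"""Which proxy will a requests call from a Splunk add-on actually use?

Added example, not code from TA-thehive-cortex or requests. It models the
selection requests performs with its default trust_env=True: an explicit
proxies= entry for the URL scheme wins; otherwise the process environment is
consulted (https_proxy/HTTPS_PROXY, all_proxy/ALL_PROXY, honouring
no_proxy/NO_PROXY). Hostnames and proxy addresses are constructed placeholders.
"""
from urllib.parse import urlparse


def env_proxy_setting(env, name):
    """Lower-case spelling takes precedence over upper-case, as in urllib's
    getproxies_environment (which requests uses under the hood)."""
    return env.get(name.lower()) or env.get(name.upper())


def bypasses_proxy(host, env):
    """Simplified no_proxy matching: '*' bypasses everything; otherwise the host
    is bypassed when it equals an entry or is a subdomain of it ('.corp.example'
    and 'corp.example' both cover thehive.corp.example)."""
    no_proxy = env_proxy_setting(env, "no_proxy") or ""
    for entry in no_proxy.replace(" ", "").split(","):
        if not entry:
            continue
        if entry == "*":
            return True
        entry = entry.lstrip(".")
        if host == entry or host.endswith("." + entry):
            return True
    return False


def effective_proxy(url, env, explicit_proxies=None):
    """Proxy URL a requests call for `url` would go through, or None for direct.

    explicit_proxies stands in for the proxies= dict an add-on builds from its
    own settings; the add-on in the thread logged that setting as None."""
    parts = urlparse(url)
    host = parts.hostname or ""
    if explicit_proxies and parts.scheme in explicit_proxies:
        return explicit_proxies[parts.scheme]
    if bypasses_proxy(host, env):
        return None
    return (env_proxy_setting(env, parts.scheme + "_proxy")
            or env_proxy_setting(env, "all_proxy"))


def explain(url, env, explicit_proxies=None):
    """Human-readable verdict for one search head's environment."""
    host = urlparse(url).hostname
    proxy = effective_proxy(url, env, explicit_proxies)
    if proxy is None:
        return f"{host}: direct connection; a 'Tunnel connection failed' error cannot originate here"
    return (f"{host}: CONNECT {host}:443 goes to {proxy} although the add-on proxy setting is "
            f"{explicit_proxies}; a 403 on that CONNECT is the proxy refusing the tunnel. "
            f"Either add {host} to no_proxy in splunkd's environment or allow it on the proxy.")


# Constructed environments for two hypothetical cluster members: identical add-on
# configuration, but only the first lists the TheHive domain in NO_PROXY.
THEHIVE_URL = "https://thehive.corp.example/api/case/_search?range=all"
WORKING_MEMBER = {"HTTPS_PROXY": "http://proxy.corp.example:3128",
                  "NO_PROXY": "localhost,127.0.0.1,.corp.example"}
FAILING_MEMBER = {"HTTPS_PROXY": "http://proxy.corp.example:3128",
                  "NO_PROXY": "localhost,127.0.0.1"}

if __name__ == "__main__":
    for name, env in (("working", WORKING_MEMBER), ("failing", FAILING_MEMBER)):
        print(name, "->", explain(THEHIVE_URL, env, explicit_proxies=None))
```

The environment that matters is the one splunkd itself inherited, not your interactive shell's: on a member, something like `sudo tr '\0' '\n' < /proc/$(pgrep -o splunkd)/environ | grep -i proxy` shows it. If the failing members carry a proxy there and the working one does not, either align `NO_PROXY` across the cluster (via the mechanism that launches splunkd on those hosts) or have the proxy allow CONNECT to the TheHive host.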