PaloAltoNetworks / Splunk-Apps

Palo Alto Networks App for Splunk leverages the data visibility provided by Palo Alto Networks next-generation firewalls and endpoint security with Splunk's extensive investigation and visualization capabilities to deliver an advanced security reporting and analysis tool.
https://pan.dev/splunk/docs/
ISC License

Authentication process and credential encryption issues #334

Open jolszewski21 opened 4 months ago

jolszewski21 commented 4 months ago

Describe the bug

We are experiencing issues with the authentication process, which result in the following errors:

1) "splunklib.binding.AuthenticationError: Autologin succeeded, but there was an auth error on the next request. Something is very wrong."
2) "splunklib.binding.HTTPError: HTTP 401 Unauthorized -- b'{"messages":[{"type":"WARN","text":"call not properly authenticated"}]}'"

Additionally, the App fails to encrypt the credentials set within them.

Expected behavior

Getting data from Cortex XDR

Current behavior

Failing at the authentication level.

Your Environment

Oracle Linux Server release 9.1
Splunk Single Instance - Version 9.2.2
App version - 8.1.1

jolszewski21 commented 3 months ago

Traceback (most recent call last):
  File "/opt/splunk/etc/apps/Splunk_TA_paloalto/bin/splunk_ta_paloalto/aob_py3/modinput_wrapper/base_modinput.py", line 113, in stream_events
    self.parse_input_args(input_definition)
  File "/opt/splunk/etc/apps/Splunk_TA_paloalto/bin/splunk_ta_paloalto/aob_py3/modinput_wrapper/base_modinput.py", line 154, in parse_input_args
    self._parse_input_args_from_global_config(inputs)
  File "/opt/splunk/etc/apps/Splunk_TA_paloalto/bin/splunk_ta_paloalto/aob_py3/modinput_wrapper/base_modinput.py", line 173, in _parse_input_args_from_global_config
    ucc_inputs = global_config.inputs.load(input_type=self.input_type)
  File "/opt/splunk/etc/apps/Splunk_TA_paloalto/bin/splunk_ta_paloalto/aob_py3/splunktaucclib/global_config/configuration.py", line 272, in load
    self._references = Configs(self._splunkd_client, self._schema).load()
  File "/opt/splunk/etc/apps/Splunk_TA_paloalto/bin/splunk_ta_paloalto/aob_py3/splunktaucclib/global_config/configuration.py", line 345, in load
    config_entities = self._load_endpoint(config["name"], config["entity"])
  File "/opt/splunk/etc/apps/Splunk_TA_paloalto/bin/splunk_ta_paloalto/aob_py3/splunktaucclib/global_config/configuration.py", line 189, in _load_endpoint
    RestHandler.path_segment(self._endpoint_path(name)), *query
  File "/opt/splunk/etc/apps/Splunk_TA_paloalto/bin/splunk_ta_paloalto/aob_py3/splunklib/binding.py", line 299, in wrapper
    return request_fun(self, *args, **kwargs)
  File "/opt/splunk/lib/python3.7/contextlib.py", line 130, in __exit__
    self.gen.throw(type, value, traceback)
  File "/opt/splunk/etc/apps/Splunk_TA_paloalto/bin/splunk_ta_paloalto/aob_py3/splunklib/binding.py", line 233, in _handle_auth_error
    raise AuthenticationError(msg, he)
splunklib.binding.AuthenticationError: Autologin succeeded, but there was an auth error on next request. Something is very wrong.

2024-07-31 13:44:01,249 ERROR pid=1172289 tid=MainThread file=base_modinput.py:log_error:309 | Traceback (most recent call last):
  File "/opt/splunk/etc/apps/Splunk_TA_paloalto/bin/splunk_ta_paloalto/aob_py3/splunklib/binding.py", line 288, in wrapper
    return request_fun(self, *args, **kwargs)
  File "/opt/splunk/etc/apps/Splunk_TA_paloalto/bin/splunk_ta_paloalto/aob_py3/splunklib/binding.py", line 69, in new_f
    val = f(*args, **kwargs)
  File "/opt/splunk/etc/apps/Splunk_TA_paloalto/bin/splunk_ta_paloalto/aob_py3/splunklib/binding.py", line 684, in get
    response = self.http.get(path, all_headers, query)
  File "/opt/splunk/etc/apps/Splunk_TA_paloalto/bin/splunk_ta_paloalto/aob_py3/splunklib/binding.py", line 1197, in get
    return self.request(url, { 'method': "GET", 'headers': headers })
  File "/opt/splunk/etc/apps/Splunk_TA_paloalto/bin/splunk_ta_paloalto/aob_py3/splunklib/binding.py", line 1260, in request
    raise HTTPError(response)
splunklib.binding.HTTPError: HTTP 401 Unauthorized -- b'{"messages":[{"type":"WARN","text":"call not properly authenticated"}]}'

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/opt/splunk/etc/apps/Splunk_TA_paloalto/bin/splunk_ta_paloalto/aob_py3/splunklib/binding.py", line 230, in _handle_auth_error
    yield
  File "/opt/splunk/etc/apps/Splunk_TA_paloalto/bin/splunk_ta_paloalto/aob_py3/splunklib/binding.py", line 299, in wrapper
    return request_fun(self, *args, **kwargs)
  File "/opt/splunk/etc/apps/Splunk_TA_paloalto/bin/splunk_ta_paloalto/aob_py3/splunklib/binding.py", line 69, in new_f
    val = f(*args, **kwargs)
  File "/opt/splunk/etc/apps/Splunk_TA_paloalto/bin/splunk_ta_paloalto/aob_py3/splunklib/binding.py", line 684, in get
    response = self.http.get(path, all_headers, query)
  File "/opt/splunk/etc/apps/Splunk_TA_paloalto/bin/splunk_ta_paloalto/aob_py3/splunklib/binding.py", line 1197, in get
    return self.request(url, { 'method': "GET", 'headers': headers })
  File "/opt/splunk/etc/apps/Splunk_TA_paloalto/bin/splunk_ta_paloalto/aob_py3/splunklib/binding.py", line 1260, in request
    raise HTTPError(response)
splunklib.binding.HTTPError: HTTP 401 Unauthorized -- b'{"messages":[{"type":"WARN","text":"call not properly authenticated"}]}'