rba-community / TA-opnsense

Splunk Add on for OPNsense firewall
https://ta-opnsense.rba.community
Apache License 2.0

Modular Inputs inundating splunkd.log with WARN get_password failed messages #94

Closed bmorgenthaler closed 1 year ago

bmorgenthaler commented 1 year ago

Bug description

Running the latest version of the TA and Splunk 9.0.5, my splunkd.log is being inundated with WARN messages for get_password failures. Interestingly enough, I do appear to be pulling package and other information in through the API. I notice it says user=proxy, but no proxy is configured for the Input.

07-01-2023 10:30:02.302 -0500 ERROR PersistentScript [4002261 PersistentScriptIo] - From {/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-opnsense/bin/TA_opnsense_rh_settings.py persistent}: WARNING:root:Run function: get_password failed: Traceback (most recent call last):
07-01-2023 10:30:02.303 -0500 ERROR PersistentScript [4002261 PersistentScriptIo] - From {/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-opnsense/bin/TA_opnsense_rh_settings.py persistent}:   File "/opt/splunk/etc/apps/TA-opnsense/bin/ta_opnsense/aob_py3/solnlib/utils.py", line 128, in wrapper
07-01-2023 10:30:02.304 -0500 ERROR PersistentScript [4002261 PersistentScriptIo] - From {/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-opnsense/bin/TA_opnsense_rh_settings.py persistent}:     return func(*args, **kwargs)
07-01-2023 10:30:02.304 -0500 ERROR PersistentScript [4002261 PersistentScriptIo] - From {/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-opnsense/bin/TA_opnsense_rh_settings.py persistent}:   File "/opt/splunk/etc/apps/TA-opnsense/bin/ta_opnsense/aob_py3/solnlib/credentials.py", line 133, in get_password
07-01-2023 10:30:02.304 -0500 ERROR PersistentScript [4002261 PersistentScriptIo] - From {/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-opnsense/bin/TA_opnsense_rh_settings.py persistent}:     f"Failed to get password of realm={self._realm}, user={user}."
07-01-2023 10:30:02.304 -0500 ERROR PersistentScript [4002261 PersistentScriptIo] - From {/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-opnsense/bin/TA_opnsense_rh_settings.py persistent}: solnlib.credentials.CredentialNotExistException: Failed to get password of realm=__REST_CREDENTIAL__#TA-opnsense#configs/conf-ta_opnsense_settings, user=proxy.
07-01-2023 10:30:02.304 -0500 ERROR PersistentScript [4002261 PersistentScriptIo] - From {/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-opnsense/bin/TA_opnsense_rh_settings.py persistent}: .

Related links

TA-opnsense Version

1.5.3

Splunk Version

9.0.5

OPNsense Version

23.1.9

ZachChristensen28 commented 1 year ago

Hello!

I haven't been able to replicate this. Do you currently have a proxy configured and enabled in the add-on settings?

bmorgenthaler commented 1 year ago

Nope, no proxy is enabled or configured.

ZachChristensen28 commented 1 year ago

Strange.

Looking at this line in your WARN log: __REST_CREDENTIAL__#TA-opnsense#configs/conf-ta_opnsense_settings:

If you have access to the command line for this instance, can you check the file $SPLUNK_HOME/etc/apps/TA-opnsense/local/passwords.conf to see if you see a stanza that looks something like this: [credential:__REST_CREDENTIAL__#TA-opnsense#configs/conf-ta_opnsense_account:proxy]

After, would you also just hit the "Save" button on the proxy setting page to see if that will reload the proxy config?

bmorgenthaler commented 1 year ago

I checked $SPLUNK_HOME/etc/apps/TA-opnsense/local/passwords.conf and I do not have any proxy entries. The only two entries I have are:

[credential:__REST_CREDENTIAL__#TA-opnsense#configs/conf-ta_opnsense_account:monitor``splunk_cred_sep``1:]
password = redacted

[credential:__REST_CREDENTIAL__#TA-opnsense#configs/conf-ta_opnsense_account:monitor``splunk_cred_sep``2:]
password = redacted

bmorgenthaler commented 1 year ago

Hit save, restarted Splunk, and the warnings still appear every 15 minutes (what I have the inputs set as for polling schedule).

ZachChristensen28 commented 1 year ago

This appears to be an issue with the Splunk Add-on builder scripts used to create this add-on. These scripts expect the proxy credentials to be configured.

I found a workaround to stop these errors from showing up: while leaving the proxy disabled, add a placeholder username and password to the proxy configuration settings page and hit save. No restart is required.

Let me know if this removes the error messages for you.

bmorgenthaler commented 1 year ago

Yep! That fixed it, I put bogus credentials in and nothing else and the warning disappeared.
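
The manual check from this thread (compare the realm and user named in the CredentialNotExistException against the stanza headers in passwords.conf) can be scripted. The following is an added example, not part of the thread or of the add-on's code; the function names and sample strings are constructed here, modelled on the log line and stanzas posted above.

```python
import re

# Exception text as it appears in the splunkd.log lines quoted in this issue.
FAILURE_RE = re.compile(r"Failed to get password of realm=(\S+), user=([^\s.]+)\.")
SEP = "``splunk_cred_sep``"  # suffix separator visible in the posted stanzas
REALM = "__REST_CREDENTIAL__#TA-opnsense#configs/conf-ta_opnsense"

# Constructed samples modelled on the log line and stanzas posted in the thread.
SAMPLE_LOG = (
    "07-01-2023 10:30:02.304 -0500 ERROR PersistentScript - From {...}: "
    "solnlib.credentials.CredentialNotExistException: Failed to get password of "
    f"realm={REALM}_settings, user=proxy.\n"
) * 2  # the same failure repeats on every polling interval
SAMPLE_CONF = (
    f"[credential:{REALM}_account:monitor{SEP}1:]\npassword = redacted\n\n"
    f"[credential:{REALM}_account:monitor{SEP}2:]\npassword = redacted\n"
)


def stored_credentials(passwords_conf):
    """Return {(realm, user)} from [credential:...] stanza headers only.

    Password values are never read; only the header lines are inspected.
    """
    found = set()
    for line in passwords_conf.splitlines():
        line = line.strip()
        if not (line.startswith("[credential:") and line.endswith("]")):
            continue
        # Accept both "realm:user:]" and "realm:user]" header forms.
        body = line[len("[credential:"):-1].rstrip(":")
        realm, _, user = body.rpartition(":")
        found.add((realm, user.split(SEP, 1)[0]))  # drop the numeric suffix
    return found


def missing_credentials(splunkd_log, passwords_conf):
    """List (realm, user) pairs the log reports as missing with no stanza."""
    wanted = {m.groups() for m in FAILURE_RE.finditer(splunkd_log)}
    return sorted(wanted - stored_credentials(passwords_conf))


if __name__ == "__main__":
    for realm, user in missing_credentials(SAMPLE_LOG, SAMPLE_CONF):
        print(f"no stanza for user={user} in realm={realm}")
```

On the sample data it reports the proxy user in the settings realm, which is the lookup that fails in the posted traceback.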