remg427 / TA-thehive

Splunk TA for alert action to TheHive-project
GNU Lesser General Public License v3.0

Unexpected error: local variable 'thehiveconf' referenced before assignment #20

Closed sunghhong closed 5 years ago

sunghhong commented 5 years ago

Hello,

I installed your plug-in and set up the connection to the https version of TheHive. After I configured an alert action in Splunk, I am getting the following errors in "create_alert_entry_in_thehive_modalert.log". I am not sure where to look to address this problem. Your advice is very much appreciated!

2019-09-27 17:15:05,296 INFO pid=9125 tid=MainThread file=cim_actions.py:message:238 | sendmodaction - signature="Alert action create_alert_entry_in_thehive started." action_name="create_alert_entry_in_thehive" search_name="CAR-2016-03-002: Create Remote Process via WMIC" sid="scheduleradminsearchRMD5a4366f281d2cf22f_at_1569618900_57" rid="0" app="search" user="admin" action_mode="saved" action_status="success"
2019-09-27 17:15:05,296 INFO pid=9125 tid=MainThread file=cim_actions.py:message:238 | sendmodaction - signature="stanza_name=connector_to_thehive_instance://https://10.206.53.21:9443" action_name="create_alert_entry_in_thehive" search_name="CAR-2016-03-002: Create Remote Process via WMIC" sid="scheduleradminsearchRMD5a4366f281d2cf22f_at_1569618900_57" rid="0" app="search" user="admin" action_mode="saved" action_status="success"
2019-09-27 17:15:05,296 ERROR pid=9125 tid=MainThread file=cim_actions.py:message:238 | sendmodaction - signature="Unexpected error: local variable 'thehiveconf' referenced before assignment." action_name="create_alert_entry_in_thehive" search_name="CAR-2016-03-002: Create Remote Process via WMIC" sid="scheduleradminsearch__RMD5a4366f281d2cf22f_at_1569618900_57" rid="0" app="search" user="admin" action_mode="saved" action_status="failure"

remg427 commented 5 years ago

The error might be related to a non-existing th_instance (i.e. the input created when setting up the app).

sunghhong commented 5 years ago

Hello, so do I need to clone the new version and install it? Just wondering what I need to do. I previously installed it from the Splunk website. Your advice is appreciated! Thanks, Sung

On Saturday, September 28, 2019, 2:55 PM, Rémi Séguy notifications@github.com wrote:

Closed #20 via #21.


remg427 commented 5 years ago

Hello, on the master repo you can download the tar.gz, which is the app itself. I have also published it on Splunkbase.

sunghhong commented 5 years ago

Thank you so much!


sunghhong commented 5 years ago

Hello,

I installed the latest version. I am now getting the following error. Any idea? Thanks

2019-09-30 16:20:03,181 ERROR pid=1897 tid=MainThread file=cim_actions.py:message:238 | sendmodaction - signature="FATAL Results file exists but could not be opened/read" action_name="create_alert_entry_in_thehive" search_name="client IP" sid="scheduleradminsearch__RMD5736e1990ff848890_at_1569874800_19" rid="0" app="search" user="admin" action_mode="saved" action_status="failure"


remg427 commented 5 years ago

Hello, access rights to the result file.

sunghhong commented 5 years ago

I was looking for the result file as indicated in the code, but I could not find it. Since the same code base (TA-thehive) is presumably writing the result file, it is odd that it is complaining about access rights to the file. Any idea how to report the filename and its location through logging? That might help, so that I could look at the file and check its access permissions. Any idea what file permission is expected by the code to read the file?

Your help is appreciated. 


remg427 commented 5 years ago

Error message comes from https://github.com/remg427/TA-thehive/blob/master/TA-thehive/bin/ta_thehive_create_alert/modalert_create_alert_entry_in_thehive_helper.py

Here you may add a line to log the filename. I will update the code in a future version.

Thrawn-Smith commented 4 years ago

Hello there,

After adding a line to log filename, it appears to be : /opt/splunk/var/run/splunk/dispatch/scheduleradminsearch__RMD55b93bedb02789909_at_1588757400_346/results.csv.gz

With some searches, the file exists, but it belongs to root. Permissions are similar to other directories, so nothing is incorrect in permission positioning.

On my Splunk instance.

Could you help us to work with your very useful TA?

Any help appreciated ! 👍 V

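The two comments above (the suggestion to log the filename, and the finding that the dispatch `results.csv.gz` exists but belongs to root) describe a diagnosis that can be made automatic. The following is an added example, not code from TA-thehive: a small reader for a Splunk `results.csv.gz` (a gzip-compressed CSV with a header row, which is what the dispatch directory holds) that, when the file cannot be opened, raises an error carrying the path, owner uid/gid, mode bits and whether the effective user can read it, instead of the bare "could not be opened/read". The dispatch path layout, the function names and the sample CSV content are assumptions made for the example; the TA's real helper and the Splunk SDK calls it uses are not reproduced here.

```python
import csv
import gzip
import os
import stat
import tempfile
from typing import Dict, List


def describe_file(path: str) -> Dict[str, str]:
    """Collect what an admin needs when a results file is unreadable:
    existence, owner uid/gid, mode bits, and whether the effective user
    (the one Splunk runs the alert action as) can read it."""
    info = {"path": path, "exists": str(os.path.exists(path))}
    if not os.path.exists(path):
        return info
    st = os.stat(path)
    info["uid"] = str(st.st_uid)
    info["gid"] = str(st.st_gid)
    info["mode"] = stat.filemode(st.st_mode)          # e.g. "-rw-------"
    info["readable_by_euid"] = str(os.access(path, os.R_OK))
    # geteuid is POSIX-only; fall back to -1 elsewhere so the helper still runs.
    info["euid"] = str(getattr(os, "geteuid", lambda: -1)())
    return info


def read_results(path: str) -> List[Dict[str, str]]:
    """Open a results.csv.gz and return its rows as dicts keyed by the header.
    On any OS-level failure (missing file, EACCES, ...) re-raise with the
    file description in the message so the log tells you what to check."""
    try:
        with gzip.open(path, "rt", encoding="utf-8", newline="") as fh:
            return list(csv.DictReader(fh))
    except OSError as exc:
        raise OSError(f"results file unreadable: {describe_file(path)}: {exc}") from exc


def make_sample_results() -> str:
    """Write a constructed results.csv.gz (not real Splunk output) into a
    temporary dispatch-like directory and return its path."""
    sid_dir = tempfile.mkdtemp(prefix="scheduler__admin__search__RMD5example_")
    path = os.path.join(sid_dir, "results.csv.gz")
    rows = [
        {"_time": "2019-09-30T16:20:00", "src_ip": "10.0.0.5", "user": "alice"},
        {"_time": "2019-09-30T16:20:01", "src_ip": "10.0.0.9", "user": "bob"},
    ]
    with gzip.open(path, "wt", encoding="utf-8", newline="") as fh:
        writer = csv.DictWriter(fh, fieldnames=["_time", "src_ip", "user"])
        writer.writeheader()
        writer.writerows(rows)
    return path


if __name__ == "__main__":
    sample = make_sample_results()
    print(describe_file(sample))
    print(read_results(sample))
    try:
        read_results(sample + ".missing")
    except OSError as err:
        print(err)
```

In the thread's situation the interesting fields are `uid`/`gid` versus `euid` and `readable_by_euid`: a file owned by root with mode `-rw-------` while Splunk runs the action as a non-root user is exactly the combination that produces the "exists but could not be opened/read" failure.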