Getinfo probe failed for external search command 'mispsight'

[J1mb0S1ic3]

We have confirmed connectivity of this app to our MISP instance, using command: | mispcollect misp_instance=Preprod eventid="81" endpoint="events"

We however try to run the command below: index= src= | regex src=\d+.\d+.\d+.\d+ | mispsight field=src misp_instance=Preprod

And we get an error: Streamed search execute failed because: Error in 'script': Getinfo probe failed for external search command 'mispsight'..

Looking in search.log we see the following: 06-27-2023 13:45:54.091 ERROR ScriptRunner [929833 localCollectorThread] - stderr from '/opt/splunk/bin/nsjail-wrapper /opt/splunk/bin/python3.7 /opt/splunk/etc/apps/misp42splunk/bin/mispsight.py EXECUTE field=src misp_instance=Preprod': [SI-101] logging level is set to DEBUG 06-27-2023 13:45:54.091 ERROR ScriptRunner [929833 localCollectorThread] - stderr from '/opt/splunk/bin/nsjail-wrapper /opt/splunk/bin/python3.7 /opt/splunk/etc/apps/misp42splunk/bin/mispsight.py EXECUTE field=src misp_instance=Preprod': [SI-102] PYTHON VERSION: 3.7.16 (default, Mar 22 2023, 01:29:27) 06-27-2023 13:45:54.091 ERROR ScriptRunner [929833 localCollectorThread] - stderr from '/opt/splunk/bin/nsjail-wrapper /opt/splunk/bin/python3.7 /opt/splunk/etc/apps/misp42splunk/bin/mispsight.py EXECUTE field=src misp_instance=Preprod': [GCC 9.2.0] 06-27-2023 13:45:54.091 ERROR ScriptRunner [929833 localCollectorThread] - stderr from '/opt/splunk/bin/nsjail-wrapper /opt/splunk/bin/python3.7 /opt/splunk/etc/apps/misp42splunk/bin/mispsight.py EXECUTE field=src misp_instance=Preprod': GET request to https://127.0.0.1:8089/servicesNS/nobody/search/misp42splunk_instances (body: {}) 06-27-2023 13:45:54.235 ERROR ScriptRunner [929833 localCollectorThread] - stderr from '/opt/splunk/bin/nsjail-wrapper /opt/splunk/bin/python3.7 /opt/splunk/etc/apps/misp42splunk/bin/mispsight.py EXECUTE field=src misp_instance=Preprod': Operation took 0:00:00.143451 06-27-2023 13:45:54.235 ERROR ScriptRunner [929833 localCollectorThread] - stderr from '/opt/splunk/bin/nsjail-wrapper /opt/splunk/bin/python3.7 /opt/splunk/etc/apps/misp42splunk/bin/mispsight.py EXECUTE field=src misp_instance=Preprod': [MC-PC-D01] response.status=200 06-27-2023 13:45:54.236 ERROR ScriptRunner [929833 localCollectorThread] - stderr from '/opt/splunk/bin/nsjail-wrapper /opt/splunk/bin/python3.7 /opt/splunk/etc/apps/misp42splunk/bin/mispsight.py EXECUTE field=src misp_instance=Preprod': [MC-PC-D02] instance_count=1 06-27-2023 13:45:54.236 ERROR ScriptRunner [929833 localCollectorThread] - stderr from '/opt/splunk/bin/nsjail-wrapper /opt/splunk/bin/python3.7 /opt/splunk/etc/apps/misp42splunk/bin/mispsight.py EXECUTE field=src misp_instance=Preprod': [MC-PC-D03] single instance={'title': 'Preprod', 'id': 'https://127.0.0.1/servicesNS/nobody/misp42splunk/misp42splunk_instances/Preprod', 'updated': '1970-01-01T00:00:00+00:00', 'link': [{'href': '/servicesNS/nobody/misp42splunk/misp42splunk_instances/Preprod', 'rel': 'alternate'}, {'href': '/servicesNS/nobody/misp42splunk/misp42splunk_instances/Preprod', 'rel': 'list'}, {'href': '/servicesNS/nobody/misp42splunk/misp42splunk_instances/Preprod', 'rel': 'edit'}, {'href': '/servicesNS/nobody/misp42splunk/misp42splunk_instances/Preprod', 'rel': 'remove'}], 'author': {'name': ''}, 'content': {'disabled': '0', 'eai:acl': {'app': 'misp42splunk', 'can_change_perms': '1', 'can_list': '1', 'can_share_app': '1', 'can_share_global': '1', 'can_share_user': '1', 'can_write': '1', 'modifiable': '1', 'owner': ['](', 'perms': {'read': ['*'], 'write': ['admin']}, 'removable': '1', 'sharing': 'global'}, 'eai:appName': 'misp42splunk', 'eai:userName': 'nobody', 'misp_key': '**', 'misp_url': '', 'misp_verifycert': '0', 'type': 'text/xml'}} 06-27-2023 13:45:54.236 ERROR ScriptRunner [929833 localCollectorThread] - stderr from '/opt/splunk/bin/nsjail-wrapper /opt/splunk/bin/python3.7 /opt/splunk/etc/apps/misp42splunk/bin/mispsight.py EXECUTE field=src misp_instance=Preprod': GET request to https://127.0.0.1:8089/servicesNS/nobody/search/storage/passwords (body: {'count': -1, 'offset': 0}) 06-27-2023 13:45:54.249 ERROR ScriptRunner [929833 localCollectorThread] - stderr from '/opt/splunk/bin/nsjail-wrapper /opt/splunk/bin/python3.7 /opt/splunk/etc/apps/misp42splunk/bin/mispsight.py EXECUTE field=src misp_instance=Preprod': Operation took 0:00:00.012962 06-27-2023 13:45:54.269 ERROR ScriptRunner [929833 localCollectorThread] - stderr from '/opt/splunk/bin/nsjail-wrapper /opt/splunk/bin/python3.7 /opt/splunk/etc/apps/misp42splunk/bin/mispsight.py EXECUTE field=src misp_instance=Preprod': MispSightCommand.process finished under protocol_version=1

Is there a permissions issue or problem with the jailer that is running our mispsight.py script?

We have reported the same issue to splunk cloud support, will see what they say.

[J1mb0S1ic3]

I just had word from splunk support, they said our search head isnt part of a search head cluster, it's a standalone, and that is the reason for this error? Is anyone able to clarify if this is the case?

[remg427]

Hello thank you for using MISP42 What version do you use and also splunk version? I'll test again on my standalone Best Remi

Le 30 juin 2023 11:19:26 GMT+02:00, J1mb0S1ic3 @.***> a écrit :

I just had word from splunk support, they said our search head isnt part of a search head cluster, it's a standalone, and that is the reason for this error? Is anyone able to clarify if this is the case?

-- Reply to this email directly or view it on GitHub: https://github.com/remg427/misp42splunk/issues/236#issuecomment-1614379742 You are receiving this because you are subscribed to this thread.

Message ID: @.***> -- Sent with K-9 Mail.

[J1mb0S1ic3]

Hi, we are on splunk 9 in the cloud and the latest version of the MISP app 4.2.2.

[J1mb0S1ic3]

Hi, has any testing been completed with regards to this being only compatible with a SHC?