Improving BigFix integration with Splunk

rfjohns1 2019-11-15 21:51:47 UTC #21

this is a Splunk enterprise for Windows. Does this also apply to a Windows Server OS?

jmaple 2019-11-15 22:06:51 UTC #22

I believe it should. If you follow the same path but from a Windows perspective you should find the same file.

$SPLUNKHOME\etc\apps\TA-bigfix\bin\ta_bigfix\httplib2

rfjohns1 2019-11-15 22:45:19 UTC #23

Doesn’t seem to resole the issue:

2019-11-15 22:34:30,625 +0000 log_level=INFO, pid=4268, tid=Thread-4, file=xxxxx, func_name=request, code_line_no=169 | [stanza_name=“users”] Invoking request to [httpsxxxxxxxxxx/:52311/api/query?output=json&relevance=%28%22name%3D%22+%26+name+of+it%2C+%22master_operator%3D%22+%26+master+flag+of+it+as+string%2C+%22action_count%3D%22+%26+number+of+issued+actions+of+it+as+string%2C+%22creation_time%3D%22+%26+creation+time+of+it+as+string%2C+%22last_login_time%3D%22+%26+%28if+%28exists+last+login+time+of+it%29+then+last+login+time+of+it+as+string+else+%22%22%29%29+of+bes+users] finished
2019-11-15 22:34:30,625 +0000 log_level=ERROR, pid=4268, tid=Thread-4, file=engine, func_name=_send_request, code_line_no=325 | [stanza_name=“users”] T**he response status=400 for request which url=httpsxxxxxxxxxx/:52311/api/query?**output=json&relevance=%28%22name%3D%22+%26+name+of+it%2C+%22master_operator%3D%22+%26+master+flag+of+it+as+string%2C+%22action_count%3D%22+%26+number+of+issued+actions+of+it+as+string%2C+%22creation_time%3D%22+%26+creation+time+of+it+as+string%2C+%22last_login_time%3D%22+%26+%28if+%28exists+last+login+time+of+it%29+then+last+login+time+of+it+as+string+else+%22%22%29%29+of+bes+users and method=GET.
2019-11-15 22:34:30,625 +0000 log_level=INFO, pid=4268, tid=Thread-4, file=engine, func_name=_run, code_line_no=270 | [stanza_name=“users”] This job need to be terminated.

rfjohns1 2019-11-16 00:14:45 UTC #24

IT seems something is going on on the BigFix side

error: [Errno 10061] No connection could be made because the target machine actively refused it
2019-11-16 00:12:51,753 +0000 log_level=ERROR, pid=5924, tid=Thread-4, file=engine_py, func_name=_send_request, code_line_no=302 | [stanza_name=“users”] HTTPError reason=HTTP Error [Errno 10061] No connection could be made because the target machine actively refused it when sending request to url=https://xxxxxxxxxx:52311/api/query?output=json&relevance=%28%22name%3D%22+%26+name+of+it%2C+%22master_operator%3D%22+%26+master+flag+of+it+as+string%2C+%22action_count%3D%22+%26+number+of+issued+actions+of+it+as+string%2C+%22creation_time%3D%22+%26+creation+time+of+it+as+string%2C+%22last_login_time%3D%22+%26+%28if+%28exists+last+login+time+of+it%29+then+last+login+time+of+it+as+string+else+%22%22%29%29+of+bes+users method=GET

jmaple 2019-11-16 00:35:12 UTC #25

What version of BigFix are you running?

rfjohns1 2019-11-16 01:03:18 UTC #26

9.5.7.90.

I’m also asking the admin to verify the cert install and determine if I’m using the correct port.

rfjohns1 2019-11-16 18:58:48 UTC #27

The BigServer is not listening on 52311. The console is set to use 63422. The ports are using to communicate with clients are dpt=63422 spt=62998.

Also we are not using a BigFix relay. Is that needed?

CP [::]:135 xxxxxxxxxxxxxxx:0 LISTENING
TCP [::]:443 xxxxxxxxxxxxxxx:0 LISTENING
TCP [::]:445 xxxxxxxxxxxxxxx:0 LISTENING
TCP [::]:1433 xxxxxxxxxxxxxxx:0 LISTENING
TCP [::]:3389 xxxxxxxxxxxxxxx:0 LISTENING
TCP [::]:8080 xxxxxxxxxxxxxxx:0 LISTENING
TCP [::]:8442 xxxxxxxxxxxxxxx:0 LISTENING
TCP [::]:47001 xxxxxxxxxxxxxxx:0 LISTENING
TCP [::]:49664 xxxxxxxxxxxxxxx:0 LISTENING
TCP [::]:49665 xxxxxxxxxxxxxxx:0 LISTENING
TCP [::]:51168 xxxxxxxxxxxxxxx:0 LISTENING
TCP [::]:51728 xxxxxxxxxxxxxxx:0 LISTENING
TCP [::]:52593 xxxxxxxxxxxxxxx:0 LISTENING
TCP [::]:52609 xxxxxxxxxxxxxxx:0 LISTENING
TCP [::]:54376 xxxxxxxxxxxxxxx:0 LISTENING
TCP [::]:63052 xxxxxxxxxxxxxxx:0 LISTENING
TCP [::]:63054 xxxxxxxxxxxxxxx:0 LISTENING
TCP [::]:63422 xxxxxxxxxxxxxxx:0 LISTENING
TCP [::]:63426 xxxxxxxxxxxxxxx:0 LISTENING

jmaple 2019-11-16 19:10:15 UTC #28

No. The TA uses the REST API which is accessible via the server port which, in your case, sounds like it should be 63422. If you configure the TA to use that port, I imagine that should work.

rfjohns1 2019-11-16 19:23:39 UTC #29

I’m now getting http status code 401 (authentication failure). So that is progress! I’ll have the administrator verify permissions.

jmaple 2019-11-16 19:33:09 UTC #30

Glad you’re making progress.

The account needs to have specific capabilities enabled in the console. Specifically “Can use REST” and “Can see other user’s actions”. For security, I would recommend against using a console admin if it can be helped.

rfjohns1 2019-11-18 20:04:44 UTC #31

Just curious, I heard that Splunk DB Connect is an alternative to integrate for Splunk/BigFix integration. Are there advantages is using the REST based Connector?

jmaple 2019-11-18 20:12:05 UTC #32

After discussing the various options with people in-the-know, DBConnect is an option but if the schema changes during an upgrade, the DBConnect queries may no longer function and would need to be re-written. The REST API is less likely to have those types of changes made so once you develop the REST query, it shouldn’t need updating for a while unless something drastic happens.

rfjohns1 2019-11-19 22:12:52 UTC #34

All seems to be working fine. Thank you for the help.

Just wondering, do you have interesting dashboards that could go along with the T/A?

jmaple 2019-11-20 14:13:18 UTC #35

At the moment, the original app that was on Splunkbase is being revised to use the data this TA provides. But because the TA is getting re-done to scale better in larger environments, that’s on hold until the data collection is ironed out.

However, any suggestions on dashboards you’d like to see would be helpful as well.

rfjohns1 2019-11-20 18:35:14 UTC #36

thanks, These dashboards look interesting. I will try to provide some feedback once we discuss in them team

rfjohns1 2019-11-20 18:36:30 UTC #37

Does the TA use a checkpoint? IF so, how could I validate that it is working?

Thanks!

jmaple 2019-11-21 00:04:22 UTC #38

At the moment the TA doesn’t use any checkpoints. Most of the time it’s because there isn’t a timestamp in all events to key in on during every query. So, for now, it’s a query of everything on an interval.

rfjohns1 2019-11-21 16:37:13 UTC #39

I spotted this error in the App under the “OverView” tab, top frame.

I did manually delete the old version prior to installing the new App.

ServerSideInclude Module Error!
Splunk has failed to locate the template for uri ‘/APP/splunk_app_for_bigfix-master/appserver/static/BigFixSearch.html’.

jmaple 2019-11-21 16:43:26 UTC #40

The issue here is the same as the TA. You need to remove the “-master” from the app parent directory.

rfjohns1 2019-11-21 17:07:59 UTC #42

that seemed to fix that issue. However produced a new error.

Other then that top pane it seems to be working.

ServerSideInclude Module Error!
Splunk has failed to locate the template for uri ‘/APP/splunk_app_for_bigfix/appserver/static/BigFixSearch.html’.