Known Issues
The following are known issues and workarounds for this version of the Splunk App for Enterprise Security.
Highlighted issues
- On Splunk Enterprise version 6.1 and later, a Windows server can experience a crash when using
INDEXED_EXTRACTIONS
on introspection logs. (SPL-83975) (SOLNESS-5245)
- Workaround:
- Modify the content in
$SPLUNK_HOME/etc/apps/introspection_generator_addon/local/props.conf
and override the value forINDEXED_EXTRACTIONS
on all Windows search head and indexer instances.
[splunk_disk_objects]
INDEXED_EXTRACTIONS =
[splunk_resource_usage]
INDEXED_EXTRACTIONS =
- Restart Splunk Enterprise.
- The performance of CIDR-based lookups degrades when evaluating hundreds of subnets. (SOLNESS-4669)
- Workaround:
- Limit the asset and threat lists to using
/24
or smaller subnets.
- Users who install or upgrade TA-Bro will find that the add-on does not work by default. The command line will display warnings when you start Splunk Enterprise (ADDON-1104.)
- See the Splunk Add-on for Bro IDS Release Notes.
Hardware prerequisites
- The Splunk App for Enterprise Security may not run on virtualized machines with insufficient hardware. (SOLNESS-1118)
- Running Splunk Enterprise on Windows on under-provisioned virtualized hardware may cause Enterprise Security setup to fail. If the instance meets the virtualized hardware specifications, retry the setup if it fails the first time. (SOLNESS-4256)
- A dashboard view reports:
Error in 'DistributedSearchResultsCollectionManager'. Operating system thread limit reached; search could not be run.
This is expected behavior when themax user processes
ulimit is too restrictive for the current load on the Splunk environment. See Errors about ulimit in splunkd.log in the Troubleshooting manual.
Upgrades
- During an upgrade of the Enterprise Security app, the installer will fail to create a backup of the existing Enterprise Security installation if the backup file size exceeds 2GB. The installer displays the error
ERROR - step:upgrade|Filesize would require ZIP64 extensions
. (SOLNESS-5490)
- Workaround:
- Find the large
CSV
lookup files and move them aside before running the Enterprise Security upgrade. Once the upgrade has completed, move theCSV
lookup files back.
Incident Review
- Contributing events from any notable event in the Incident Review dashboard will default to "All Time" and may take a long time to return results. To workaround this issue, cancel the search and rerun with the desired time window. (SOLNESS-1784)
- The Incident Review dashboard feature does not work on the Solaris operating system. (SOLNESS-2508)
- The maximum number of notable events displayed for editing is 1000, regardless of the filter options or total number of notable events. This is expected behavior set by a default in the
limits.conf
settingmax_events_per_bucket
, and can be changed as required. (SOLNESS-5072)
Configuration
- Clicking on a configuration item in the App Settings page takes the user to the Search Macros Manager page. The Cancel button does not work. The Save button takes the user to the list of macros in the Search Macros Manager page instead of back to the App Settings Configuration page. (SOLNPCI-375)
Dashboards
- When using the Threat List Activity dashboard, selecting an entry on the Recent Threat List Activity panel generates an error. (SOLNESS-5429)
Streamed search execute failed because: Error in 'lookup' command: The lookup table 'mozilla_public_suffix_lookup' does not exist."
- Workaround:
- Remove the blacklist entry for the lookup
mozilla_public_suffix.csv
. Navigate to$SPLUNK_HOME/etc/apps/SA-ThreatIntelligence/local
and create a distsearch.conf file with the entry:
[replicationBlacklist] ## Allows replication of apps/SA-ThreatIntelligence/lookups/mozilla_public_suffix.csv nomozillasuffix =
- When working with individual Reports (Search > Reports), some drill down functionality may not produce desired behavior. This is dependent on the structure of the search, and the search commands being used. This should not affect shipped dashboards. If adding a report to ones own dashboard, for best results use Simple XML to define explicit drill down. (SOLNESS-4387)
- When using Advanced Threat dashboards, some dashboard views show a yellow warning sign triangle even if the view displays results. The warning reports:
Empty csv lookup file (contains only a header) for table 'ppf_http_category': /splunk/etc/apps/DA-ESS-NetworkProtection/lookups/ppf_http_user_agent.csv
Empty csv lookup file (contains only a header) for table 'ppf_url_length': /splunk/etc/apps/DA-ESS-NetworkProtection/lookups/ppf_new_domains.csv
- This is expected behavior and is harmless. The lookup files referenced in the warning message manages the per-panel filtering feature in Enterprise Security. Per-panel filtering is used to filter or whitelist items out of dashboard views that are deemed unimportant or non-threatening.
- Until the per-panel filter lookup is used, the file is empty and contains only a header. This status does not affect the functioning of the dashboard panel.
- See Per-Panel Filter Audit in the Enterprise Security Installation and Configuration Manual for more information. (SOLNESS-4631)
- Changing the title of an existing entity investigator or swimlane search will break all swimlane searches used on the same dashboard. Changing the title of the search back to the default will fix the display issue. (SOLNESS-5194)
Reports
- In any Individual Reports window, selecting a real-time Time Range such as: 24 hour window, 30 minute window, etc. will cause a display error: (SOLNESS-3536)
Error in 'tstats' command: This command is not supported in a real-time search.
- Workaround:
- Use a relative "Time Range" such as: Last 24 hours or Last 15 minutes.
- When adding a report to a custom dashboard in the Enterprise Security app, the report's drilldown search may not produce the desired behavior. This includes pre-defined reports included with the Enterprise Security app. (SOLNESS-4387)
- Workaround:
- Test all report drilldown behaviors on custom dashboards, and use Simple XML to define the drilldown search for each report as desired.
Inputs
- The timing of a modular input execution at startup can result in the error in the
splunkd.log
as a result of a missing file path (SOLNESS-5217).
ERROR ExecProcessor - message from "python /splunk/etc/apps/SA-ThreatIntelligence/bin/threatlist_manager.py" File "/splunk/etc/apps/SA-Utils/lib/SolnCommon/lookups.py", line 254, in get_temporary_file
ERROR ExecProcessor - message from "python /splunk/etc/apps/SA-ThreatIntelligence/bin/threatlist_manager.py" os.mkdir(basedir)
ERROR ExecProcessor - message from "python /splunk/etc/apps/SA-ThreatIntelligence/bin/threatlist_manager.py" OSError: [Errno 17] File exists: '/splunk/var/run/splunk/lookup_tmp'
- The threat list
emerging_threats_malvertisers_blocklist
has been obsoleted. The input has been removed from the available threat lists. (SOLNESS-4785)
- A threat list that is downloaded from an HTTPS URL may fail to download if proxy authentication is in use. Checking the
$SPLUNK_HOME/var/log/splunk/python_modular_input.log
shows an authentication failure:
2014-01-01 01:01:01,001 ERROR pid=4000 tid=download_an_ip_blocklist file=protocols.py:run:246 | Caught URLError when querying https://a.blosklist.hosting.site/blocklist.php?download=blocklist: reason=Tunnel connection failed: 407 Proxy Authentication Required exc=<urlopen error Tunnel connection failed: 407 Proxy Authentication Required>
- A patch to the Python libraries
httplib
andurlllib2
is required. Please contact Splunk Support and reference SOLNESS-5401. (SOLNESS-5401) - Once the files are obtained, follow the instructions below:
- 1. Stop the Splunk Enterprise services on the Enterprise Security search head.
- 2. Backup and replace the Python libraries
httplib
andurlllib2
in the$SPLUNK_HOME/lib/python2.7
directory with the copies provided. - 3. Restart the Splunk Enterprise services.
Search Head Pooling
- Any stanza in inputs.conf that references an object in the shared pool mount must use an absolute path. In Enterprise Security, an audited lookup table requires an input. That input stanza must be updated when using search head pooling since /etc/apps resides on the pool and is no longer tied to the relative path $SPLUNK_HOME.
- Example:
SA-ThreatIntelligence/local/inputs.conf [monitor://$SPLUNK_HOME/etc/apps/SA-ThreatIntelligence/lookups/incident_review.csv] disabled = true ## Lookup is on the search head pool shared storage. Changed path below: [monitor:///the/shared/storage/etc/apps/SA-ThreatIntelligence/lookups/incident_review.csv] disabled = false index = _audit sourcetype = incident_review
Fixed Issues | Learn More and how to get help |
This documentation applies to the following versions of Splunk® Enterprise Security: 3.1.1
Feedback submitted, thanks!