Splunk® Enterprise Security

Release Notes

Acrobat logo Download manual as PDF


This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.
Acrobat logo Download topic as PDF

Known Issues

The following are issues and workarounds for this version of the Splunk App for Enterprise Security.

Highlighted issues

Publication date Defect number Description
2015-04-22 SOLNESS-6664 Do not disable or upgrade Enterprise Security unless the search head is running on Splunk Enterprise version 6.2.3. Disabling the SplunkEnterpriseSecuritySuite or SA-ThreatIntelligence apps, or upgrading the Splunk App for Enterprise Security to version 3.2.2 removes all data collected in the KVStore collections. The KVStore collection data in those apps includes Notable Event status changes created on the Incident Review dashboard.
3.2.1
Some workflow actions have been removed from this release of the Enterprise Security App. For information about creating new workflow actions, see "Create and maintain workflow actions in Splunk Web" in the Splunk Enterprise Knowledge Manager Manual.
3.2.1
Immediately after upgrading the Enterprise Security app, the Incident Review dashboard may not display notable events. The migration process from a .csv file to the KV Store feature implements a brief wait time to initialize the system. The first time ES comes up after the post-setup restart, there is a period where Incident Review will be unusable. The dashboard will become usable in a couple minutes after the migration completes.
Pre-3.2 CIM-169 After installing the Enterprise Security app, the splunkd.log displays a warning message:
WARN LineBreakingProcessor - Truncating line because limit of 10000 bytes has been exceeded with a line length >= 13359 - data_source="/opt/splunk/var/log/splunk/remote_searches.log", data_host="nom_nom_nom", data_sourcetype="splunkd_remote_searches"

Workaround: Disable truncation on the indexers using the props.conf:

[splunkd_remote_searches]

TRUNCATE = 0

2015-03-12 SOLNESS-6297 The Extreme Search command xsWhere has a memory leak that can leave the search head memory constrained.

Dashboards

Publication date Defect number Description
Pre-3.2 SOLNESS-4387 When working with individual Reports (Search > Reports), some drill down functionality may not produce desired behavior. This is dependent on the structure of the search, and the search commands being used. This should not affect shipped dashboards. If adding a report to ones own dashboard, for best results use Simple XML to define explicit drill down.
Pre-3.2 SOLNESS-5752 When using the Account Management dashboard to view Account Lockouts, a drilldown to investigate events runs slowly. This is expected behavior. A drilldown will run a historical search across all events in a data model, where the dashboard view uses only accelerated data for faster visual response.
Pre-3.2 SOLNESS-4631 When using Advanced Threat dashboards, some dashboard views display a yellow warning sign triangle even if the view displays results. The warning reports:

Empty csv lookup file (contains only a header) for table 'ppf_http_category': /splunk/etc/apps/DA-ESS-NetworkProtection/lookups/ppf_http_user_agent.csv

Empty csv lookup file (contains only a header) for table 'ppf_url_length': /splunk/etc/apps/DA-ESS-NetworkProtection/lookups/ppf_new_domains.csv

This is expected behavior and is harmless. The lookup files referenced in the warning message manages the per-panel filtering feature in Enterprise Security. Per-panel filtering is used to filter or whitelist items out of dashboard views that are deemed unimportant or non-threatening.

Until the per-panel filter lookup is used, the file is empty and contains only a header. This status does not affect the functioning of the dashboard panel. See "Per-Panel Filter Audit" in the Enterprise Security Installation and Configuration Manual for more information.

2014-11-19 SOLNESS-5676 The Create Notable Event workflow action may result in a truncated notable event with missing fields.

Hardware prerequisites

Publication date Defect number Description
Pre-3.2 SOLNESS-4256 Running Splunk Enterprise on Windows with under-provisioned virtualized hardware may cause Enterprise Security setup to fail. If the instance meets the "virtualized hardware" specifications, retry the setup if it fails the first time.
Pre-3.2
A dashboard view reports: Error in 'DistributedSearchResultsCollectionManager'. Operating system thread limit reached; search could not be run.

This is expected behavior when the max user processes ulimit is too restrictive for the current load on the Splunk environment. See "Errors about ulimit in splunkd.log" in the Splunk Enterprise Troubleshooting Manual.

Incident Review

Publication date Defect number Description
Pre-3.2 SOLNESS-1784 Contributing events from any notable event in the Incident Review dashboard will default to "All Time" and may take a long time to return results. To workaround this issue, cancel the search and rerun with the desired time window.
Pre-3.2 SOLNESS-2508 The Incident Review dashboard feature does not work on the Solaris operating system.
Pre-3.2 SOLNESS-5072 The maximum number of notable events displayed for editing is 1000, regardless of the filter options or total number of notable events. This is the expected behavior set by default in the limits.conf setting max_events_per_bucket, and can be changed as required.
2015-03-11 SOLNESS-6376 Disabling a field action through the workflow_actions.conf will not remove the workflow action from the Incident Review dashboard.

Workaround: In the fields setting of the disabled workflow stanza, remove the asterisk and replace it with random text.

2015-05-26 SOLNESS-6878 When saving the changes to a selection of more than 1000 notable events, the update will fail with the error The update failed:ResultSet.iter – timed out while waiting on data; expected 100 events, only got 0; count=xxxx.
This is the expected behavior set by default in the limits.conf setting max_events_per_bucket, and can be changed as required.

Inputs

Publication date Defect number Description
Pre-3.2 SOLNESS-4785 The threat list emerging_threats_malvertisers_blocklist has been obsoleted]. The input has been removed from the available threat lists. For more details see the notice at the threat list site (http://rules.emergingthreats.net/blockrules/emerging-rbn-malvertisers-BLOCK.rules).
Pre-3.2 SOLNESS-4254 While configuring or editing a modular input for a threat list, the "Interval" parameter cannot be specified through the UI.

Workaround: Configure all other input parameters through the UI, and change the run "Interval" from the command line.

Pre-3.2 SOLNESS-5401 A threat list download attempt from an HTTPS URL may fail to download if proxy authentication is in use. Checking the $SPLUNK_HOME/var/log/splunk/python_modular_input.log shows an authentication failure:

2014-01-01 01:01:01,001 ERROR pid=4000 tid=download_an_ip_blocklist file=protocols.py:run:246 | Caught URLError when querying https://a.blosklist.hosting.site/blocklist.php?download=blocklist: reason=Tunnel connection failed: 407 Proxy Authentication Required exc=<urlopen error Tunnel connection failed: 407 Proxy Authentication Required>

A patch to the Python libraries httplib and urlllib2 is required. Please contact Splunk Support and reference SOLNESS-5401.

After the files are obtained, follow the instructions below:
1. Stop the Splunk Enterprise services on the Enterprise Security search head.
2. Backup and replace the Python libraries httplib and urlllib2 in the $SPLUNK_HOME/lib/python2.7 directory with the copies provided.
3. Restart the Splunk Enterprise services.
2015-03-25 SOLNESS-6474 A threat intelligence download script fails to create HTTPPasswordMgr due to missing uri parameter. Checking the $SPLUNK_HOME/var/log/splunk/splunkd.log shows an error:

03-25-2015 01:01:01.312 -0700 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/SA-ThreatIntelligence/bin/threatlist.py" TypeError: 'NoneType' object is not utterable

Reports

Publication date Defect number Description
Pre-3.2 SOLNESS-3536 In any Individual Reports window, selecting a real-time Time Range such as: 24 hour window, 30 minute window, etc. will cause a display error:

Error in 'tstats' command: This command is not supported in a real-time search.

Workaround: Use a relative "Time Range" such as: Last 24 hours or Last 15 minutes.

Pre-3.2 SOLNESS-4387 When adding a report to a custom dashboard in the Enterprise Security app, the report's drilldown search may not produce the desired behavior. This includes pre-defined reports included with the Enterprise Security app.

Workaround: Test all report drilldown behaviors on custom dashboards, and use Simple XML to define the drilldown search for each report as desired.

2015-01-15 SOLNESS-6054 The format of Incident Review audit data has been optimized. To review Incident Review audit events created prior to ES 3.2.1, update your audit search as needed and add the latest extractions. Example:

index=_audit sourcetype=incident_review | rex field=_raw "^(?<end_time>[^,]*),(?<rule_id>[^,]*),(?<owner>[^,]*),(?<urgency>[^,]*),(?<status>[^,]*),(?<comment>[^,]*),(?<user>[^,]*),(?<rule_name>[^,]*)"

2015-04-24 SOLNESS-6670 When the correlation search Potential Gap in Data is enabled, the search will report false positive matches.
Workaround: Update the contents of the search.
Browse to Configure > General > Custom Searches.
Search for "Potential Gap in Data" and select the search.
Select the link to "Edit search manually"
Update the contents of the "Search" field with:
| datamodel "Splunk_Audit" "Scheduler_Activity" search | where 'Scheduler_Activity.status'="success" AND ('Scheduler_Activity.app' LIKE "Splunk_%" OR 'Scheduler_Activity.app' LIKE "SA-%" OR 'Scheduler_Activity.app' LIKE "DA-%" OR 'Scheduler_Activity.app'="SplunkEnterpriseSecuritySuite" OR 'Scheduler_Activity.app'="SplunkPCIComplianceSuite") | stats count | where 'count'=0 | eval const_dedup_id="const_dedup_id"
2016-05-23 SOLNESS-9420
Extreme search causing multiple core dump files
Workaround: Filter results where the size is zero. Edit the problematic context gen search in the configuration file or on the Content Management page to include |where size > 0. For example:
| tstats `summariesonly` dc(All_Traffic.src) as src_count from datamodel=Network_Traffic by _time span=30m | stats count, median(src_count) as median, stdev(src_count) as size | where size>0 | xsupdateddcontext name=src_count_30m container=network_traffic terms="minimal,low,medium,high,extreme" type=median_centered width=3 app=SA-NetworkProtection scope=app | stats count

Search Head Clustering

Publication date Defect number Description
3.2.1 SPL-94414 The server.conf [kvstore] stanza will not accept environment variables in the caCertPath parameter.

Workaround: The server.conf file on the cluster members must reference the full path to the local certificates:

[kvstore]
caCertPath = /opt/splunk/etc/auth/cacert.pem
sslKeysPassword = password
sslKeysPath = /opt/splunk/etc/auth/server.pem
2015-01-09 SPL-94522 Search head cluster caches in-memory jobs, leading to increasing memory growth.

Workaround: Reduce the status_cache_size in the limits.conf file on the cluster members.

[search]
# the number of search job metadata to cache in RAM
status_cache_size = 2000
2015-03-04 SOLNESS-6315 The localprocess_tracker.csv file can grow too large for successful replication.
Error:lookup_table_file="/opt/splunk/etc/apps/SA-EndpointProtection/lookups/localprocesses_tracker.csv": Non-200 status_code=413: Content-Length of 1567337721 too large (maximum is 838860800)

Workaround: Update the [Endpoint - Local Processes Tracker - Lookup Gen] search in $SPLUNK_HOME$/etc/apps/SA-EndpointProtection/default/savedsearches.conf:

search = | tstats `summariesonly` min(_time) as firstTime,max(_time) as lastTime from datamodel=Application_State where nodename=All_Application_State.Processes by All_Application_State.dest,All_Application_State.process | `drop_dm_object_name("All_Application_State")` | inputlookup append=T localprocesses_tracker | rex field=process "(?<process>[^\s]+)" | stats min(firstTime) as firstTime,max(lastTime) as lastTime by dest,process | outputlookup localprocesses_tracker | stats count

Search Head Pooling

Publication date Defect number Description
Pre-3.2
Any stanza in inputs.conf that references an object in the shared pool mount must use an absolute path. In Enterprise Security, an audited lookup table requires an input. That input stanza must be updated when using search head pooling since /etc/apps/* resides on the pool, and is no longer tied to the relative path $SPLUNK_HOME.

Example: In SA-ThreatIntelligence/local/inputs.conf [monitor://$SPLUNK_HOME/etc/apps/SA-ThreatIntelligence/lookups/incident_review.csv]

disabled = true

Lookup is on the search head pool shared storage. Changed path below: [monitor:///the/shared/storage/etc/apps/SA-ThreatIntelligence/lookups/incident_review.csv]

disabled = false
index = _audit
sourcetype = incident_review
Last modified on 06 August, 2016
PREVIOUS
Fixed Issues
  NEXT
Learn More and how to get help

This documentation applies to the following versions of Splunk® Enterprise Security: 3.2.1


Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters