Splunk® Security Add-on for SAP® solutions

User Guide

Troubleshoot the Splunk Security Add-on for SAP solutions

Here are some common issues in the Splunk Security Add-on for SAP® solutions and how to resolve them.

If you experience errors during data collection, navigate to the Troubleshooting tab of the add-on. This tab constantly monitors error logs, and you can filter results by time range.

Isolating the component with the problem

To use the Splunk Security Add-on for SAP solutions, you must purchase Splunk Security for SAP solutions. Before troubleshooting, confirm that your entitlement is correct and that it covers the Splunk Security Add-on for SAP solutions.

When troubleshooting, determine whether the issue you are experiencing is relevant to the add-on. In general, if your SAP Enterprise Threat Detection (ETD) data is successfully reaching your Splunk platform indexes, the add-on is working as expected. If data is not reaching your Splunk platform indexes, check for configuration problems with the accounts and inputs handled by the Splunk Security Add-on for SAP solutions.

SSL certificate error

If you are experiencing an SSL certificate error, perform the following steps to find the issue:

  1. In the add-on, navigate to the Troubleshooting Dashboard from one of these locations, depending on the type of deployment you have:
    1. For a single instance, from the heavy forwarder.
    2. For a distributed deployment, from the search head.
  2. Ensure the search is running in real time over a 30-second window.
  3. In the Timechart for Queries dashboard panel, select the most recent bar. This opens the Top Error Timeout values panel and shows the timeout value along with the number of times this has occurred.
  4. Select the value of the timeout to open the Underlying Events for Query = <query> and Timeout = <value> panel.
  5. View the logs on this panel to see if the following error is present:
(Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1106)')))

Solution

Upload the correct certificate from SAP ETD as a Trusted Authority to your preferred browser to solve the issue.

Max retries timeout

If you reach a max retries timeout, perform the following steps to find the issue:

  1. In the add-on, navigate to the Troubleshooting Dashboard from one of these locations, depending on the type of deployment:
    1. For a single instance, from the heavy forwarder.
    2. For a distributed deployment, from the search head.
  2. Ensure the search is running in real time over a 30-second window.
  3. In the Timechart for Queries dashboard panel, select the most recent bar. This opens the Top Error Timeout values panel and shows the timeout value along with the number of times this has occurred.
  4. Select the value of the timeout to open the Underlying Events for Query = <query> and Timeout = <value> panel.
  5. View the logs on this panel to see if the following error is present:
Max retries exceeded with url: /sap/secmon/services/Alerts.xsjs?%24query=<query>&%24format=JSON&%24includeEvents=True&%24batchSize=50&%24includeTestAlerts=True&%24autoConfirm=False (Caused by ConnectTimeoutError(<urllib3.connection.HTTPSConnection object at 0x7f984f79efd0>, 'Connection to <ip> timed out. (connect timeout=60)'))

Solution

Perform the following steps to ensure ETD is running correctly:

  1. Turn off the input.
  2. In SAP ETD, ensure ETD is running correctly.
  3. Turn the input on again and confirm that alerts are flowing into the correct index.

Data not found

If you experience errors during data collection, and troubleshooting dashboards and internal logs are not helpful, perform the following steps:

  1. Set Log Level to DEBUG in the Configuration tab.
  2. In the Search app, query the internal index and check for Alerts API requests and responses:
    index=_internal sourcetype=tasapetdalerts:log
  3. Check ETD configurations and user privileges.
  4. Check that ETD is generating Alerts through the ETD Alerts Investigation App.
  5. Query the Alerts endpoint manually.
    Example:
    <protocol>://<host>:<port>/sap/secmon/services/Alerts.xsjs?$query=AlertId eq <AlertId>
  6. Ensure the query returns a valid response.
  7. Restart SAP ETD Alerts mod-input in the add-on.
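As an added example, not part of this guide or the add-on's own code, the following Python script builds the Alerts.xsjs request URL in the form the add-on logs it (for the manual check in step 5) and classifies lines from the internal index against the two errors this guide documents; the host, port, IP address and sample log lines are constructed.

```python
import re
from collections import Counter
from urllib.parse import urlencode

# Endpoint and parameters as they appear in the add-on's logged request URL.
ALERTS_PATH = "/sap/secmon/services/Alerts.xsjs"

def build_alerts_url(host, query, port=443, protocol="https", batch_size=50,
                     include_events=True, include_test_alerts=True, auto_confirm=False):
    """Build the Alerts.xsjs request the add-on issues, for a manual check (step 5)."""
    params = {
        "$query": query,
        "$format": "JSON",
        "$includeEvents": str(include_events),
        "$batchSize": str(batch_size),
        "$includeTestAlerts": str(include_test_alerts),
        "$autoConfirm": str(auto_confirm),
    }
    # urlencode percent-encodes '$' as '%24', matching the logged form of the URL.
    return f"{protocol}://{host}:{port}{ALERTS_PATH}?{urlencode(params)}"

# The two failure signatures this guide documents, each paired with its documented remedy.
# SSL failures are also wrapped in a "Max retries exceeded" message, so test them first.
ERROR_SIGNATURES = [
    ("ssl_certificate", re.compile(r"CERTIFICATE_VERIFY_FAILED"),
     "Issuer not trusted: add the SAP ETD certificate as a trusted authority."),
    ("connect_timeout", re.compile(r"Connection to (\S+) timed out\. \(connect timeout=(\d+)\)"),
     "ETD unreachable: turn off the input, confirm ETD is running, turn the input back on."),
]

def triage_log_line(line):
    """Classify one tasapetdalerts:log line; None means no documented error is present."""
    for name, pattern, remedy in ERROR_SIGNATURES:
        m = pattern.search(line)
        if m:
            result = {"error": name, "remedy": remedy}
            if name == "connect_timeout":
                result["target"], result["timeout_s"] = m.group(1), int(m.group(2))
            return result
    return None

def triage_log(lines):
    """Count documented errors over many lines, as the Top Error Timeout values panel does."""
    return Counter(r["error"] for r in map(triage_log_line, lines) if r)

# Constructed sample lines (timestamps and IP are placeholders); the error texts are the two quoted in this guide.
SAMPLE_LOG = [
    "2023-05-02 10:00:01 ERROR (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1106)')))",
    "2023-05-02 10:00:31 ERROR Max retries exceeded with url: /sap/secmon/services/Alerts.xsjs?%24query=... (Caused by ConnectTimeoutError(<urllib3.connection.HTTPSConnection object at 0x7f984f79efd0>, 'Connection to 10.0.0.5 timed out. (connect timeout=60)'))",
    "2023-05-02 10:01:01 INFO Fetched 12 alerts",
]
```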
Last modified on 02 May, 2023

This documentation applies to the following versions of Splunk® Security Add-on for SAP® solutions: 1.0.0

