This repository has been archived by the owner on Feb 3, 2023. It is now read-only.

Problem on System with different network interfaces and the trackme app #388

Open
malso opened this issue Mar 11, 2022 · 5 comments
Labels
bug Something isn't working question Further information is requested

Comments


malso commented Mar 11, 2022

Hey @guilhemmarchand,

running trackme 1.2.57 on splunk 8.1.5.

I have a system with different network interfaces and Splunk is bound to a different IP than $HOSTNAME in splunk-launch.conf (via SPLUNK_BINDIP).
I am not able to get kvstore backup running (response: Warn: exception encountered: [Errno 99] Cannot assign requested address)
or do edits like change the priority of a data source over the modify context.
Defining lagging classes and controlling the lagging value however is possible.

I already found a target_url = "https://localhost:" in trackme.py which I changed.

Do you have any ideas what I need to do to get the app fully working?

@guilhemmarchand guilhemmarchand self-assigned this Mar 11, 2022
@guilhemmarchand guilhemmarchand added the question Further information is requested label Mar 11, 2022
@guilhemmarchand
Owner

Hey @malso

Oh that is quite an interesting one - so basically on the local system, you can technically reach the API (splunkd) but because of SPLUNK_BINDIP splunkd will not reply to the originating query.

To be fair, there are quite a lot of calls made in the app to localhost, whether in the UI or at the lowest backend level (and this is going to be tons more in TrackMe v2)

I see at least these:

./bin/trackme/modalert_trackme_auto_ack_helper.py:    helper.writeevents(index="summary", host="localhost", source="localhost")
./bin/trackme/modalert_trackme_auto_ack_helper.py:    # we are talking to localhost splunkd in SSL
./bin/trackme/modalert_trackme_auto_ack_helper.py:    target_url = "https://localhost:" + str(splunkd_port) + str(endpoint_url)
./bin/trackme/modalert_trackme_free_style_rest_call_helper.py:    helper.writeevents(index="summary", host="localhost", source="localhost")
./bin/trackme/modalert_trackme_free_style_rest_call_helper.py:    # we are talking to localhost splunkd in SSL
./bin/trackme/modalert_trackme_free_style_rest_call_helper.py:    target_url = "https://localhost:" + str(splunkd_port) + str(endpoint_url)
./bin/trackme/modalert_trackme_free_style_rest_call_helper.py:    record_url = 'https://localhost:' + str(splunkd_port) \
./bin/trackme/modalert_trackme_smart_status_helper.py:    helper.writeevents(index="summary", host="localhost", source="localhost")
./bin/trackme/modalert_trackme_smart_status_helper.py:    # we are talking to localhost splunkd in SSL
./bin/trackme/modalert_trackme_smart_status_helper.py:    target_url = "https://localhost:" + str(splunkd_port) + str(endpoint_url)
./bin/trackme/modalert_trackme_smart_status_helper.py:    record_url = 'https://localhost:' + str(splunkd_port) \
./bin/trackme.py:            target_url = "https://localhost:" + str(splunkd_port) + str(self.url)
./bin/trackme_rest_handler_smart_status.py:                record_url = 'https://localhost:' + str(splunkd_port) \
./bin/trackme_rest_handler_smart_status.py:                record_url = 'https://localhost:' + str(splunkd_port) \
./bin/trackme_rest_handler_smart_status.py:                record_url = 'https://localhost:' + str(splunkd_port) \

One option I guess would be to provide something configurable in the configuration UI where you can use a different destination than localhost, but it might be quite a lot of work. (and I am focussing on TrackMe v2)

I will need to do some testing to understand where the failures would be in your context

@malso
Author

malso commented Mar 11, 2022

Hey @guilhemmarchand,

Thank you for your fast answer.
Unfortunately it did not help.

I deleted all python cache files.

Additionally I replaced all occurrences of socket.gethostname() with the FQDN of the IP I'm using for Splunk.

@guilhemmarchand
Owner

@malso

I will check this out, and will let you know

@malso
Author

malso commented Mar 16, 2022

Hey @guilhemmarchand
I got it working, but only by changing every occurrence of localhost to the bindip.
And by working I mean I was just not able to change the priority, and I have no idea if I broke something :)
Files I edited:
./bin/trackme/modalert_trackme_auto_ack_helper.py
./bin/trackme/modalert_trackme_free_style_rest_call_helper.py
./bin/trackme/modalert_trackme_smart_status_helper.py
./bin/trackme.py
./bin/trackme_rest_handler_smart_status.py
./lib/splunklib/binding.py
./lib/splunktalib/credentials.py
./lib/urllib3/exceptions.py

@guilhemmarchand
Owner

Thanks @malso

./bin/trackme/modalert_trackme_auto_ack_helper.py
./bin/trackme/modalert_trackme_free_style_rest_call_helper.py
./bin/trackme/modalert_trackme_smart_status_helper.py
./bin/trackme.py
./bin/trackme_rest_handler_smart_status.py

Makes sense, the localhost call is hard coded.

./lib/splunklib/binding.py
./lib/splunktalib/credentials.py
./lib/urllib3/exceptions.py

That probably shouldn't be necessary.

I am planning to provide a configurable option for the splunkd host target, such that someone in your case can switch from localhost to the bind IP / FQDN / host.

Will revert in this issue.

@guilhemmarchand guilhemmarchand added the bug Something isn't working label Mar 17, 2022
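
A sketch of the configurable splunkd target discussed in this thread, added here as an example and not taken from TrackMe's code: it reads SPLUNK_BINDIP from splunk-launch.conf text and builds the URL the helpers currently hard-code to localhost. The function names `read_bind_ip` and `splunkd_url`, the sample file content and the endpoint path used with it are assumptions made for illustration.

```python
import ipaddress
import re

DEFAULT_HOST = "localhost"  # the value the listed helpers hard-code
# Plain hostname or FQDN: dot-separated labels of letters, digits and hyphens.
_HOSTNAME = re.compile(
    r"(?=.{1,253}\Z)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*\Z"
)

# Constructed sample of splunk-launch.conf content (not taken from the issue).
SAMPLE_LAUNCH_CONF = """\
# constructed sample
SPLUNK_HOME=/opt/splunk
SPLUNK_BINDIP=10.20.30.40
"""


def read_bind_ip(conf_text):
    """Return the SPLUNK_BINDIP value from splunk-launch.conf text, else None."""
    found = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip() == "SPLUNK_BINDIP":
            found = value.strip() or None  # assumption: last assignment wins
    return found


def splunkd_url(splunkd_port, endpoint_url, host=None):
    """Build the https URL for splunkd, defaulting to localhost."""
    host = host or DEFAULT_HOST
    try:
        ip = ipaddress.ip_address(host)
        if ip.version == 6:
            host = "[%s]" % ip.compressed  # IPv6 literals need brackets in URLs
    except ValueError:
        # Not an IP literal: accept only a plain hostname, so a configured
        # value cannot carry a path, userinfo or second authority into the URL.
        if not _HOSTNAME.match(host):
            raise ValueError("invalid splunkd host: %r" % host)
    port = int(splunkd_port)
    if not 0 < port < 65536:
        raise ValueError("invalid splunkd port: %r" % splunkd_port)
    if not endpoint_url.startswith("/"):
        raise ValueError("endpoint_url must start with '/'")
    return "https://%s:%d%s" % (host, port, endpoint_url)
```

Routing every call site through one builder like this keeps the host choice in a single place instead of in each of the files listed above.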