Install and Configure: Troubleshooting
[this is for v4.0.x of the Recorded Future App for Splunk Enterprise]
There are a number of report available in the app that can help troubleshooting.
|All logs from the App||This report collects all the logs produced by the app in one view.|
|Latest updates of all risklists||This report lists all timestamp when a risklist was last updated.|
|Validate app deployment||This report displays the result of a number of tests and lookups that is performed when the report is run.|
How to use the reports
All logs from the App
The report lists all the events created by the app. The loglevel can adjusted in Configuration -> Global configuration under the Logging pane. Default is INFO but when troubleshooting it may be apropriate to increase the level to DEBUG.
A good starting place is to look for errors (loglevel ERROR). To facilitate searching it's possible to open the report in the search view (select "Open in Search" via the "Edit" button).
Latest updates of all risklists
This report lists all the risklists that have been retrieved successfully from Recorded Future. If a list is missing from the view this means that it has not been updated during the last 24 hours.
If it is necessary to expand the search period this can be done by opening the report in Search.
The update frequency of a risk list depends on how often it is regenerated on Recorded Future's system. The default risklists pre-configured by Recorded Future are updated at two different intervals:
- IP, Domain and URL risklists are updated hourly
- Hash and Vulnerability risklists are update daily
If a risklist is missing from the view it may be necessary to check whether it can be found in the Fusion api. See Troubleshooting Fusion Files below.
Validate app deployment
This report should be reviewed after app deployment to verify that the configuration works.
The built-in validator perform a number of tests and collect useful troubleshooting information. Normally only statuses of Ok or NA should be present. Investigate any Warning or Error, these will have useful suggestions for troubleshooting.
Other troubleshooting tips
Troubleshooting Fusion Files
Fusion files are used as risklists in the app. If a configured risklist fails to be retrieved this can be due to a number of reasons.
- If all risklists fail to update there's most likely an issue with network connectivity or the api key used. Run the "Validate app deployment" report.
The Fusion file may not exist or it was spelled wrong. This can be verified
by performing the following search:
index=_* sourcetype="tarecordedfuture:cyber:log" ERROR 404 "File or directory" path=*
Look at the path field which is the URL-encoded version of the Fusion
file path (ex
%2Fhome%2Fcustom.cvs). Verify that this corresponds to a Fusion file.
- Ensure that the api key used by the app belongs to the correct enterprise in Recorded Future's system. With the exception of public Fusion files (paths starting with /public/) no Fusion files. are available outside of the Enterprise.
- Ensure that the Fusion Flow responsible for generating the Fusion file was successfully executed.
- Look at the path field which is the URL-encoded version of the Fusion file path (ex
Your Recorded Future Intelligence Services consultant would be happy to help you with additional questions and advice. If you do not know who that is, you can also contact [email protected]
Please do not contact Splunk support about "Recorded Future for Splunk Enterprise".