SWSS: Received corrupted archive from WSS and will retry on the next invocation

Article ID: 249626

Products

Cloud Secure Web Gateway - Cloud SWG

Issue/Introduction

The WSS Splunk Transfer Agent (TA) is not receiving any data from the WSS SyncAPI.

The $SPLUNK_HOME/etc/var/log/scwss/scwss-poll.log shows a continuous error: "Received corrupted archive from WSS, will retry on the next invocation"

2022-03-13 14:10:46,070 INFO 140160265734080 - SWSS: Starting data collection...
2022-03-13 14:10:46,355 ERROR 140160265734080 - SWSS: SWSS: Received corrupted archive from WSS, will retry on the next invocation
2022-03-13 14:15:46,067 INFO 140317862344640 - SWSS: Starting data collection...
2022-03-13 14:15:46,800 ERROR 140317862344640 - SWSS: SWSS: Received corrupted archive from WSS, will retry on the next invocation
2022-03-13 14:20:46,067 INFO 140317862344640 - SWSS: Starting data collection...
2022-03-13 14:20:46,800 ERROR 140317862344640 - SWSS: SWSS: Received corrupted archive from WSS, will retry on the next invocation
2022-03-13 14:25:46,067 INFO 140317862344640 - SWSS: Starting data collection...
2022-03-13 14:25:46,800 ERROR 140317862344640 - SWSS: SWSS: Received corrupted archive from WSS, will retry on the next invocation
2022-03-13 14:30:46,067 INFO 140317862344640 - SWSS: Starting data collection...
2022-03-13 14:30:46,800 ERROR 140317862344640 - SWSS: SWSS: Received corrupted archive from WSS, will retry on the next invocation

Environment

  • Web Security Service
  • Splunk SIEM solution collecting logs using SyncAPI
  • Splunk WSS plugin downloaded and leveraged

Cause

The sync.token is most likely corrupted and needs to be reset.

Resolution

Follow the process below to reset the WSS SyncAPI token on Splunk.

The process sends a new API call to the SyncAPI with a new date/time and no token, so the SyncAPI generates a new token.

  1. Log in to the Splunk instance where the WSS TA is installed.
  2. Go to Settings > Data inputs.
  3. Click Symantec Web Security Service.
  4. Check the current data input. Under Status, click Disable.
  5. Open a terminal and locate the "sync.token" file. On a Linux server:
     find / -iname "sync.token"
  6. Rename it to some other name (for example, append ".old"). That resets the token.

  7. Add a new WSS data input and configure it with a start date and the other required data.

     - You will need the API Username and API Key.
     - The NEW start date must be the beginning of the hour in which the last synced log was observed.
       E.g. if the last synced log time was 14:10:12 UTC, set the start time to 2022-03-13T14:00:00 in the WSS TA data input configuration.

  8. Check and confirm that data is now being downloaded.
     If you have not changed the source type, you can verify that data is being indexed into Splunk with the query: sourcetype = symantec:websecurityservice:scwss-poll. Otherwise, use your own source type.

Note: There will be some overlapping or duplicate access logs, since the WSS SyncAPI requires going back to the beginning of the hour.
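As an added example (not part of this article or of the WSS TA itself), a small POSIX shell helper for steps 5 to 7: it renames sync.token so the next poll carries no token, and derives the new data-input start date by truncating the last synced log time to the top of its hour. It assumes SPLUNK_HOME defaults to /opt/splunk and that the timestamp is given as "YYYY-MM-DD HH:MM:SS", the form used in scwss-poll.log.

```shell
#!/bin/sh
# Added example, not the article's or Broadcom's own tooling.
# Assumptions: SPLUNK_HOME defaults to /opt/splunk; the timestamp is
# "YYYY-MM-DD HH:MM:SS" (the format seen in scwss-poll.log).

# Print the start date for the new WSS data input: the beginning of the
# hour in which the last synced log was seen, in the TA's format.
# Example: "2022-03-13 14:10:12" -> 2022-03-13T14:00:00 (UTC, as in step 7).
wss_start_date() {
    day=${1%% *}          # date part, before the space
    hour=${1#* }          # time part, after the space
    hour=${hour%%:*}      # keep only the hour field
    printf '%sT%s:00:00\n' "$day" "$hour"
}

# Rename every sync.token below $1 (default: $SPLUNK_HOME or /opt/splunk)
# to sync.token.old, which is what step 6 does by hand. Disable the data
# input first (step 4) so no poll runs while the token is being reset.
reset_sync_token() {
    root=${1:-${SPLUNK_HOME:-/opt/splunk}}
    find "$root" -type f -iname 'sync.token' \
        -exec sh -c 'mv -- "$1" "$1.old" && echo "renamed $1 -> $1.old"' _ {} \;
}

# Usage with constructed values (uncomment to run):
# wss_start_date "2022-03-13 14:10:12"
# reset_sync_token "${SPLUNK_HOME:-/opt/splunk}"
```

Use the printed start date in the new data input; the previous token files stay on disk as sync.token.old in case you need to compare them.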