https://community.splunk.com/t5/All-Apps-and-Add-ons/Cisco-AMP-for-Endpoints-Events-Input-Cannot-retrieve-data/m-p/424185#M51787 <P>Okay. Thanks for advice.</P> Sun, 16 Jun 2019 01:39:21 GMT ksakagaw 2019-06-16T01:39:21Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Cisco-AMP-for-Endpoints-Events-Input-Cannot-retrieve-data/m-p/424183#M51785 <P>Hello,</P> <P>I am setting up to "Cisco AMP for Endpoints Events Input" on windows 2016.<BR /> I think the following 3 credentials are correct because I can retrieve information using curl command with these credential.</P> <P>-AMP for Endpoints API Host <BR /> -API Client ID <BR /> -API Key </P> <P>After I input the following credentials, I select "New Input" tab, The following message appears:</P> <PRE><CODE>"Warning! We couldn’t retrieve the information from API with provided credentials. Please make sure the API host is accessible or re-configure the input with correct credentials." </CODE></PRE> <P>Did I miss some setting? <BR /> Please advise me about the possible cause.</P> <P>Best Regards</P> Sat, 15 Jun 2019 16:46:07 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Cisco-AMP-for-Endpoints-Events-Input-Cannot-retrieve-data/m-p/424183#M51785 ksakagaw 2019-06-15T16:46:07Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Cisco-AMP-for-Endpoints-Events-Input-Cannot-retrieve-data/m-p/424184#M51786 <P>You would probably be better off posting to Cisco forums.</P> Sat, 15 Jun 2019 23:15:25 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Cisco-AMP-for-Endpoints-Events-Input-Cannot-retrieve-data/m-p/424184#M51786 woodcock 2019-06-15T23:15:25Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Cisco-AMP-for-Endpoints-Events-Input-Cannot-retrieve-data/m-p/424185#M51787 <P>Okay. Thanks for advice.</P> Sun, 16 Jun 2019 01:39:21 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Cisco-AMP-for-Endpoints-Events-Input-Cannot-retrieve-data/m-p/424185#M51787 ksakagaw 2019-06-16T01:39:21Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Cisco-AMP-for-Endpoints-Events-Input-Cannot-retrieve-data/m-p/424186#M51788 <P>Hi @ksakagaw,</P> <P>Try setting API Host should to api.eu.amp.cisco.com.</P> <P>seems like the same issue as : <A href="https://answers.splunk.com/answers/697574/how-to-configure-cisco-amp-for-endpoints-events-in.html">https://answers.splunk.com/answers/697574/how-to-configure-cisco-amp-for-endpoints-events-in.html</A></P> Tue, 18 Jun 2019 08:46:47 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Cisco-AMP-for-Endpoints-Events-Input-Cannot-retrieve-data/m-p/424186#M51788 DavidHourani 2019-06-18T08:46:47Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Cisco-AMP-for-Endpoints-Events-Input-Cannot-retrieve-data/m-p/424187#M51789 <P>Have a look into the logfile (in our install, this was the path, you might have to look for it) /opt/splunk/var/log/splunk/amp4e_events_input.log</P> <P>look for SSL-errors (supposedly someone screwed up the certificate-handling when packing this app)</P> <P>did the Handshake-fix mentioned here: <A href="https://github.com/Cisco-AMP/amp4e_splunk_events_input/issues/5" target="_blank">https://github.com/Cisco-AMP/amp4e_splunk_events_input/issues/5</A></P> <P>did the ssl-shared-options-fix mentioned here: <A href="https://github.com/Cisco-AMP/amp4e_splunk_events_input/issues/12" target="_blank">https://github.com/Cisco-AMP/amp4e_splunk_events_input/issues/12</A></P> <P>This atleast got the log to connect and say " INFO Amp4eEvents - Connected. Starting to consume."</P> Wed, 30 Sep 2020 01:03:40 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Cisco-AMP-for-Endpoints-Events-Input-Cannot-retrieve-data/m-p/424187#M51789 alindkvist 2020-09-30T01:03:40Z