Hi there,
I tried to get data from my router via its API. Syslog is no option, since this is not available for this device.
When I generate a session ID and use it in my browser, it works.
When I use the REST API Modular Input with the following settings:
I get the following error:
ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/rest_ta/bin/rest.py" HTTP Request error: 403 Client Error: Forbidden
Could anyone give me some advice or a how-to for getting a valid API call for a fritzbox?
You may achieve the same (retrieve fritzbox logs) using a script from here https://github.com/mcktr/check_tr64_fritz/tree/master/devel and running it like this:
sh fetch_tr64_data.sh -h FRITZBOX_IP -u dslf-config -P "PASSWORD" -U deviceinfo -s DeviceInfo -a GetInfo
It returns xml content with embedded log.
Well, at an initial glance you are not declaring your URL arguments correctly.
You should use a comma, not an ampersand, to delimit the key=value parameters; the setup page even shows the correct format for you right under the input field.
I also tried with a comma, still error 403.
With basic authentication, and without authentication with an externally generated session ID.
Does your web server have logs to tell you the specific reason it is issuing a 403 response?
It reports only an invalid session ID, but only if I try to access via Splunk; via Firefox it works.
When I run the following script, I get a value back, API still not running:
#!/bin/bash
SERVER="192.168.178.1"
PASSWORD="secret"

# Step 1: request a login challenge from the box
challengeRsp=$(curl --header "Accept: application/xml" \
    --header "Content-Type: text/plain" \
    "http://$SERVER/login_sid.lua" 2>/dev/null)
# Keep only the text between <Challenge> and </Challenge>
challenge=$(echo "$challengeRsp" | sed "s/^.*<Challenge>//" | sed "s/<\/Challenge>.*$//")
if [[ -z $challenge ]]; then
    echo "No challenge found"
    exit 1
fi

# Step 2: response = challenge + "-" + MD5 of "challenge-password" encoded as UTF-16LE
challenge_bf="$challenge-$PASSWORD"
challenge_bf=$(echo -n "$challenge_bf" | iconv -t UTF-16LE | md5sum - | cut -c 1-32)
response_bf="$challenge-$challenge_bf"

# Step 3: post the response to obtain a session ID (SID)
url="http://$SERVER/login_sid.lua"
sidRsp=$(curl --header "Accept: text/html,application/xhtml+xml,application/xml" \
    --header "Content-Type: application/x-www-form-urlencoded" \
    -d "response=$response_bf" \
    "$url" 2>/dev/null)
# Keep only the text between <SID> and </SID>
sid=$(echo "$sidRsp" | sed "s/^.*<SID>//" | sed "s/<\/SID>.*$//")
# An all-zero SID means the login was rejected
regex="^0+$"
if [[ $sid =~ $regex ]]; then
    echo "Invalid password"
    exit 1
fi

# Step 4: call the API with the fresh SID
IFS=' '
stats=$(curl --header "Accept: application/xml" \
    --header "Content-Type: text/plain" \
    "http://$SERVER/webservices/homeautoswitch.lua?ain=087610156436&switchcmd=getswitchpower&sid=$sid" 2>/dev/null)
echo $stats
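The login handshake from the script above, as an added offline example in Python (not part of the original thread and not code from the REST API Modular Input): it parses a login_sid.lua reply with an XML parser instead of sed, computes the response, and decides what a collector that logs in itself at each poll should do next. The function names and the sample replies are constructed for this example; the BlockTime element is part of the FRITZ!Box login reply but does not appear in the thread.

```python
import hashlib
import re
import xml.etree.ElementTree as ET

# Constructed login_sid.lua replies (all values are made up for this example).
SAMPLE_CHALLENGE_XML = ("<SessionInfo><SID>0000000000000000</SID>"
                        "<Challenge>1a2b3c4d</Challenge><BlockTime>0</BlockTime></SessionInfo>")
SAMPLE_BLOCKED_XML = ("<SessionInfo><SID>0000000000000000</SID>"
                      "<Challenge>5e6f7a8b</Challenge><BlockTime>8</BlockTime></SessionInfo>")
SAMPLE_LOGGED_IN_XML = ("<SessionInfo><SID>9c1d0f3a5b7e2468</SID>"
                        "<Challenge>5e6f7a8b</Challenge><BlockTime>0</BlockTime></SessionInfo>")


def parse_session_info(xml_text):
    """Return (sid, challenge, block_time) from a login_sid.lua reply."""
    root = ET.fromstring(xml_text)
    sid = (root.findtext("SID") or "").strip()
    challenge = (root.findtext("Challenge") or "").strip()
    block_time = int(root.findtext("BlockTime") or 0)
    return sid, challenge, block_time


def login_response(challenge, password):
    """challenge + '-' + MD5 of 'challenge-password' encoded as UTF-16LE."""
    digest = hashlib.md5(f"{challenge}-{password}".encode("utf-16-le")).hexdigest()
    return f"{challenge}-{digest}"


def sid_is_valid(sid):
    """An all-zero (or empty) SID means the box did not accept the login."""
    return bool(sid) and re.fullmatch(r"0+", sid) is None


def next_step(xml_text, password):
    """Decide what the collector does with a login_sid.lua reply."""
    sid, challenge, block_time = parse_session_info(xml_text)
    if sid_is_valid(sid):
        return ("use_sid", sid)            # append as sid=... to the API URL
    if block_time > 0:
        return ("wait", block_time)        # seconds before the next login attempt
    if not challenge:
        return ("error", "no challenge in reply")
    return ("post_response", login_response(challenge, password))


if __name__ == "__main__":
    for reply in (SAMPLE_CHALLENGE_XML, SAMPLE_BLOCKED_XML, SAMPLE_LOGGED_IN_XML):
        print(next_step(reply, "secret"))
```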
Paste your actual stanza from inputs.conf.
[default]
index = default
_rcvbuf = 1572864
host = $decideOnStartup
[blacklist:$SPLUNK_HOME/etc/auth]
[monitor://$SPLUNK_HOME/var/log/splunk]
index = _internal
[monitor://$SPLUNK_HOME/var/log/splunk/license_usage_summary.log]
index = _telemetry
[monitor://$SPLUNK_HOME/etc/splunk.version]
_TCP_ROUTING = *
index = _internal
sourcetype=splunk_version
[batch://$SPLUNK_HOME/var/spool/splunk]
move_policy = sinkhole
crcSalt =
[batch://$SPLUNK_HOME/var/spool/splunk/...stash_new]
queue = stashparsing
sourcetype = stash_new
move_policy = sinkhole
crcSalt =
[fschange:$SPLUNK_HOME/etc]
pollPeriod = 600
signedaudit=true
recurse=true
followLinks=false
hashMaxSize=-1
fullEvent=false
sendEventMaxSize=-1
filesPerDelay = 10
delayInMills = 100
[udp]
connection_host=ip
[tcp]
acceptFrom=*
connection_host=dns
[splunktcp]
route=has_key:_replicationBucketUUID:replicationQueue;has_key:_dstrx:typingQueue;has_key:_linebreaker:indexQueue;absent_key:_linebreaker:parsingQueue
acceptFrom=*
connection_host=ip
[script]
interval = 60.0
start_by_shell = true
I can not see your rest://xxxx stanza there.
Try looking under a local directory in another app context. Or searching for it at the command line with find / grep etc...
Hi @christianmueller,
1) Does your router API not require any user ID or password?
2) Can you please try to change Authentication Type to HTTP Basic?
Thanks
Thanks for your fast answer.
Authentication is required and is maintained by a session ID (SID). I used the one from the browser to double check.
With basic authentication or SID I get the following error code:
ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/rest_ta/bin/rest.py" HTTP Request error: 403 Client Error: Forbidden
When I tried without SID and authentication I also got an error 403, so it seems that the authentication is not working in general.
Do you have any hint?
Thx
Christian