
API Modular Input - Get Data from Fritzbox (Router) - HTTP Request error: 403 Client Error: Forbidden

christianmuelle
Explorer

Hi There,

I tried to get data from my router via its API. Syslog is no option, since this is not available for this device.

When I generate a session ID and use it in my browser it works.

When I use the REST API Modular Input with the following settings:

I get the following error:
ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/rest_ta/bin/rest.py" HTTP Request error: 403 Client Error: Forbidden

Could anyone give me advice or a how-to for getting a valid API call for a Fritzbox?

tbaublys_splunk
Splunk Employee

You may achieve the same (retrieve fritzbox logs) using a script from here https://github.com/mcktr/check_tr64_fritz/tree/master/devel and running it like this:
sh fetch_tr64_data.sh -h FRITZBOX_IP -u dslf-config -P "PASSWORD" -U deviceinfo -s DeviceInfo -a GetInfo
It returns xml content with embedded log.

0 Karma

Damien_Dallimor
Ultra Champion

Well, at an initial glance you are not declaring your URL arguments correctly.

You should use a comma, not an ampersand, to delimit the key=value parameters; the setup page even shows the correct format for you right under the input field.

0 Karma

christianmuelle
Explorer

I also tried with comma, still Error 403

With basic authentication, and without authentication with an externally generated session ID.

0 Karma

Damien_Dallimor
Ultra Champion

Does your web server have logs to tell you the specific reason it is issuing a 403 response?

0 Karma

christianmuelle
Explorer

It reports only an invalid session ID, but only if I try to access via Splunk; via Firefox it works.

0 Karma

christianmuelle
Explorer

When I run the following script, I get a value back, API still not running:

#!/bin/bash
# Log in to the Fritzbox via challenge-response, then query one switch.
SERVER="192.168.178.1"
PASSWORD="secret"

# Step 1: request a login challenge.
challengeRsp=$(curl --header "Accept: application/xml" \
    --header "Content-Type: text/plain" \
    "http://$SERVER/login_sid.lua" 2>/dev/null)

# Keep only the text between <Challenge> and </Challenge>.
challenge=$(echo "$challengeRsp" | sed "s/^.*<Challenge>//" | sed "s/<\/Challenge>.*$//")

if [[ -z $challenge ]]; then
    echo "No challenge found"
    exit 1
fi

# Step 2: response = challenge-md5(UTF-16LE("challenge-password")).
challenge_bf="$challenge-$PASSWORD"
challenge_bf=$(echo -n "$challenge_bf" | iconv -t UTF-16LE | md5sum - | cut -c 1-32)
response_bf="$challenge-$challenge_bf"

url="http://$SERVER/login_sid.lua"

# Step 3: post the response to obtain a session ID.
sidRsp=$(curl --header "Accept: text/html,application/xhtml+xml,application/xml" \
    --header "Content-Type: application/x-www-form-urlencoded" \
    -d "response=$response_bf" \
    "$url" 2>/dev/null)

# Keep only the text between <SID> and </SID>.
sid=$(echo "$sidRsp" | sed "s/^.*<SID>//" | sed "s/<\/SID>.*$//")

# An all-zero SID means the login was rejected.
regex="^0+$"
if [[ $sid =~ $regex ]]; then
    echo "Invalid password"
    exit 1
fi

# Step 4: call the API with the fresh SID.
stats=$(curl --header "Accept: application/xml" \
    --header "Content-Type: text/plain" \
    "http://$SERVER/webservices/homeautoswitch.lua?ain=087610156436&switchcmd=getswitchpower&sid=$sid" 2>/dev/null)

echo "$stats"

0 Karma
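The login handshake that the script above performs, written as an added example that is not part of the original post: it reads the `login_sid.lua` reply with an XML parser instead of `sed` and builds the response value offline. The function names and the sample XML are constructed for illustration; only the `Challenge` and `SID` element names and the hashing steps come from the script.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample of a login_sid.lua reply before login (values are made up).
SAMPLE_CHALLENGE_XML = (
    "<SessionInfo><SID>0000000000000000</SID>"
    "<Challenge>1a2b3c4d</Challenge></SessionInfo>"
)


def parse_session_info(xml_text):
    """Return (sid, challenge) from a login_sid.lua reply; missing fields become ''."""
    root = ET.fromstring(xml_text)
    sid = (root.findtext(".//SID") or "").strip()
    challenge = (root.findtext(".//Challenge") or "").strip()
    return sid, challenge


def is_valid_sid(sid):
    """Same test as the script's ^0+$ regex: an all-zero SID means 'not logged in'."""
    return bool(sid) and sid.strip("0") != ""


def build_response(challenge, password):
    """challenge + '-' + md5(UTF-16LE(challenge + '-' + password)), as in the script."""
    digest = hashlib.md5(f"{challenge}-{password}".encode("utf-16-le")).hexdigest()
    return f"{challenge}-{digest}"


def login_form_fields(challenge_xml, password):
    """Build the form body that is POSTed back to login_sid.lua."""
    _, challenge = parse_session_info(challenge_xml)
    if not challenge:
        raise ValueError("no <Challenge> element in reply")
    return {"response": build_response(challenge, password)}


def extract_sid(login_reply_xml):
    """Return the SID from the second reply, or raise if the login was rejected."""
    sid, _ = parse_session_info(login_reply_xml)
    if not is_valid_sid(sid):
        raise PermissionError("login rejected: SID missing or all zeros")
    return sid


if __name__ == "__main__":
    print(login_form_fields(SAMPLE_CHALLENGE_XML, "secret"))
```
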

Damien_Dallimor
Ultra Champion

Paste your actual stanza from inputs.conf.

0 Karma

christianmuelle
Explorer

[default]
index = default
_rcvbuf = 1572864
host = $decideOnStartup

[blacklist:$SPLUNK_HOME/etc/auth]

[monitor://$SPLUNK_HOME/var/log/splunk]
index = _internal

[monitor://$SPLUNK_HOME/var/log/splunk/license_usage_summary.log]
index = _telemetry

[monitor://$SPLUNK_HOME/etc/splunk.version]
_TCP_ROUTING = *
index = _internal
sourcetype=splunk_version

[batch://$SPLUNK_HOME/var/spool/splunk]
move_policy = sinkhole
crcSalt =

[batch://$SPLUNK_HOME/var/spool/splunk/...stash_new]
queue = stashparsing
sourcetype = stash_new
move_policy = sinkhole
crcSalt =

[fschange:$SPLUNK_HOME/etc]

# poll every 10 minutes
pollPeriod = 600
# generate audit events into the audit index, instead of fschange events
signedaudit=true
recurse=true
followLinks=false
hashMaxSize=-1
fullEvent=false
sendEventMaxSize=-1
filesPerDelay = 10
delayInMills = 100

[udp]
connection_host=ip

[tcp]
acceptFrom=*
connection_host=dns

[splunktcp]
route=has_key:_replicationBucketUUID:replicationQueue;has_key:_dstrx:typingQueue;has_key:_linebreaker:indexQueue;absent_key:_linebreaker:parsingQueue
acceptFrom=*
connection_host=ip

[script]
interval = 60.0
start_by_shell = true

0 Karma

Damien_Dallimor
Ultra Champion

I can not see your rest://xxxx stanza there.

Try looking under a local directory in another app context. Or searching for it at the command line with find / grep etc...

0 Karma

kamlesh_vaghela
SplunkTrust

Hi @christianmueller,

1) Does your router API not require any user ID or password?
2) Can you please try to change Authentication Type to HTTP Basic?

Thanks

0 Karma

christianmuelle
Explorer

Thanks for your fast answer.

Authentication is required and is maintained by a session ID (SID). I used the one from the browser to double check.

With basic authentication or SID I get the following error code:

" ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/rest_ta/bin/rest.py" HTTP Request error: 403 Client Error: Forbidden"

When I tried without SID and authentication I also get an Error 403, so it seems that the authentication is not working in general.

Do you have any hint?

Thx
Christian

0 Karma