API Modular Input - Get Data from Fritzbox (Router) - HTTP Request error: 403 Client Error: Forbidden

christianmuelle
Explorer

Hi There,

I tried to get data from my router via its API. Syslog is no option, since this is not available for this device.

When I generate a session ID and use it in my browser, it works.

When I use the REST API Modular Input with the following settings:

I get the following error:
ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/rest_ta/bin/rest.py" HTTP Request error: 403 Client Error: Forbidden

Could anyone give me advice or a how-to for getting a valid API call for a Fritzbox?

tbaublys_splunk
Splunk Employee

You may achieve the same (retrieve fritzbox logs) using a script from here https://github.com/mcktr/check_tr64_fritz/tree/master/devel and running it like this:
sh fetch_tr64_data.sh -h FRITZBOX_IP -u dslf-config -P "PASSWORD" -U deviceinfo -s DeviceInfo -a GetInfo
It returns xml content with embedded log.

0 Karma

Damien_Dallimor
Ultra Champion

Well, at an initial glance, you are not declaring your URL arguments correctly.

You should use a comma, not an ampersand, to delimit the key=value parameters; the setup page even shows the correct format for you right under the input field.

0 Karma

christianmuelle
Explorer

I also tried with comma, still Error 403

With basic authentication, and without authentication with an externally generated session ID

0 Karma

Damien_Dallimor
Ultra Champion

Does your web server have logs to tell you the specific reason it is issuing a 403 response?

0 Karma

christianmuelle
Explorer

It reports only an invalid session ID, but only if I try to access via Splunk; via Firefox it works.

0 Karma

christianmuelle
Explorer

When I run the following script, I get a value back, API still not running:

#!/bin/bash
# Log in to the Fritzbox via challenge-response and query one switch value.
SERVER="192.168.178.1"
PASSWORD="secret"

# Step 1: request a login challenge
challengeRsp=$(curl --header "Accept: application/xml" \
    --header "Content-Type: text/plain" \
    "http://$SERVER/login_sid.lua" 2>/dev/null)

# Extract the text between <Challenge> and </Challenge>
challenge=$(echo "$challengeRsp" | sed "s/^.*<Challenge>//" | sed "s/<\/Challenge>.*$//")

if [[ -z $challenge ]]; then
    echo "No challenge found"
    exit 1
fi

# Step 2: response = challenge + "-" + MD5 of UTF-16LE("challenge-password")
challenge_bf="$challenge-$PASSWORD"
challenge_bf=$(echo -n "$challenge_bf" | iconv -t UTF-16LE | md5sum - | cut -c 1-32)
response_bf="$challenge-$challenge_bf"

url="http://$SERVER/login_sid.lua"

# Step 3: send the response to obtain a session ID
sidRsp=$(curl --header "Accept: text/html,application/xhtml+xml,application/xml" \
    --header "Content-Type: application/x-www-form-urlencoded" \
    -d "response=$response_bf" \
    "$url" 2>/dev/null)

# Extract the text between <SID> and </SID>
sid=$(echo "$sidRsp" | sed "s/^.*<SID>//" | sed "s/<\/SID>.*$//")

# A SID consisting only of zeros means the login was rejected
regex="^0+$"
if [[ $sid =~ $regex ]]; then
    echo "Invalid password"
    exit 1
fi

# Step 4: call the API with the session ID
IFS=' '
stats=$(curl --header "Accept: application/xml" \
    --header "Content-Type: text/plain" \
    "http://$SERVER/webservices/homeautoswitch.lua?ain=087610156436&switchcmd=getswitchpower&sid=$sid" 2>/dev/null)

echo "$stats"

0 Karma
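
The login step of the script above, in Python (the language the rest_ta input runs), as an added example that is not part of the original post. It parses the login_sid.lua reply as XML instead of with sed and decides what a poller should do next; the sample replies are constructed, and the BlockTime and Rights elements and all function names are assumptions.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample replies from login_sid.lua (not captured from a device).
SAMPLE_CHALLENGE_REPLY = (
    "<SessionInfo><SID>0000000000000000</SID><Challenge>1234567z</Challenge>"
    "<BlockTime>0</BlockTime><Rights></Rights></SessionInfo>"
)
SAMPLE_SID_REPLY = (
    "<SessionInfo><SID>a1b2c3d4e5f60718</SID><Challenge>89abcdef</Challenge>"
    "<BlockTime>0</BlockTime><Rights></Rights></SessionInfo>"
)


def parse_session_info(xml_text):
    """Return (sid, challenge, block_time) from a login_sid.lua reply."""
    root = ET.fromstring(xml_text)
    sid = (root.findtext("SID") or "").strip()
    challenge = (root.findtext("Challenge") or "").strip()
    # BlockTime is an assumed element: seconds to wait after failed logins.
    block_time = int(root.findtext("BlockTime") or 0)
    return sid, challenge, block_time


def challenge_response(challenge, password):
    """challenge + "-" + MD5 of UTF-16LE("challenge-password"), as in the script."""
    digest = hashlib.md5(f"{challenge}-{password}".encode("utf-16-le")).hexdigest()
    return f"{challenge}-{digest}"


def next_step(xml_text, password):
    """Decide what a poller should do with a login_sid.lua reply."""
    sid, challenge, block_time = parse_session_info(xml_text)
    if sid and set(sid) != {"0"}:
        return ("use_sid", sid)        # valid session: pass sid=<SID> on API calls
    if block_time > 0:
        return ("wait", block_time)    # back off instead of retrying the login
    if not challenge:
        return ("error", "no challenge in reply")
    return ("login", challenge_response(challenge, password))


if __name__ == "__main__":
    print(next_step(SAMPLE_CHALLENGE_REPLY, "secret"))
    print(next_step(SAMPLE_SID_REPLY, "secret"))
```

A scripted input would POST the "login" value as response= to login_sid.lua, as the shell script does, and feed the reply back through next_step to obtain its own SID.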

Damien_Dallimor
Ultra Champion

paste your actual stanza from inputs.conf

0 Karma

christianmuelle
Explorer

[default]
index = default
_rcvbuf = 1572864
host = $decideOnStartup

[blacklist:$SPLUNK_HOME/etc/auth]

[monitor://$SPLUNK_HOME/var/log/splunk]
index = _internal

[monitor://$SPLUNK_HOME/var/log/splunk/license_usage_summary.log]
index = _telemetry

[monitor://$SPLUNK_HOME/etc/splunk.version]
_TCP_ROUTING = *
index = _internal
sourcetype=splunk_version

[batch://$SPLUNK_HOME/var/spool/splunk]
move_policy = sinkhole
crcSalt =

[batch://$SPLUNK_HOME/var/spool/splunk/...stash_new]
queue = stashparsing
sourcetype = stash_new
move_policy = sinkhole
crcSalt =

[fschange:$SPLUNK_HOME/etc]
# poll every 10 minutes
pollPeriod = 600
# generate audit events into the audit index, instead of fschange events
signedaudit=true
recurse=true
followLinks=false
hashMaxSize=-1
fullEvent=false
sendEventMaxSize=-1
filesPerDelay = 10
delayInMills = 100

[udp]
connection_host=ip

[tcp]
acceptFrom=*
connection_host=dns

[splunktcp]
route=has_key:_replicationBucketUUID:replicationQueue;has_key:_dstrx:typingQueue;has_key:_linebreaker:indexQueue;absent_key:_linebreaker:parsingQueue
acceptFrom=*
connection_host=ip

[script]
interval = 60.0
start_by_shell = true

0 Karma

Damien_Dallimor
Ultra Champion

I can not see your rest://xxxx stanza there.

Try looking under a local directory in another app context. Or searching for it at the command line with find / grep etc...

0 Karma

kamlesh_vaghela
SplunkTrust

Hi @christianmueller,

1) Does your router API not require any user ID or password?
2) Can you please try to change Authentication Type to HTTP Basic?

Thanks

0 Karma

christianmuelle
Explorer

Thanks for your fast answer.

Authentication is required and is maintained by a session ID (SID). I used the one from the browser to double check.

With basic authentication or sid I get the following error code:

" ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/rest_ta/bin/rest.py" HTTP Request error: 403 Client Error: Forbidden"

When I tried without SID and authentication I also got an Error 403, so it seems that the authentication is not working in general.

Do you have any hint?

Thx
Christian

0 Karma