All Apps and Add-ons

Cisco AMP for Endpoints Events Input: Cannot retrieve data despite correct credential input

Engager

Hello,

I am setting up to "Cisco AMP for Endpoints Events Input" on windows 2016.
I think the following 3 credentials are correct because I can retrieve information using curl command with these credential.

-AMP for Endpoints API Host
-API Client ID
-API Key

After I input the following credentials, I select "New Input" tab, The following message appears:

"Warning! We couldn’t retrieve the information from API with provided credentials. Please make sure the API host is accessible or re-configure the input with correct credentials."

Did I miss some setting?
Please advise me about the possible cause.

Best Regards

New Member

Have a look into the logfile (in our install, this was the path, you might have to look for it) /opt/splunk/var/log/splunk/amp4e_events_input.log

look for SSL-errors (supposedly someone screwed up the certificate-handling when packing this app)

did the Handshake-fix mentioned here: https://github.com/Cisco-AMP/amp4e_splunk_events_input/issues/5

did the ssl-shared-options-fix mentioned here: https://github.com/Cisco-AMP/amp4e_splunk_events_input/issues/12

This atleast got the log to connect and say " INFO Amp4eEvents - Connected. Starting to consume."

0 Karma

SplunkTrust
SplunkTrust

Hi @ksakagaw,

Try setting API Host should to api.eu.amp.cisco.com.

seems like the same issue as : https://answers.splunk.com/answers/697574/how-to-configure-cisco-amp-for-endpoints-events-in.html

0 Karma

Esteemed Legend

You would probably be better off posting to Cisco forums.

0 Karma

Engager

Okay. Thanks for advice.

0 Karma