I've installed and configured the Cisco AMP for Endpoints Events Input app 2.0.2, and the API calls seem to work, but data isn't coming in. Instead, it is repetitively logging the following messages into $SPLUNK_HOME/var/log/splunk/amp4e_events_input.log:
2022-03-31 11:35:05,815 ERROR Amp4eEvents - Consumer Error that does not look like connection failure! See the traceback below.
2022-03-31 11:35:05,816 ERROR Amp4eEvents - Traceback (most recent call last):
  File "/opt/splunk/etc/apps/amp4e_events_input/bin/util/stream_consumer.py", line 34, in run
    self._connection = pika.BlockingConnection(pika.URLParameters(self._url))
  File "/opt/splunk/etc/apps/amp4e_events_input/bin/pika/adapters/blocking_connection.py", line 377, in __init__
    self._process_io_for_connection_setup()
  File "/opt/splunk/etc/apps/amp4e_events_input/bin/pika/adapters/blocking_connection.py", line 417, in _process_io_for_connection_setup
    self._open_error_result.is_ready)
  File "/opt/splunk/etc/apps/amp4e_events_input/bin/pika/adapters/blocking_connection.py", line 469, in _flush_output
    raise maybe_exception
pika.exceptions.ProbableAuthenticationError: (403, 'ACCESS_REFUSED - Login was refused using authentication mechanism PLAIN. For details see the broker logfile.')
I don't know what broker logfile it's suggesting I reference, or how to fix this error since the authentication type is hard-coded in the app. All the errors I'm finding when I search relate to RabbitMQ.