Step 1: I have to use "PUT" to log in to my system and obtain a login token. The Webtools curl command only supports GET, POST and DELETE, as stated in the documentation. When I choose method=put I don't get any errors in Splunk; will it work as intended?
I need to authenticate via "userid" and "value" instead of user and password. I tried to put this information in the datafield like this, but it didn't work:
| makeresults count=1
| eval data="{\"userid\":\"ApiUser\",\"value\":\"password\"}"
| curl method=put uri=https://x.x.x.x:32102/rest/openapi/sm/session
| table curl*
The developer @jkat54 suggested that the Huawei system might want the username and password as parameters and I might have to urlencode them so I tried these:
uri=https://x.x.x.x:32102/rest/openapi/sm/session/?userid=ApiUser&value=password
uri=https://x.x.x.x:32102/rest/openapi/sm/session/%3Fuserid%3DApiUser%26value%3Dpassword
uri=https://x.x.x.x:32102/rest/openapi/sm/session/?userid%3DApiUser&value%3Dpassword
uri=https://x.x.x.x:32102/rest/openapi/sm/session/%3Fuserid=ApiUser%26value=password
I also tried uri=.../?xxx and uri=...?xxx
When I use Splunk and any variation of the curl command listed above the logs on the Huawei system show "Open API request from third system, URL: /rest/openapi/sm/session, error message: Authentication failed." and it shows username as "Invalid User".
If I connect to the API via another method the login succeeds. Whenever I input a wrong password or username, the chosen username will be displayed in the logs and the error message is "Failure reason: The user name does not match the password or the account does not exist."
Therefore it's not a wrong username or password error when using the curl command.
Step 2: After I obtain a session token with the above search (assuming it's working), I can use this token to query the API via executing additional curl commands. How would I do that in a Splunk search?
This is an excerpt from the documentation of the system's API to gain an access token:
/*
 * Log in Example
 */
public class Login
{
    public static void main(String[] args) throws Exception
    {
        login();
    }

    public static void login() throws Exception
    {
        //set the URL and method
        final String openidURL = "/rest/openapi/sm/session";
        final String method = "PUT";

        //set parameters
        final List<BasicNameValuePair> parameters = new ArrayList<BasicNameValuePair>();
        parameters.add(new BasicNameValuePair("userid", GlobalVar.GLOBAL_USERNAME));
        parameters.add(new BasicNameValuePair("value", GlobalVar.GLOBAL_USERVALUE));
        parameters.add(new BasicNameValuePair("ipaddr", GlobalVar.GLOBAL_USERIP));

        //send the request
        final HttpResponse response = NewHttpsAccess.access(GlobalVar.GLOBAL_IP,
                                                            GlobalVar.GLOBAL_PORT,
                                                            openidURL,
                                                            method,
                                                            null,
                                                            parameters);

        //get the result
        final String ret = NewHttpsAccess.getResult(response);
        System.out.println(ret);

        //resolve the result and get the openid
        final JSONObject jObject = JSONObject.fromObject(ret);
        if (null == jObject)
        {
            System.out.println("Login failed.");
            return;
        }
        if ("0".equals(String.valueOf(jObject.get("code"))))
        {
            final String openid = String.valueOf(jObject.get("data"));
            GlobalVar.globalOpenid = openid;
        }
    }
}
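The four URI variants tried in the question differ in whether "?", "&" and "=" still act as delimiters once they are percent-encoded. The following is an added example, not code from the thread or from the Webtools app: it splits each variant into path and query parameters, using Python's urllib as a stand-in for the server's URL parser (an assumption) and a constructed documentation address in place of the masked x.x.x.x host.

```python
from urllib.parse import urlsplit, parse_qs, urlencode

# Constructed sample host; the thread masks the real address as x.x.x.x.
BASE = "https://192.0.2.10:32102/rest/openapi/sm/session"

# The URI variants from the question, rebuilt against the sample host.
VARIANTS = {
    "literal": BASE + "/?userid=ApiUser&value=password",
    "all_encoded": BASE + "/%3Fuserid%3DApiUser%26value%3Dpassword",
    "equals_encoded": BASE + "/?userid%3DApiUser&value%3Dpassword",
    "delims_encoded": BASE + "/%3Fuserid=ApiUser%26value=password",
}


def split_request(uri):
    """Return (path, query parameters) as a standard URL parser sees them."""
    parts = urlsplit(uri)
    # keep_blank_values exposes keys that arrive without any value.
    params = parse_qs(parts.query, keep_blank_values=True)
    return parts.path, {name: values[0] for name, values in params.items()}


def build_login_uri(userid, value):
    """Percent-encode only the names and values, never the '?', '&', '=' delimiters."""
    return BASE + "?" + urlencode({"userid": userid, "value": value})


def report():
    """Collect, per variant, whether 'userid' and 'value' arrive as parameters."""
    rows = {}
    for name, uri in VARIANTS.items():
        path, params = split_request(uri)
        rows[name] = {"path": path, "params": params,
                      "credentials_seen": {"userid", "value"} <= params.keys()}
    return rows


if __name__ == "__main__":
    for name, row in report().items():
        print(f"{name:15} seen={row['credentials_seen']!s:5} "
              f"path={row['path']} params={row['params']}")
    # A password containing delimiter characters survives when only it is encoded.
    print(build_login_uri("ApiUser", "p&ss=w?rd"))
```

Whichever form the API accepts, credentials placed in a query string are typically recorded in proxy and web-server access logs, so a request body is preferable where the API supports it.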
Hey thanks for the awesome post!
I have a code fix for you in version 1.2.5: https://splunkbase.splunk.com/app/4146/
Here's where the code was buggy:
As always, thank you for your support and if you like my apps, please leave a review on Splunkbase, share some karma, or if you're super impressed, write a review for me on LinkedIn. Thanks again!
Thanks, but that didn't fix the problem. I added a PUT method to your curl.py and the connection can now be established.
that was my next idea...
I just added it to the app via version 1.2.6. Please do enjoy.