REST_TA inputs.conf vs curl

tobinbxnz
I am trying to use the REST_TA to retrieve records from the TrendMicro CAS REST API.

The rest_ta errors with a timeout and a curl with the equivalent headers and parameters returns a JSON result. This would indicate that the inputs.conf is somehow wrong.

Here is the inputs.conf (sensitive info is masked):

[rest://TMCAS-exchange-securityrisk]
endpoint = https://api.tmcas.trendmicro.com/siem/v1/security_events
activation_key = XXXACTIVATIONKEYHEREXXX
http_method = GET
auth_type = none
http_header_propertys = "Authorization=Bearer YYYREMOTEACCESSTMCASTOKENHEREYYY"
url_args = service=exchange,event=securityrisk
response_type = json
polling_interval = 300
index = staging
index_error_response_codes = 0
sequential_mode = 0
sourcetype = trend:cloud:tmcas
streaming_request = 0

And gives the following result:

INFO Starting new HTTPS connection (1): api.tmcas.trendmicro.com
ERROR HTTP Request Timeout error: HTTPSConnectionPool(host='api.tmcas.trendmicro.com', port=443): Read timed out.

The curl I have constructed to use the same values is this:

curl -H "Authorization: Bearer YYYREMOTEACCESSTMCASTOKENHEREYYY" "https://api.tmcas.trendmicro.com/siem/v1/security_events?service=sharepoint&event=securityrisk&start=2019-03-26T00:00:00.000Z"

And gives the JSON result:

{"current_link":"https://api.tmcas.trendmicro.com/siem/v1/security_events?service=sharepoint&event=securityrisk&start=2019-03-26T00:00:00.000Z","next_link":"","security_events":[]}

What am I doing wrong?

tobinbxnz
The issue is in this config line:

http_header_propertys = "Authorization=Bearer YYYREMOTEACCESSTMCASTOKENHEREYYY"

The quotes are not required, so it should read:

http_header_propertys = Authorization=Bearer YYYREMOTEACCESSTMCASTOKENHEREYYY

Many thanks to the support on the BaboonBones Slack support channel.
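
A lint for the quoting problem described in the answer above, as an added example that is not part of the original posts and is not REST_TA code. It assumes http_header_propertys and url_args are parsed as comma-separated key=value pairs split on the first "="; the function names are hypothetical. Under that assumption the quoted form yields no header named Authorization at all.

```python
import configparser

# Constructed sample: the stanza from the post, trimmed to the relevant keys.
SAMPLE_CONF = """
[rest://TMCAS-exchange-securityrisk]
endpoint = https://api.tmcas.trendmicro.com/siem/v1/security_events
http_header_propertys = "Authorization=Bearer YYYREMOTEACCESSTMCASTOKENHEREYYY"
url_args = service=exchange,event=securityrisk
"""
STANZA = "rest://TMCAS-exchange-securityrisk"
QUOTES = ('"', "'")


def load(conf_text):
    # Split settings on '=' only and keep values verbatim (no % interpolation).
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    parser.read_string(conf_text)
    return parser


def split_pairs(raw):
    """Assumed parsing: comma-separated key=value pairs, split on the first '='."""
    pairs = {}
    for item in raw.split(","):
        if "=" in item:
            key, value = item.split("=", 1)
            pairs[key.strip()] = value.strip()
    return pairs


def effective_headers(conf_text, stanza):
    """Header names and values as they would be sent under the assumed parsing."""
    return split_pairs(load(conf_text).get(stanza, "http_header_propertys", fallback=""))


def lint_inputs(conf_text):
    """Return (stanza, setting, name, problem) for quote characters kept as data."""
    parser, findings = load(conf_text), []
    for stanza in parser.sections():
        for setting in ("http_header_propertys", "url_args"):
            for name, value in split_pairs(parser.get(stanza, setting, fallback="")).items():
                if name.startswith(QUOTES):
                    findings.append((stanza, setting, name, "name starts with a quote"))
                if value.endswith(QUOTES):
                    findings.append((stanza, setting, name, "value ends with a quote"))
    return findings


if __name__ == "__main__":
    print(effective_headers(SAMPLE_CONF, STANZA))
    for finding in lint_inputs(SAMPLE_CONF):
        print(finding)
```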
