All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

REST_TA inputs.conf vs curl

tobinbxnz
Explorer
‎03-27-2019 08:39 PM

I am trying to use the REST_TA to retrieve records from the TrendMicro CAS REST API.

The rest_ta errors with a timeout and a curl with the equivalent headers and parameters returns a JSON result. This would indicate that the inputs.conf is somehow wrong.

Here is the inputs.conf (sensitive info is masked)

[rest://TMCAS-exchange-securityrisk]
endpoint = https://api.tmcas.trendmicro.com/siem/v1/security_events
activation_key = XXXACTIVATIONKEYHEREXXX
http_method = GET
auth_type = none
http_header_propertys = "Authorization=Bearer YYYREMOTEACCESSTMCASTOKENHEREYYY"
url_args = service=exchange,event=securityrisk
response_type = json
polling_interval = 300
index = staging
index_error_response_codes = 0
sequential_mode = 0
sourcetype = trend:cloud:tmcas
streaming_request = 0

And gives the following result:

INFO Starting new HTTPS connection (1): api.tmcas.trendmicro.com
ERROR HTTP Request Timeout error: HTTPSConnectionPool(host='api.tmcas.trendmicro.com', port=443): Read timed out.

The curl I have constructed to use the same values is this:

curl  -H "Authorization: Bearer YYYREMOTEACCESSTMCASTOKENHEREYYY" "https://api.tmcas.trendmicro.com/siem/v1/security_events?service=sharepoint&event=securityrisk&start=2019-03-26T00:00:00.000Z"

And gives the JSON result:

{"current_link":"https://api.tmcas.trendmicro.com/siem/v1/security_events?service=sharepoint&event=securityrisk&start=2019-03-26T00:00:00.000Z","next_link":"","security_events":[]}

What am I doing wrong?

Tags (1)
0 Karma
Reply

tobinbxnz
Explorer
‎04-01-2019 12:05 PM

The issue is in this config line:

http_header_propertys = "Authorization=Bearer YYYREMOTEACCESSTMCASTOKENHEREYYY"

The quotes are not required, so it should read

http_header_propertys = Authorization=Bearer YYYREMOTEACCESSTMCASTOKENHEREYYY

Many thanks to the support on the BaboonBones Slack support channel

0 Karma
Reply
Get Updates on the Splunk Community!

Community Content Calendar, November Edition

Welcome to the November edition of our Community Spotlight! Each month, we dive into the Splunk Community to ...

October Community Champions: A Shoutout to Our Contributors!

As October comes to a close, we want to take a moment to celebrate the people who make the Splunk Community ...

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...