REST_TA inputs.conf vs curl

tobinbxnz
Explorer

I am trying to use the REST_TA to retrieve records from the TrendMicro CAS REST API.

The rest_ta errors with a timeout and a curl with the equivalent headers and parameters returns a JSON result. This would indicate that the inputs.conf is somehow wrong.

Here is the inputs.conf (sensitive info is masked):

[rest://TMCAS-exchange-securityrisk]
endpoint = https://api.tmcas.trendmicro.com/siem/v1/security_events
activation_key = XXXACTIVATIONKEYHEREXXX
http_method = GET
auth_type = none
http_header_propertys = "Authorization=Bearer YYYREMOTEACCESSTMCASTOKENHEREYYY"
url_args = service=exchange,event=securityrisk
response_type = json
polling_interval = 300
index = staging
index_error_response_codes = 0
sequential_mode = 0
sourcetype = trend:cloud:tmcas
streaming_request = 0

And gives the following result:

INFO Starting new HTTPS connection (1): api.tmcas.trendmicro.com
ERROR HTTP Request Timeout error: HTTPSConnectionPool(host='api.tmcas.trendmicro.com', port=443): Read timed out.

The curl I have constructed to use the same values is this:

curl -H "Authorization: Bearer YYYREMOTEACCESSTMCASTOKENHEREYYY" "https://api.tmcas.trendmicro.com/siem/v1/security_events?service=sharepoint&event=securityrisk&start=2019-03-26T00:00:00.000Z"

And gives the JSON result:

{"current_link":"https://api.tmcas.trendmicro.com/siem/v1/security_events?service=sharepoint&event=securityrisk&start=2019-03-26T00:00:00.000Z","next_link":"","security_events":[]}

What am I doing wrong?

0 Karma

tobinbxnz
Explorer

The issue is in this config line:

http_header_propertys = "Authorization=Bearer YYYREMOTEACCESSTMCASTOKENHEREYYY"

The quotes are not required, so it should read:

http_header_propertys = Authorization=Bearer YYYREMOTEACCESSTMCASTOKENHEREYYY

Many thanks to the support on the BaboonBones Slack support channel.

0 Karma
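
A pre-flight check for the mistake resolved in this thread, as an added example that is not part of the original posts and is not REST_TA code. It assumes http_header_propertys is read as comma-separated name=value pairs split on the first "="; the stanza names and the helpers parse_header_propertys and lint_inputs_conf are hypothetical.

```python
import configparser
import re

# Characters RFC 7230 allows in an HTTP header field name ("token").
TOKEN = re.compile(r"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")

# Constructed sample: the first stanza mirrors the quoted line from the question,
# the second the corrected line from the answer. Stanza names are made up.
SAMPLE = """
[rest://quoted-example]
endpoint = https://api.tmcas.trendmicro.com/siem/v1/security_events
http_header_propertys = "Authorization=Bearer YYYREMOTEACCESSTMCASTOKENHEREYYY"

[rest://unquoted-example]
endpoint = https://api.tmcas.trendmicro.com/siem/v1/security_events
http_header_propertys = Authorization=Bearer YYYREMOTEACCESSTMCASTOKENHEREYYY
"""

def parse_header_propertys(raw, delimiter=","):
    """ASSUMED model: comma-separated name=value pairs, split on the first '='."""
    headers = {}
    for item in raw.split(delimiter):
        if "=" in item:
            name, value = item.split("=", 1)
            headers[name.strip()] = value.strip()
    return headers

def lint_inputs_conf(text):
    """Return (stanza, problem) tuples for header settings that carry stray quotes."""
    cp = configparser.RawConfigParser(delimiters=("=",), strict=False)
    cp.optionxform = str  # keep setting names case-sensitive
    cp.read_string(text)
    findings = []
    for stanza in cp.sections():
        raw = cp.get(stanza, "http_header_propertys", fallback="")
        for name, value in parse_header_propertys(raw).items():
            if not TOKEN.match(name):
                findings.append((stanza, f"invalid header name {name!r}"))
            if value[:1] == '"' or value[-1:] == '"':
                findings.append((stanza, f"stray quote in value of {name!r}"))
    return findings

if __name__ == "__main__":
    for stanza, problem in lint_inputs_conf(SAMPLE):
        print(f"{stanza}: {problem}")
```

Under that assumed parsing, the quoted line yields a header named `"Authorization` whose value ends in `"`, so no well-formed Authorization header is sent; the unquoted line yields the same header the curl command sends.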