REST_TA inputs.conf vs curl

tobinbxnz
Explorer

I am trying to use the REST_TA to retrieve records from the TrendMicro CAS REST API.

The rest_ta errors with a timeout, and a curl with the equivalent headers and parameters returns a JSON result. This would indicate that the inputs.conf is somehow wrong.

Here is the inputs.conf (sensitive info is masked):

[rest://TMCAS-exchange-securityrisk]
endpoint = https://api.tmcas.trendmicro.com/siem/v1/security_events
activation_key = XXXACTIVATIONKEYHEREXXX
http_method = GET
auth_type = none
http_header_propertys = "Authorization=Bearer YYYREMOTEACCESSTMCASTOKENHEREYYY"
url_args = service=exchange,event=securityrisk
response_type = json
polling_interval = 300
index = staging
index_error_response_codes = 0
sequential_mode = 0
sourcetype = trend:cloud:tmcas
streaming_request = 0

And gives the following result:

INFO Starting new HTTPS connection (1): api.tmcas.trendmicro.com
ERROR HTTP Request Timeout error: HTTPSConnectionPool(host='api.tmcas.trendmicro.com', port=443): Read timed out.

The curl I have constructed to use the same values is this:

curl -H "Authorization: Bearer YYYREMOTEACCESSTMCASTOKENHEREYYY" "https://api.tmcas.trendmicro.com/siem/v1/security_events?service=sharepoint&event=securityrisk&start=2019-03-26T00:00:00.000Z"

And gives the JSON result:

{"current_link":"https://api.tmcas.trendmicro.com/siem/v1/security_events?service=sharepoint&event=securityrisk&start=2019-03-26T00:00:00.000Z","next_link":"","security_events":[]}

What am I doing wrong?

0 Karma

tobinbxnz
Explorer

The issue is in this config line:

http_header_propertys = "Authorization=Bearer YYYREMOTEACCESSTMCASTOKENHEREYYY"

The quotes are not required, so it should read:

http_header_propertys = Authorization=Bearer YYYREMOTEACCESSTMCASTOKENHEREYYY

Many thanks to the support on the BaboonBones Slack support channel.

0 Karma
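
Why the quotes matter, as an added example that is not part of the original posts and is not REST_TA's own code: it assumes the add-on splits http_header_propertys on commas and each item on the first "=", without stripping quotes. The function names and the two sample stanzas are constructed for illustration.

```python
# Added example, not REST_TA source. ASSUMPTION: the add-on splits
# http_header_propertys on "," and each item on the first "=", keeping quotes.
STANZA = """[rest://TMCAS-exchange-securityrisk]
endpoint = https://api.tmcas.trendmicro.com/siem/v1/security_events
auth_type = none
http_header_propertys = %s
"""
TOKEN = "YYYREMOTEACCESSTMCASTOKENHEREYYY"  # masked placeholder from the post
QUOTED = STANZA % ('"Authorization=Bearer %s"' % TOKEN)   # constructed sample
UNQUOTED = STANZA % ("Authorization=Bearer %s" % TOKEN)   # constructed sample


def read_stanza(text):
    """Collect 'key = value' settings from one inputs.conf stanza."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "[")):
            continue
        key, _, value = line.partition("=")  # first "=" ends the setting name
        settings[key.strip()] = value.strip()
    return settings


def parse_header_propertys(raw, delimiter=","):
    """Turn 'K1=V1,K2=V2' into a header dict; quotes are kept verbatim."""
    headers = {}
    for item in raw.split(delimiter):
        if "=" in item:
            name, value = item.split("=", 1)
            headers[name.strip()] = value.strip()
    return headers


def lint_headers(stanza_text):
    """Return (headers that would be sent, findings) for a stanza."""
    raw = read_stanza(stanza_text).get("http_header_propertys", "")
    headers = parse_header_propertys(raw)
    findings = [
        "quote character would be sent literally in header %r" % name
        for name, value in headers.items()
        if any(q in name + value for q in "\"'")
    ]
    return headers, findings


if __name__ == "__main__":
    for label, stanza in (("quoted", QUOTED), ("unquoted", UNQUOTED)):
        headers, findings = lint_headers(stanza)
        print(label, sorted(headers), findings or "ok")
```

Under that assumption the quoted form produces a header named `"Authorization` whose value ends in a stray quote, so the API never receives a header named `Authorization`.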