I have installed the Cisco Cloudlock for Splunk app:
https://splunkbase.splunk.com/app/3043/
And configured the API-token, URL, etc, as documented here:
https://github.com/CiscoDevNet/cloud-security/tree/master/Cloudlock/Splunk/Cisco%20Cloudlock%20Splun...
However, I'm not seeing any data.
I don't see any outbound connections or calls to the API service via netstat
And I don't see a corresponding log for the input in /opt/splunk/var/log/splunk
How else can I monitor/check the status of the Data Input?
Thanks!
@yaronc
from my splunkd.log:
09-16-2020 15:44:31.022 -0400 ERROR ExecProcessor - message from "/opt/splunk/bin/python2.7 /opt/splunk/etc/apps/cloudlock/bin/cloudlock.py" InsecureRequestWarning)
09-16-2020 15:44:31.272 -0400 INFO ExecProcessor - message from "/opt/splunk/bin/python2.7 /opt/splunk/etc/apps/cloudlock/bin/cloudlock.py" Received HTTP Code: 200
09-16-2020 15:44:31.276 -0400 INFO ExecProcessor - message from "/opt/splunk/bin/python2.7 /opt/splunk/etc/apps/cloudlock/bin/cloudlock.py" CloudLock: 100 new incidents found
09-16-2020 15:44:31.331 -0400 INFO ExecProcessor - message from "/opt/splunk/bin/python2.7 /opt/splunk/etc/apps/cloudlock/bin/cloudlock.py" CloudLock: Getting last incidents from 2020-03-10T17:50:36.979766+00:00 (offset 100)
09-16-2020 15:44:31.333 -0400 ERROR ExecProcessor - message from "/opt/splunk/bin/python2.7 /opt/splunk/etc/apps/cloudlock/bin/cloudlock.py" /opt/splunk/lib/python2.7/site-packages/urllib3/connectionpool.py:851: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings
09-16-2020 15:44:31.333 -0400 ERROR ExecProcessor - message from "/opt/splunk/bin/python2.7 /opt/splunk/etc/apps/cloudlock/bin/cloudlock.py" InsecureRequestWarning)
09-16-2020 15:44:31.367 -0400 INFO ExecProcessor - message from "/opt/splunk/bin/python2.7 /opt/splunk/etc/apps/cloudlock/bin/cloudlock.py" Received HTTP Code: 429
09-16-2020 15:44:31.367 -0400 ERROR ExecProcessor - message from "/opt/splunk/bin/python2.7 /opt/splunk/etc/apps/cloudlock/bin/cloudlock.py" 429 Client Error: TOO MANY REQUESTS for url: https://api.cloudlock.com/api/v2/incidents?count_total=false&updated_after=2020-03-10T17%3A50%3A36.979766%2B00%3A00&offset=100&order=updated_at&limit=100
This looks like it's working.. just no events in index.