
Troubleshooting Cisco Cloudlock Data Input

richardphung
Communicator

I have installed the Cisco Cloudlock for Splunk app:
https://splunkbase.splunk.com/app/3043/

And configured the API token, URL, etc., as documented here:
https://github.com/CiscoDevNet/cloud-security/tree/master/Cloudlock/Splunk/Cisco%20Cloudlock%20Splun...

However, I'm not seeing any data.

I don't see any outbound connections or calls to the API service via netstat,
and I don't see a corresponding log for the input in /opt/splunk/var/log/splunk.

How else can I monitor/check the status of the Data Input?

Thanks!
@yaronc 

0 Karma

richardphung
Communicator

From my splunkd.log:

09-16-2020 15:44:31.022 -0400 ERROR ExecProcessor - message from "/opt/splunk/bin/python2.7 /opt/splunk/etc/apps/cloudlock/bin/cloudlock.py"   InsecureRequestWarning)
09-16-2020 15:44:31.272 -0400 INFO  ExecProcessor - message from "/opt/splunk/bin/python2.7 /opt/splunk/etc/apps/cloudlock/bin/cloudlock.py" Received HTTP Code: 200
09-16-2020 15:44:31.276 -0400 INFO  ExecProcessor - message from "/opt/splunk/bin/python2.7 /opt/splunk/etc/apps/cloudlock/bin/cloudlock.py" CloudLock: 100 new incidents found
09-16-2020 15:44:31.331 -0400 INFO  ExecProcessor - message from "/opt/splunk/bin/python2.7 /opt/splunk/etc/apps/cloudlock/bin/cloudlock.py" CloudLock: Getting last incidents from 2020-03-10T17:50:36.979766+00:00 (offset 100)
09-16-2020 15:44:31.333 -0400 ERROR ExecProcessor - message from "/opt/splunk/bin/python2.7 /opt/splunk/etc/apps/cloudlock/bin/cloudlock.py" /opt/splunk/lib/python2.7/site-packages/urllib3/connectionpool.py:851: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings
09-16-2020 15:44:31.333 -0400 ERROR ExecProcessor - message from "/opt/splunk/bin/python2.7 /opt/splunk/etc/apps/cloudlock/bin/cloudlock.py"   InsecureRequestWarning)
09-16-2020 15:44:31.367 -0400 INFO  ExecProcessor - message from "/opt/splunk/bin/python2.7 /opt/splunk/etc/apps/cloudlock/bin/cloudlock.py" Received HTTP Code: 429
09-16-2020 15:44:31.367 -0400 ERROR ExecProcessor - message from "/opt/splunk/bin/python2.7 /opt/splunk/etc/apps/cloudlock/bin/cloudlock.py" 429 Client Error: TOO MANY REQUESTS for url: https://api.cloudlock.com/api/v2/incidents?count_total=false&updated_after=2020-03-10T17%3A50%3A36.979766%2B00%3A00&offset=100&order=updated_at&limit=100

This looks like it's working... just no events in the index.

0 Karma
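
One way to check what the input is doing from splunkd.log, as an added example (not part of the original posts and not the Cloudlock app's code): it parses ExecProcessor lines in the format shown above and tallies HTTP codes, reported incident counts, 429 responses and the unverified-HTTPS warning. The sample lines are constructed from the posted log, and the name `summarize` is hypothetical.

```python
import re
from collections import Counter

# Constructed sample: shortened copies of the ExecProcessor lines posted above.
CMD = '"/opt/splunk/bin/python2.7 /opt/splunk/etc/apps/cloudlock/bin/cloudlock.py"'
ROWS = [
    ("272", "INFO ", "Received HTTP Code: 200"),
    ("276", "INFO ", "CloudLock: 100 new incidents found"),
    ("333", "ERROR", "connectionpool.py:851: InsecureRequestWarning: "
                     "Unverified HTTPS request is being made."),
    ("367", "INFO ", "Received HTTP Code: 429"),
    ("367", "ERROR", "429 Client Error: TOO MANY REQUESTS"),
]
SAMPLE = "\n".join(
    f"09-16-2020 15:44:31.{ms} -0400 {lvl} ExecProcessor - message from {CMD} {msg}"
    for ms, lvl, msg in ROWS
)

LINE = re.compile(
    r'^(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4})\s+'
    r'(?P<level>[A-Z]+)\s+ExecProcessor - message from "(?P<cmd>[^"]+)"\s*(?P<msg>.*)$'
)

def summarize(log_text, script="cloudlock.py"):
    """Summarize what one scripted input reported through ExecProcessor."""
    out = {"http_codes": Counter(), "incidents_found": 0,
           "tls_unverified": False, "rate_limited": [], "last_seen": None}
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m or not m.group("cmd").endswith(script):
            continue  # not an ExecProcessor line for this script
        ts, msg = m.group("ts"), m.group("msg")
        out["last_seen"] = ts
        code = re.search(r"Received HTTP Code: (\d{3})", msg)
        if code:
            out["http_codes"][int(code.group(1))] += 1
            if code.group(1) == "429":
                # API rate limit hit; record when, so paging gaps can be traced
                out["rate_limited"].append(ts)
        found = re.search(r"(\d+) new incidents found", msg)
        if found:
            out["incidents_found"] += int(found.group(1))
        # urllib3 emits this when a request skips certificate verification
        if "InsecureRequestWarning: Unverified HTTPS request" in msg:
            out["tls_unverified"] = True
    return out

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

A `last_seen` of `None` means the script never logged through ExecProcessor at all, which is a different problem from a run that fetched incidents and then stopped on a 429.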