Archive

Why am I getting "HTTP Request error: 400 Client Error: Bad Request" trying to set up the Box App for Splunk on a heavy forwarder?

Explorer

So, I go into the Box App for Splunk on my Heavy Forwarder to do initial configuration. I successfully configure the app and validate the oauth information with my Box admin account. However, I notice I'm not getting any data. Looking in the splunkd log I'm seeing the following error.

ERROR ExecProcessor - message from "python /apps/splunk/etc/apps/BoxAppForSplunk/bin/box.py" HTTP Request error: 400 Client Error: Bad Request

The only thing I can think of is the account I have doesn't have access to the API, but wondering if anyone else has ran into this error.

Explorer

Well i finally successed with the "Splunk addon for box".. not that i know what really went wrong, but i made it to work. I just created a new box account and only used the term https://localhost:8000/ as redirect_uri.

However i guess that wasnt the problem but i did some search tests and figured out i had some overlapping in my dashboards with both box- addons. So i realized my SplunkAddon Dashboard was using some prebuild boxapp-panels, which didnt work. Furthermore my recently used search didnt work, because index=box sourcetype=box-rest-api dont show me any results. So with index=* source=https://api.box.com i got some results!

SPlunkAddon is using $decideonstartup as host/index, so maybe thats why i didnt find those logs earlier.

Mention the permission denies of my get requests, they still happen with boxappforsplunk..dunno whats wrong but iam fine now 🙂 thx for your help

SplunkTrust
SplunkTrust

I converted your comment to an answer. Please mark it as the answer and upvote to help others find it.

0 Karma

SplunkTrust
SplunkTrust

If you go to

https://api.box.com/2.0/events?created_after=2014-11-21T00%3A00%3A00-00%3A00&stream_position=0&creat...

do you get the same error?

Looks like the uri is wrong. Do you specify your boxURI anywhere? Host & Port anywhere? Looks like there is a variable here.... like $SPLUNKINSTANCE$/2.0/events.... and it's blank/missing so you just end up with /2.0/events...

Can you post your inputs.conf?

The endpoint in inputs.conf should be:
endpoint = https://api.box.com/2.0/events

I meant the inputs.conf in the box app for splunk:
alt text

0 Karma

Explorer

hello and thx for your reply

if i am clicking your link, i just get a white site.
My inputs.conf local is empty. Do i have to edit my local with endpoint = https://api.box.com/2.0/events ?

My URI in box for redirect is https://newbox:8000/en-US/manager/Splunk_TA_box/apps/local/Splunk_TA_box/setup?action=edit
Splunk add-on tells me credentials were successful, but with searching index=box sourcetype=box-rest-api i get no results.

Splunk server name is newbox, https is activated, webport 8000. APPPORT 8065. tried already this port, no change.

mentioning these logs...

2016-01-05 11:00:01,650 INFO 139915727435520 - Get https://api.box.com/2.0/events?stream_type=admin_logs&limit=500&stream_position=0&created_after=2015...

2016-01-05 11:00:02,058 ERROR 139915727435520 - Failed to connect https://api.box.com/2.0/events?stream_type=admin_logs&limit=500&stream_position=0&created_after=2015..., reason=Forbidden, {"type":"error","status":403,"code":"access_denied_insufficient_permissions","help_url":"http:\/\/developers.box.com\/docs\/#errors","message":"Access denied - insufficient permission","request_id":"43199700568bf692091f3"}

This is my inputs.conf default.

[default]
index         = default
_rcvbuf        = 1572864
host = $decideOnStartup


[blacklist:$SPLUNK_HOME/etc/auth]

[monitor://$SPLUNK_HOME/var/log/splunk]
index = _internal

[monitor://$SPLUNK_HOME/etc/splunk.version]
_TCP_ROUTING = *
index = _internal
sourcetype=splunk_version

[batch://$SPLUNK_HOME/var/spool/splunk]
move_policy = sinkhole
crcSalt = 

[batch://$SPLUNK_HOME/var/spool/splunk/...stash_new]
queue       = stashparsing
sourcetype  = stash_new
move_policy = sinkhole
crcSalt     = 

[fschange:$SPLUNK_HOME/etc]
#poll every 10 minutes
pollPeriod = 600
#generate audit events into the audit index, instead of fschange events
signedaudit=true
recurse=true
followLinks=false
hashMaxSize=-1
fullEvent=false
sendEventMaxSize=-1
filesPerDelay = 10
delayInMills = 100

[udp]
connection_host=ip

[tcp]
acceptFrom=*
connection_host=dns

[splunktcp]
route=has_key:_replicationBucketUUID:replicationQueue;has_key:_dstrx:typingQueue;has_key:_linebreaker:indexQueue;absent_key:_linebreaker:parsingQueue
acceptFrom=*
connection_host=ip

[script]
interval = 60.0
start_by_shell = true

[SSL]
# default cipher suites that splunk allows. Change this if you wish to increase the security 
# of SSL connections, or to lower it if you having trouble connecting to splunk.
cipherSuite = ALL:!aNULL:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
allowSslRenegotiation = true
sslQuietShutdown = false

#Allow only sslv3 and above connections
sslVersions = *,-ssl2
0 Karma

SplunkTrust
SplunkTrust

You're getting a 403, access is denied error. You need to check your authentication settings related to the box app. I've edited my original answer to show you the inputs.conf you should have in the box app's default directory.

Please do not post your "secret keys"

However, these keys need to be populated with your box api oauth stuffs. Below are the specific keys you need to edit, from the inputs.conf of the latest copy of the app itself (I just downloaded the app and opened it to view the file, no setup/install). So these are defaults. You need to add your own.

oauth2_client_id = tdmcuubsa2zix32pc4ucxzvzfylanc0z
oauth2_client_secret = GV42Oh5I6z6Hb6JskCFc0ihPzfe4Dj6J
oauth2_access_token =
oauth2_refresh_token =
0 Karma

Explorer

Your settings in your previously post are looking exactly like mine. clientid+secret is written there

Is this normal, that my BoxAppForSplunk directory in apps cannot be open-permission denied?

Another question... is this app even working with splunk enterprise TRIAL?

0 Karma

SplunkTrust
SplunkTrust

eww... i dont know if it does work with the trial, as many of them do not.

dbconnect doesnt for example.

I feel like you need an access token there, or different client id and secret.

Did you do step 4? https://cloud.app.box.com/BoxAppForSplunk

0 Karma

Explorer

I would like to add that I have seen this on 6.3.1 with Box app 1.4 on a Linux OS and a Microsoft 2012 R2 OS. I also see the same result on 6.2.5 and 1.2 and 1.4 version of Box. If you set the ExecProcessor to debug you can see a more detailed message of.
‘DEBUG ExecProcessor - message from "python /opt/splunk/etc/apps/BoxAppForSplunk/bin/box.py" "GET /2.0/events?created_after=2014-11-21T00%3A00%3A00-00%3A00&stream_position=0&created_before=2014-11-22T00%3A00%3A00-00%3A00&stream_type=admin_logs&limit=500 HTTP/1.1" 400 276’

I have spent about 30 hours trying to figure this one out.

0 Karma
Don’t Miss Global Splunk
User Groups Week!

Free LIVE events worldwide 2/8-2/12
Connect, learn, and collect rad prizes
and swag!