Splunk Dev

How to collect event log from SEPC?

holm_arsene
Engager

I have been trying to export and collect event logs from SEPC to my internal Splunk since last week. First, I found this error:

"requests.exceptions.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:579)"

So I solved this problem by adding one more parameter (verify=False in the "requests.post" method); after that the error disappeared. However, I did not find any event logs in my Splunk.

I have been searching for a solution to this problem for 2 weeks and cannot find any. So please let me know:
can you collect and forward event logs from Symantec cloud to your Splunk? And
could you please help me solve this problem?

This is the script:

import json
import os
import sys
from base64 import b64encode

import requests

r3_url = "https://usea1.r3.securitycloud.symantec.com/r3_epmp_i"
oauth_url = "/oauth2/tokens"
# Bug fixed: the route must be the bare path. The original
# "/sccs/v1/events/export HTTP/1.1" put a space and the protocol version into
# the URL, so requests posted to ".../export%20HTTP/1.1" and never reached the
# export endpoint, which is why no events arrived.
export_api = "/sccs/v1/events/export"
#CONFIG_INI = os.path.join('/Applications/Splunk/', 'bin', 'scripts', 'SEPCloudConfig.ini')
CONFIG_INI = os.path.join('/opt/splunk/', 'bin', 'scripts', 'SEPCloudConfig.ini')
START_DATE = 'start_date'
END_DATE = 'end_date'
CONFIG_EVENTS_SECTION = 'Events'
BATCH_SIZE = 'batch_size'
TYPE = 'event_type_filter'
CONFIG_AUTHENTICATION_SECTION = 'Authentication'
CLIENT_ID = 'client_id'
CLIENT_SECRET = 'client_secret'
# verify=False (the poster's workaround for CERTIFICATE_VERIFY_FAILED) turns off TLS
# certificate checking, so anyone who can intercept the connection can read the
# client secret and the token. Prefer the path of the CA bundle that actually signs
# the certificate you see (for example a TLS-inspecting proxy's CA):
# VERIFY_TLS = '/path/to/ca-bundle.pem'
VERIFY_TLS = False


def build_base_headers():
    # Not shown in the post; minimal definition assumed here so the script runs.
    return {"Accept": "application/json"}


def get_oauth_token(client_id, client_secret):

    headers = build_base_headers()
    headers.update({"Content-Type": "application/x-www-form-urlencoded"})

    # b64encode needs bytes (the original passed a str, which fails on Python 3)
    token = b64encode((client_id + ":" + client_secret).encode("ascii")).decode("ascii")
    headers.update({"Authorization": "Basic " + token})
    params = {'grant_type': 'client_credentials'}

    response = requests.post("%s%s" % (r3_url, oauth_url),
                             headers=headers,
                             data=params, verify=VERIFY_TLS)

    if response.status_code == 200:
        data = response.json()
        # Bug fixed: the original fell through to "return None" even on success, so
        # every export call was sent with no usable Authorization header. Assumes a
        # standard OAuth2 token response (access_token, token_type per RFC 6749).
        return "%s %s" % (data.get("token_type", "Bearer"), data["access_token"])

    sys.stderr.write("token request failed: HTTP %d %s\n"
                     % (response.status_code, response.text))
    return None


# Function to export events
def export_events(token, event_type, batch_size, start_date, end_date, client_id, client_secret,
                  retry_on_401=True):

    data = None

    headers = build_base_headers()
    headers.update({"Content-Type": "application/json"})
    headers.update({"Authorization": token})

    params = json.dumps({
        "type": event_type,
        "batchSize": int(batch_size),
        "startDate": start_date,
        "endDate": end_date,
    })
    response = requests.post("%s%s" % (r3_url, export_api),
                             headers=headers,
                             data=params, verify=VERIFY_TLS)

    if response.status_code == requests.codes.ok:
        data = response.json()

    elif response.status_code == 401 and retry_on_401:
        # Token rejected or expired: fetch a new one and retry exactly once. The
        # original recursed with no limit and threw the retry's result away.
        token = get_oauth_token(client_id, client_secret)
        if token is not None:
            data = export_events(token, event_type, batch_size, start_date, end_date,
                                 client_id, client_secret, retry_on_401=False)
    else:
        sys.stderr.write("export failed: HTTP %d %s\n"
                         % (response.status_code, response.text))

    return data

Please help me. Thank you so much.

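The exchange the posted script is trying to drive, as an added example that is not part of the original post or of any Symantec SDK. It assumes Python 3.8+, a standard RFC 6749 client_credentials token response (access_token plus token_type), and that the export endpoint takes the JSON body the poster sends and answers 401 for a rejected token. FakeSepc, the client credentials, the date window, the event type "EXAMPLE_TYPE" and the returned events are all constructed so the flow runs offline; urllib_transport is the real transport for production use and keeps certificate verification on, taking a CA bundle path instead of the verify=False workaround. run_demo() walks three cases: the " HTTP/1.1" suffix that the posted export_api carries into the URL path, a correct export, and a 401 that is answered by one token refresh and one retry rather than unbounded recursion.

```python
# Added example (not from the post): the SEPC OAuth2 + event-export exchange, offline.
# Tenant URL, credentials, dates and events are constructed; FakeSepc stands in for the API.
import base64
import json
import ssl
import urllib.error
import urllib.request
from urllib.parse import urlencode, urlsplit

R3_URL = "https://usea1.r3.securitycloud.symantec.com/r3_epmp_i"
OAUTH_PATH, EXPORT_PATH = "/oauth2/tokens", "/sccs/v1/events/export"
CLIENT_ID, CLIENT_SECRET = "example-client-id", "example-client-secret"  # constructed


def urllib_transport(method, url, headers, body, cafile=None):
    """Production transport, TLS verification ON; pass a proxy's CA bundle as cafile."""
    ctx = ssl.create_default_context(cafile=cafile)
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


class SepcClient:
    """transport(method, url, headers, body) -> (status, bytes) is injected: fake or real."""

    def __init__(self, base_url, client_id, client_secret, transport):
        self.base_url, self.client_id, self.client_secret = base_url, client_id, client_secret
        self.transport, self.token, self.calls = transport, None, []  # calls: (path, status)

    def _post(self, path, headers, body):
        status, raw = self.transport("POST", self.base_url + path, headers, body)
        self.calls.append((path, status))
        return status, raw

    def get_token(self):
        # RFC 6749 client_credentials: HTTP Basic client_id:client_secret, form-encoded grant
        basic = base64.b64encode(f"{self.client_id}:{self.client_secret}".encode()).decode()
        headers = {"Authorization": "Basic " + basic,
                   "Content-Type": "application/x-www-form-urlencoded"}
        status, raw = self._post(OAUTH_PATH, headers, urlencode({"grant_type": "client_credentials"}).encode())
        if status != 200:
            raise RuntimeError(f"token request failed: HTTP {status}")
        data = json.loads(raw)  # access_token + token_type, per RFC 6749
        self.token = f"{data.get('token_type', 'Bearer')} {data['access_token']}"

    def export_events(self, event_type, batch_size, start_date, end_date, path=EXPORT_PATH):
        if self.token is None:
            self.get_token()
        body = json.dumps({"type": event_type, "batchSize": int(batch_size),
                           "startDate": start_date, "endDate": end_date}).encode()
        for attempt in range(2):  # on 401: refresh the token and retry exactly once
            headers = {"Authorization": self.token, "Content-Type": "application/json"}
            status, raw = self._post(path, headers, body)
            if status == 200:
                return json.loads(raw)
            if status != 401 or attempt:
                raise RuntimeError(f"export failed: HTTP {status} for path {path!r}")
            self.get_token()


class FakeSepc:
    """Constructed stand-in for the API: issues tokens, checks them, serves events."""

    def __init__(self):
        self.issued, self.valid = 0, set()

    def __call__(self, method, url, headers, body):
        path = urlsplit(url).path[len(urlsplit(R3_URL).path):]  # drop the tenant prefix
        if method == "POST" and path == OAUTH_PATH:
            want = "Basic " + base64.b64encode(f"{CLIENT_ID}:{CLIENT_SECRET}".encode()).decode()
            if headers.get("Authorization") != want or b"grant_type=client_credentials" not in body:
                return 401, b'{"error": "invalid_client"}'
            self.issued += 1
            self.valid.add(tok := f"token-{self.issued}")
            return 200, json.dumps({"access_token": tok, "token_type": "Bearer"}).encode()
        if method == "POST" and path == EXPORT_PATH:
            auth = headers.get("Authorization", "")
            if not (auth.startswith("Bearer ") and auth[7:] in self.valid):
                return 401, b'{"message": "Unauthorized"}'
            req = json.loads(body)
            events = [{"type": req["type"], "seq": i} for i in range(req["batchSize"])]
            return 200, json.dumps({"events": events}).encode()
        return 404, b"Not Found"  # what "/sccs/v1/events/export HTTP/1.1" gets


def run_demo():
    """Three cases: the posted path bug, a good export, and a 401 refresh-and-retry."""
    api = FakeSepc()
    client = SepcClient(R3_URL, CLIENT_ID, CLIENT_SECRET, api)
    window = ("2018-03-01T00:00:00.000Z", "2018-03-02T00:00:00.000Z")  # constructed dates
    out = {}
    try:  # 1. the " HTTP/1.1" suffix from the posted script becomes part of the URL path
        client.export_events("EXAMPLE_TYPE", 2, *window, path=EXPORT_PATH + " HTTP/1.1")
    except RuntimeError as err:
        out["bad_path"] = str(err)
    out["events"] = len(client.export_events("EXAMPLE_TYPE", 2, *window)["events"])  # 2.
    api.valid.clear()  # 3. server-side expiry: expect 401 -> new token -> 200
    out["events_after_refresh"] = len(client.export_events("EXAMPLE_TYPE", 3, *window)["events"])
    out["tokens_issued"], out["calls"] = api.issued, list(client.calls)
    return out
```

Against the real service, build the client with functools.partial(urllib_transport, cafile="/path/to/ca-bundle.pem") and the poster's client_id and client_secret; the call log in out["calls"] shows at a glance whether the token endpoint was hit, whether the export path was the bare route, and whether a 401 was followed by exactly one refresh.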

nagendra1111
New Member

@holm_arsene, are you able to fetch logs?
I am also facing the same problem.


richgalloway
SplunkTrust

Converted from answer to https://answers.splunk.com/answers/635384/symantec-cloud-scripted-input.html#answer-719709


marend
Explorer

Splunkers, has anyone got this data onboarded to Splunk? If so, would you mind sharing feedback or docs?
