Developing for Splunk Enterprise

How to collect event log from SEPC?

Engager

I have been tried to export and collect event log from SEPC to my internal Splunk since last week. Firstly, I found error :

"requests.exceptions.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:579)"

So, I solved this problem by add more parameter (verify=False at "requests,post" method) , after that error disappeared. However, I did not found any event log in my Splunk.

I have been searched the solution of this problem for 2 weeks, and cannot found any solution. So, please let me know,
can you collect and forward event log from Symantec cloud to your Splunk ? and
Could you please to solve this problem for me ?

This is script:

r3_url = "https://usea1.r3.securitycloud.symantec.com/r3_epmp_i"
oauth_url = "/oauth2/tokens"
#export_api = "/sccs/v1/events/export"
export_api = "/sccs/v1/events/export HTTP/1.1"
#CONFIG_INI = os.path.join('/Applications/Splunk/', 'bin', 'scripts', 'SEPCloudConfig.ini')
CONFIG_INI = os.path.join('/opt/splunk/', 'bin', 'scripts', 'SEPCloudConfig.ini')
START_DATE = 'start_date'
END_DATE = 'end_date'
CONFIG_EVENTS_SECTION = 'Events'
BATCH_SIZE = 'batch_size'
TYPE = 'event_type_filter'
CONFIG_AUTHENTICATION_SECTION = 'Authentication'
CLIENT_ID = 'client_id'
CLIENT_SECRET = 'client_secret'


def get_oauth_token(client_id, client_secret):

    headers = build_base_headers()
    headers.update({"Content-Type": "application/x-www-form-urlencoded"})

    token = b64encode(client_id + ":" + client_secret).decode("ascii")
    headers.update({"Authorization": "Basic " + token})
    params = {'grant_type': 'client_credentials'}

    response = requests.post("%s%s" % (r3_url, oauth_url),
                             headers=headers,
                             data=params, verify=False)

    if response.status_code == 200:
        data = response.json()

    return None


# Function to export events
def export_events(token, event_type, batch_size, start_date, end_date, client_id, client_secret):

    data = None

    headers = build_base_headers()
    headers.update({"Content-Type": "application/json"})
    headers.update({"Authorization": token})

    keys = ["type", "batchSize", "startDate", "endDate"]
    values = [event_type, int(batch_size), start_date, end_date]

    params = {}
    for index in range(len(keys)):
        params[keys[index]] = values[index]

    params = json.dumps(params)
    response = requests.post("%s%s" % (r3_url, export_api),
                             headers=headers,
                             data=params, verify=False)

    if response.status_code == requests.codes.ok:
        data = response.json()

    # TODO: To Test
    elif response.status_code == 401:
        token = get_oauth_token(client_id, client_secret)
        export_events(token, event_type, batch_size, start_date, end_date, client_id, client_secret)

    return data

Please help me. Thank you so much.

Labels (1)
Tags (2)

New Member

@holm_arsene are you able to fetch logs?
i am also facing same problem.

0 Karma

SplunkTrust
SplunkTrust

Converted from answer to https://answers.splunk.com/answers/635384/symantec-cloud-scripted-input.html#answer-719709

---
If this reply helps you, an upvote would be appreciated.
0 Karma