Solved: REST API Modular Input - 401 Client Unauthorized

joseft · ‎09-03-2018

I am trying to access Carbon Black via The REST API. As expected, this works in Postman:
Console Output (keys and tokens changed):

GET
https://api-prod06.conferdeploy.net/integrationServices/v3/event/
Proxy:
host:"127.0.0.1"
port:9000
match:"http+https://*/*"
Request Headers:
x-auth-token:"CYLVZZZZZZZZZZZZZ/3IZNXXXX"
cache-control:"no-cache"
postman-token:"c092b323-fc8e-4c1d-9a6d-c6f042000000"
user-agent:"PostmanRuntime/7.2.0"
accept:"*/*"
host:"api-prod06.conferdeploy.net"
cookie:"__cfduid=ddfebf41ad8fce5ba32a3bd7b71e891e61535000000"
accept-encoding:"gzip, deflate"
Response Headers:
content-type:"application/json;charset=ISO-8859-1"
date:"Mon, 03 Sep 2018 09:21:47 GMT"
server:"Apache-Coyote/1.1"
content-length:"491061"
connection:"Close"
Response Body:
200
590 ms

It starts off OK

And then crashes out with a 401 error.

Any help would be appreciated.

Thanks in advance.

joseft · ‎09-05-2018

I found it. In Carbon Black, the api key has its own whitelist. You have to have the Splunk server ip whitelisted in Carbon Black for the key to work.

View solution in original post

joseft · ‎09-05-2018

I found it. In Carbon Black, the api key has its own whitelist. You have to have the Splunk server ip whitelisted in Carbon Black for the key to work.

richgalloway · ‎09-05-2018

@joseft, If your problem is resolved, please accept the answer to help future readers.

---
If this reply helps you, Karma would be appreciated.

joseft · ‎09-05-2018

I found it. In Carbon Black, the api key has its own whitelist. You have to have the Splunk server ip whitelisted in Carbon Black for the key to work.

REST API Modular Input - 401 Client Unauthorized

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

Preparing your Splunk Environment for OpenSSL3

Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector