- Splunk Answers
- :
- Using Splunk
- :
- Splunk Dev
- :
- How to collect event log from SEPC?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to collect event log from SEPC?
I have been tried to export and collect event log from SEPC to my internal Splunk since last week. Firstly, I found error :
"requests.exceptions.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:579)"
So, I solved this problem by add more parameter (verify=False at "requests,post" method) , after that error disappeared. However, I did not found any event log in my Splunk.
I have been searched the solution of this problem for 2 weeks, and cannot found any solution. So, please let me know,
can you collect and forward event log from Symantec cloud to your Splunk ? and
Could you please to solve this problem for me ?
This is script:
r3_url = "https://usea1.r3.securitycloud.symantec.com/r3_epmp_i"
oauth_url = "/oauth2/tokens"
#export_api = "/sccs/v1/events/export"
export_api = "/sccs/v1/events/export HTTP/1.1"
#CONFIG_INI = os.path.join('/Applications/Splunk/', 'bin', 'scripts', 'SEPCloudConfig.ini')
CONFIG_INI = os.path.join('/opt/splunk/', 'bin', 'scripts', 'SEPCloudConfig.ini')
START_DATE = 'start_date'
END_DATE = 'end_date'
CONFIG_EVENTS_SECTION = 'Events'
BATCH_SIZE = 'batch_size'
TYPE = 'event_type_filter'
CONFIG_AUTHENTICATION_SECTION = 'Authentication'
CLIENT_ID = 'client_id'
CLIENT_SECRET = 'client_secret'
def get_oauth_token(client_id, client_secret):
headers = build_base_headers()
headers.update({"Content-Type": "application/x-www-form-urlencoded"})
token = b64encode(client_id + ":" + client_secret).decode("ascii")
headers.update({"Authorization": "Basic " + token})
params = {'grant_type': 'client_credentials'}
response = requests.post("%s%s" % (r3_url, oauth_url),
headers=headers,
data=params, verify=False)
if response.status_code == 200:
data = response.json()
return None
# Function to export events
def export_events(token, event_type, batch_size, start_date, end_date, client_id, client_secret):
data = None
headers = build_base_headers()
headers.update({"Content-Type": "application/json"})
headers.update({"Authorization": token})
keys = ["type", "batchSize", "startDate", "endDate"]
values = [event_type, int(batch_size), start_date, end_date]
params = {}
for index in range(len(keys)):
params[keys[index]] = values[index]
params = json.dumps(params)
response = requests.post("%s%s" % (r3_url, export_api),
headers=headers,
data=params, verify=False)
if response.status_code == requests.codes.ok:
data = response.json()
# TODO: To Test
elif response.status_code == 401:
token = get_oauth_token(client_id, client_secret)
export_events(token, event_type, batch_size, start_date, end_date, client_id, client_secret)
return data
Please help me. Thank you so much.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@holm_arsene are you able to fetch logs?
i am also facing same problem.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Converted from answer to https://answers.splunk.com/answers/635384/symantec-cloud-scripted-input.html#answer-719709
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Splunkers, anyone got this data onboarded to Splunk? If so, would you mind to share feedback or docs.
Join Us for Splunk University and Get Your Bootcamp Game On!
.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!
Announcing Scheduled Export GA for Dashboard Studio
