Splunk Dev

How to collect event log from SEPC?

holm_arsene
Engager

I have been tried to export and collect event log from SEPC to my internal Splunk since last week. Firstly, I found error :

"requests.exceptions.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:579)"

So, I solved this problem by add more parameter (verify=False at "requests,post" method) , after that error disappeared. However, I did not found any event log in my Splunk.

I have been searched the solution of this problem for 2 weeks, and cannot found any solution. So, please let me know,
can you collect and forward event log from Symantec cloud to your Splunk ? and
Could you please to solve this problem for me ?

This is script:

r3_url = "https://usea1.r3.securitycloud.symantec.com/r3_epmp_i"
oauth_url = "/oauth2/tokens"
#export_api = "/sccs/v1/events/export"
export_api = "/sccs/v1/events/export HTTP/1.1"
#CONFIG_INI = os.path.join('/Applications/Splunk/', 'bin', 'scripts', 'SEPCloudConfig.ini')
CONFIG_INI = os.path.join('/opt/splunk/', 'bin', 'scripts', 'SEPCloudConfig.ini')
START_DATE = 'start_date'
END_DATE = 'end_date'
CONFIG_EVENTS_SECTION = 'Events'
BATCH_SIZE = 'batch_size'
TYPE = 'event_type_filter'
CONFIG_AUTHENTICATION_SECTION = 'Authentication'
CLIENT_ID = 'client_id'
CLIENT_SECRET = 'client_secret'


def get_oauth_token(client_id, client_secret):

    headers = build_base_headers()
    headers.update({"Content-Type": "application/x-www-form-urlencoded"})

    token = b64encode(client_id + ":" + client_secret).decode("ascii")
    headers.update({"Authorization": "Basic " + token})
    params = {'grant_type': 'client_credentials'}

    response = requests.post("%s%s" % (r3_url, oauth_url),
                             headers=headers,
                             data=params, verify=False)

    if response.status_code == 200:
        data = response.json()

    return None


# Function to export events
def export_events(token, event_type, batch_size, start_date, end_date, client_id, client_secret):

    data = None

    headers = build_base_headers()
    headers.update({"Content-Type": "application/json"})
    headers.update({"Authorization": token})

    keys = ["type", "batchSize", "startDate", "endDate"]
    values = [event_type, int(batch_size), start_date, end_date]

    params = {}
    for index in range(len(keys)):
        params[keys[index]] = values[index]

    params = json.dumps(params)
    response = requests.post("%s%s" % (r3_url, export_api),
                             headers=headers,
                             data=params, verify=False)

    if response.status_code == requests.codes.ok:
        data = response.json()

    # TODO: To Test
    elif response.status_code == 401:
        token = get_oauth_token(client_id, client_secret)
        export_events(token, event_type, batch_size, start_date, end_date, client_id, client_secret)

    return data

Please help me. Thank you so much.

Labels (1)
Tags (2)

nagendra1111
New Member

@holm_arsene are you able to fetch logs?
i am also facing same problem.

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Converted from answer to https://answers.splunk.com/answers/635384/symantec-cloud-scripted-input.html#answer-719709

---
If this reply helps you, Karma would be appreciated.
0 Karma

marend
Explorer

Splunkers, anyone got this data onboarded  to Splunk? If so, would you mind to share feedback or docs.

 

0 Karma
Get Updates on the Splunk Community!

ATTENTION!! We’re MOVING (not really)

Hey, all! In an effort to keep this Slack workspace secure and also to make our new members' experience easy, ...

Splunk Admins: Build a Smarter Stack with These Must-See .conf25 Sessions

  Whether you're running a complex Splunk deployment or just getting your bearings as a new admin, .conf25 ...

AppDynamics Summer Webinars

This summer, our mighty AppDynamics team is cooking up some delicious content on YouTube Live to satiate your ...