All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Cisco AMP for Endpoints Events Input: Cannot retrieve data despite correct credential input

ksakagaw
Explorer
‎06-15-2019 09:46 AM

Hello,

I am setting up to "Cisco AMP for Endpoints Events Input" on windows 2016.
I think the following 3 credentials are correct because I can retrieve information using curl command with these credential.

-AMP for Endpoints API Host
-API Client ID
-API Key

After I input the following credentials, I select "New Input" tab, The following message appears:

"Warning! We couldn’t retrieve the information from API with provided credentials. Please make sure the API host is accessible or re-configure the input with correct credentials."

Did I miss some setting?
Please advise me about the possible cause.

Best Regards

Reply
1 Solution
Solved! Jump to solution
Solution

alindkvist
Engager
‎06-26-2019 01:33 AM

Have a look into the logfile (in our install, this was the path, you might have to look for it) /opt/splunk/var/log/splunk/amp4e_events_input.log

look for SSL-errors (supposedly someone screwed up the certificate-handling when packing this app)

did the Handshake-fix mentioned here: https://github.com/Cisco-AMP/amp4e_splunk_events_input/issues/5

did the ssl-shared-options-fix mentioned here: https://github.com/Cisco-AMP/amp4e_splunk_events_input/issues/12

This atleast got the log to connect and say " INFO Amp4eEvents - Connected. Starting to consume."

View solution in original post

Reply
Solved! Jump to solution
Solution

alindkvist
Engager
‎06-26-2019 01:33 AM

Have a look into the logfile (in our install, this was the path, you might have to look for it) /opt/splunk/var/log/splunk/amp4e_events_input.log

look for SSL-errors (supposedly someone screwed up the certificate-handling when packing this app)

did the Handshake-fix mentioned here: https://github.com/Cisco-AMP/amp4e_splunk_events_input/issues/5

did the ssl-shared-options-fix mentioned here: https://github.com/Cisco-AMP/amp4e_splunk_events_input/issues/12

This atleast got the log to connect and say " INFO Amp4eEvents - Connected. Starting to consume."

Reply
Solved! Jump to solution

DavidHourani
Super Champion
‎06-18-2019 01:46 AM

Hi @ksakagaw,

Try setting API Host should to api.eu.amp.cisco.com.

seems like the same issue as : https://answers.splunk.com/answers/697574/how-to-configure-cisco-amp-for-endpoints-events-in.html

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎06-15-2019 04:15 PM

You would probably be better off posting to Cisco forums.

0 Karma
Reply
Solved! Jump to solution

ksakagaw
Explorer
‎06-15-2019 06:39 PM

Okay. Thanks for advice.

0 Karma
Reply
Get Updates on the Splunk Community!

Routing Data to Different Splunk Indexes in the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. The OpenTelemetry project is the second largest ...

Getting Started with AIOps: Event Correlation Basics and Alert Storm Detection in ...

Getting Started with AIOps:Event Correlation Basics and Alert Storm Detection in Splunk IT Service ...

Register to Attend BSides SPL 2022 - It's all Happening October 18!

Join like-minded individuals for technical sessions on everything Splunk!  This is a community-led and run ...