All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Cisco AMP for Endpoints Events Input: Cannot retrieve data despite correct credential input

ksakagaw
Explorer
‎06-15-2019 09:46 AM

Hello,

I am setting up to "Cisco AMP for Endpoints Events Input" on windows 2016.
I think the following 3 credentials are correct because I can retrieve information using curl command with these credential.

-AMP for Endpoints API Host
-API Client ID
-API Key

After I input the following credentials, I select "New Input" tab, The following message appears:

"Warning! We couldn’t retrieve the information from API with provided credentials. Please make sure the API host is accessible or re-configure the input with correct credentials."

Did I miss some setting?
Please advise me about the possible cause.

Best Regards

Reply
1 Solution
Solved! Jump to solution
Solution

alindkvist
Engager
‎06-26-2019 01:33 AM

Have a look into the logfile (in our install, this was the path, you might have to look for it) /opt/splunk/var/log/splunk/amp4e_events_input.log

look for SSL-errors (supposedly someone screwed up the certificate-handling when packing this app)

did the Handshake-fix mentioned here: https://github.com/Cisco-AMP/amp4e_splunk_events_input/issues/5

did the ssl-shared-options-fix mentioned here: https://github.com/Cisco-AMP/amp4e_splunk_events_input/issues/12

This atleast got the log to connect and say " INFO Amp4eEvents - Connected. Starting to consume."

View solution in original post

Reply
Solved! Jump to solution
Solution

alindkvist
Engager
‎06-26-2019 01:33 AM

Have a look into the logfile (in our install, this was the path, you might have to look for it) /opt/splunk/var/log/splunk/amp4e_events_input.log

look for SSL-errors (supposedly someone screwed up the certificate-handling when packing this app)

did the Handshake-fix mentioned here: https://github.com/Cisco-AMP/amp4e_splunk_events_input/issues/5

did the ssl-shared-options-fix mentioned here: https://github.com/Cisco-AMP/amp4e_splunk_events_input/issues/12

This atleast got the log to connect and say " INFO Amp4eEvents - Connected. Starting to consume."

Reply
Solved! Jump to solution

DavidHourani
Super Champion
‎06-18-2019 01:46 AM

Hi @ksakagaw,

Try setting API Host should to api.eu.amp.cisco.com.

seems like the same issue as : https://answers.splunk.com/answers/697574/how-to-configure-cisco-amp-for-endpoints-events-in.html

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎06-15-2019 04:15 PM

You would probably be better off posting to Cisco forums.

0 Karma
Reply
Solved! Jump to solution

ksakagaw
Explorer
‎06-15-2019 06:39 PM

Okay. Thanks for advice.

0 Karma
Reply
Get Updates on the Splunk Community!

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Your Next Big Security Credential: No Prerequisites Needed We know you’ve got the skills, and now, earning the ...

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Answers Content Calendar, July Edition I

Hello Community! Welcome to another month of Community Content Calendar series! For the month of July, we will ...