I am setting up to "Cisco AMP for Endpoints Events Input" on windows 2016.
I think the following 3 credentials are correct because I can retrieve information using curl command with these credential.
-AMP for Endpoints API Host
-API Client ID
After I input the following credentials, I select "New Input" tab, The following message appears:
"Warning! We couldn’t retrieve the information from API with provided credentials. Please make sure the API host is accessible or re-configure the input with correct credentials."
Did I miss some setting?
Please advise me about the possible cause.
Have a look into the logfile (in our install, this was the path, you might have to look for it) /opt/splunk/var/log/splunk/amp4e_events_input.log
look for SSL-errors (supposedly someone screwed up the certificate-handling when packing this app)
did the Handshake-fix mentioned here: https://github.com/Cisco-AMP/amp4e_splunk_events_input/issues/5
did the ssl-shared-options-fix mentioned here: https://github.com/Cisco-AMP/amp4e_splunk_events_input/issues/12
This atleast got the log to connect and say " INFO Amp4eEvents - Connected. Starting to consume."
Try setting API Host should to api.eu.amp.cisco.com.
seems like the same issue as : https://answers.splunk.com/answers/697574/how-to-configure-cisco-amp-for-endpoints-events-in.html
You would probably be better off posting to Cisco forums.
Okay. Thanks for advice.