
Splunk not receiving logs via SyncAPI from additional Web Security Service tenants


Article ID: 175715


Products

Cloud Secure Web Gateway - Cloud SWG

Issue/Introduction

A single Splunk instance uses the SyncAPI function to request logs from more than one Web Security Service (WSS) tenant (account). Splunk pulls logs successfully from one WSS tenant but not from the other(s), even though WSS confirms that it receives the API requests for every tenant, each carrying that tenant's own credentials.

Environment

Web Security Service 

Cause

The Splunk instance places the same sync token in its API requests regardless of which WSS tenant it is requesting logs from. The requests for the tenant whose logs are not retrieved are rejected because they carry the same token as the requests for the working tenant but present different credentials.

Resolution

Possible solutions are to write custom scripts that request the logs through the SyncAPI (without using the WSS Splunk plugin) and feed them to Splunk, or to request each additional tenant's logs from a different Splunk instance.
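The failing single-token pattern beside a per-tenant token store, as an added Python example (not Splunk's, Broadcom's, or the WSS plugin's code) for the Cause and Resolution above. The SyncAPI call shape, the "none" first-request marker and the token format are assumed placeholders, and the WSS side is a constructed simulation; the real endpoint and headers are in the Log Sync Brief, not on this page.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Tenant:
    name: str       # label used for per-tenant state
    username: str   # WSS API credential (placeholder values only)
# One SyncAPI call modelled as (tenant, token) -> (log lines, next token); the
# real endpoint, headers and token format come from the Log Sync Brief.
FetchFn = Callable[[Tenant, str], Tuple[List[str], str]]
@dataclass
class TokenStore:
    """Sync token kept per tenant, which the single-token plugin lacks."""
    tokens: Dict[str, str] = field(default_factory=dict)
    def get(self, t: Tenant) -> str:
        return self.tokens.get(t.name, "none")  # assumed first-request marker
    def put(self, t: Tenant, token: str) -> None:
        self.tokens[t.name] = token
def poll_with_shared_token(tenants: List[Tenant], fetch: FetchFn) -> Dict[str, Optional[List[str]]]:
    """Failing pattern from the article: one token reused for every tenant."""
    token, out = "none", {}
    for t in tenants:
        try:
            lines, token = fetch(t, token)
            out[t.name] = lines
        except PermissionError:
            out[t.name] = None  # rejected: the token came from another tenant
    return out
def poll_per_tenant(tenants: List[Tenant], store: TokenStore, fetch: FetchFn) -> Dict[str, List[str]]:
    """Corrected pattern: each request carries its own tenant's token."""
    out = {}
    for t in tenants:
        lines, next_token = fetch(t, store.get(t))
        store.put(t, next_token)
        out[t.name] = lines
    return out

class SimulatedSyncApi:
    """Constructed stand-in for WSS (not the real service): a token is bound to
    the credentials that obtained it and is rejected with any other credentials."""
    def __init__(self) -> None:
        self.issued: Dict[str, str] = {}  # token -> username it was issued to
        self.calls = 0
    def __call__(self, t: Tenant, token: str) -> Tuple[List[str], str]:
        if token != "none" and self.issued.get(token) != t.username:
            raise PermissionError(f"{token} was not issued to {t.username}")
        self.calls += 1
        new_token = f"tok-{self.calls}"
        self.issued[new_token] = t.username
        return [f"{t.name}: constructed log line {self.calls}"], new_token
```

Run `poll_per_tenant` on a schedule with a persisted `TokenStore` and forward the returned lines to Splunk; the shared-token function is kept only to show why the second tenant's requests are rejected.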

See documentation about the SyncAPI function for further information on its format: Web Security Service: Near Real-Time Log Sync Brief