Splunk Web Security Service log collection returns a 400 error when using SyncAPI

Article ID: 206365

Updated On:

Products

Web Security Service - WSS

Issue/Introduction

The Splunk log collector receives error code 400 when trying to pull logs from Web Security Service (WSS):

2021-01-11 14:10:46,070 INFO 140160265734080 - SWSS: Starting data collection...
2021-01-11 14:10:46,355 ERROR 140160265734080 - 2021-01-11 14:10:46 status=error, msg='Server failed to fulfill the request', code='400'
2021-01-11 14:11:46,067 INFO 140317862344640 - SWSS: Starting data collection...
2021-01-11 14:11:46,800 ERROR 140317862344640 - 2021-01-11 14:11:46 status=error, msg='Server failed to fulfill the request', code='400'

Manually downloading the logs from the portal works fine.

Cause

The API start date of the first call is more than 30 days in the past: the startDate is July 1 (check the startDate parameter and convert it with an epoch calculator such as https://www.epochconverter.com/) while the endDate is 0 (now). The 400 response states:

message Date range between startDate and endDate is too big. Expected value within 30 days but got: 194 for customer xxxx

Only the start date needs to be changed.

Here's a snippet of the information available from the WSS side when the issue happens:
24.14.11.129 - - [07/Jan/2021:22:48:47 +0000] "GET /reportpod/logs/sync?startDate=1593561600000&endDate=0&token=none HTTP/1.1" 400 609 "-" "Python-urllib/2.7" 0.069607 10.2.56.33:8080 "fxxxxxxx-cxxx-4xxx-80xx-xxxxxe6bbb96"

1593561600000 corresponds to July 1 at 12 noon UTC.
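The check described above can be scripted rather than done by hand with an epoch calculator. The following is an added example, not code from this article, the Splunk WSS TA or the WSS SyncAPI: it pulls startDate/endDate out of a WSS access-log line like the one above, converts the epoch-millisecond values to UTC, measures the span against the 30-day limit quoted in the 400 response (treating endDate=0 as "now", as the request above does), and proposes a startDate that falls inside the window. The log line and the "now" timestamp are constructed from the values shown in this article; the 30-day limit and the endDate=0 convention are assumptions taken from the article text, not from SyncAPI documentation.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlparse

# Limit stated in the WSS 400 response body quoted in the article (assumption: fixed 30 days)
MAX_WINDOW = timedelta(days=30)

# Constructed sample: the request line from the article's WSS access-log snippet
SAMPLE_LOG = ('24.14.11.129 - - [07/Jan/2021:22:48:47 +0000] '
              '"GET /reportpod/logs/sync?startDate=1593561600000&endDate=0&token=none HTTP/1.1" '
              '400 609 "-" "Python-urllib/2.7"')

# Constructed "now": the timestamp of the first failing Splunk collection run in the article
SAMPLE_NOW = datetime(2021, 1, 11, 14, 10, 46, tzinfo=timezone.utc)


def sync_params(log_line):
    """Return (startDate, endDate) in epoch milliseconds from the GET request in an access-log line."""
    request = log_line.split('"')[1]          # text between the first pair of double quotes
    path = request.split()[1]                 # GET <path> HTTP/1.1
    query = parse_qs(urlparse(path).query)
    return int(query["startDate"][0]), int(query["endDate"][0])


def epoch_ms_to_utc(ms):
    """SyncAPI dates are epoch milliseconds; convert to an aware UTC datetime."""
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc)


def window_check(start_ms, end_ms, now=None):
    """Return (ok, whole_days): ok is False when the span exceeds MAX_WINDOW.

    endDate=0 is treated as 'now', matching the request shown in the article.
    """
    now = now or datetime.now(timezone.utc)
    start = epoch_ms_to_utc(start_ms)
    end = now if end_ms == 0 else epoch_ms_to_utc(end_ms)
    span = end - start
    return span <= MAX_WINDOW, span.days


def suggested_start_ms(now=None, margin=timedelta(days=1)):
    """A startDate inside the window: now minus (30 days - margin), as epoch milliseconds."""
    now = now or datetime.now(timezone.utc)
    return int((now - (MAX_WINDOW - margin)).timestamp() * 1000)


def diagnose(log_line, now=None):
    """One-line verdict for an access-log request, for use from a shell or a Splunk alert script."""
    start_ms, end_ms = sync_params(log_line)
    ok, days = window_check(start_ms, end_ms, now)
    start = epoch_ms_to_utc(start_ms).strftime("%Y-%m-%d %H:%M UTC")
    if ok:
        return f"startDate={start_ms} ({start}) is within {MAX_WINDOW.days} days ({days} days)"
    return (f"startDate={start_ms} ({start}) is {days} days back, over the {MAX_WINDOW.days}-day "
            f"limit; set startDate to at least {suggested_start_ms(now)}")


if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG, SAMPLE_NOW))
```

With the article's values the span comes out at 194 days, the same figure WSS reports in its error message, and the suggested replacement startDate lands 29 days before the collection time so the next call stays inside the window.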

Environment

WSS

Splunk SIEM solution collecting logs using SyncAPI

Splunk WSS plugin downloaded and leveraged

Resolution

Change the start time in the SyncAPI client request so that it falls within 30 days of the current time.

Additional Information

The issue is in the Splunk TA app: the customer recreated the Splunk app, and the start date parameter wasn't updated.