Status code 400 "Server failed to fulfill the request"

Article ID: 206365

Products

Cloud Secure Web Gateway - Cloud SWG

Issue/Introduction

The Splunk log collector receives HTTP error code 400 when trying to pull logs from the Cloud Secure Web Gateway REST API.

2021-01-11 14:10:46,070 INFO 140160265734080 - SWSS: Starting data collection...
2021-01-11 14:10:46,355 ERROR 140160265734080 - 2021-01-11 14:10:46 status=error, msg='Server failed to fulfill the request', code='400'
2021-01-11 14:11:46,067 INFO 140317862344640 - SWSS: Starting data collection...
2021-01-11 14:11:46,800 ERROR 140317862344640 - 2021-01-11 14:11:46 status=error, msg='Server failed to fulfill the request', code='400'

Manually downloading the logs from the Portal appears to be fine.

Environment

Cloud Secure Web Gateway
Splunk SIEM solution collecting logs using SyncAPI
Splunk WSS plugin downloaded and leveraged

Cause

Cause #1:

In this case the start date of the first API call was more than 30 days in the past: the startDate parameter corresponds to July 1 (convert the value with an epoch calculator to confirm) and endDate is 0, meaning "now". The 400 response states that the date range between startDate and endDate is too large.

The server's expected value was within 30 days, but it got 194 for customer xxxx.

Changing the start date resolves this.

[07/Jan/2021:22:48:47 +0000] "GET /reportpod/logs/sync?startDate=1593561600000&endDate=0&token=none HTTP/1.1" 400 609 "-" "Python-urllib/2.7" 0.069607 x.x.x.x:8080 "xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx"

Note: 1593561600000 corresponds to July 1 at 12 noon UTC.

Cause #2:

In a few cases the start date was defined correctly, within the allowed range, yet Splunk still reported error code 400. This is usually noticed after a Splunk version update or upgrade. The WSS side shows the same HTTP 400, but this time the start date is not the real cause.

[25/Jan/2022:19:38:15 +0000] "GET /reportpod/logs/sync?startDate=1643126400000&endDate=0&token=###################################### HTTP/1.1" 400 608 "-" "Python-urllib/2.7" 0.407237 x.x.x.x:8080 "xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx"
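The 30-day window rule behind Cause #1, as an added example (not Broadcom's or the Splunk TA's code): it parses a SyncAPI access-log line in the format shown above, converts the epoch-millisecond startDate to UTC, treats endDate=0 as the request time, and reports whether the window exceeds 30 days and whether a token was sent. The two sample lines inside it are constructed copies of the page's log lines with the token redacted; the 30-day limit is taken from the page.

```python
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs

# Cloud SWG SyncAPI rejects a startDate..endDate window wider than 30 days
# with HTTP 400 "Server failed to fulfill the request" (Cause #1).
MAX_WINDOW = timedelta(days=30)

# Access-log shape used on this page:
# [dd/Mon/yyyy:HH:MM:SS +0000] "GET <path> HTTP/1.1" <status> <bytes> ...
LOG_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] "GET (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3}) ')

# Constructed sample lines mirroring Cause #1 and Cause #2 (token redacted).
SAMPLE_CAUSE1 = ('[07/Jan/2021:22:48:47 +0000] "GET /reportpod/logs/sync'
                 '?startDate=1593561600000&endDate=0&token=none HTTP/1.1" '
                 '400 609 "-" "Python-urllib/2.7" 0.069607 x.x.x.x:8080 "id"')
SAMPLE_CAUSE2 = ('[25/Jan/2022:19:38:15 +0000] "GET /reportpod/logs/sync'
                 '?startDate=1643126400000&endDate=0&token=REDACTED HTTP/1.1" '
                 '400 608 "-" "Python-urllib/2.7" 0.407237 x.x.x.x:8080 "id"')


def epoch_ms_to_utc(ms: int) -> datetime:
    """SyncAPI dates are epoch milliseconds; return an aware UTC datetime."""
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc)


def check_sync_window(log_line: str) -> dict:
    """Report the requested window for one SyncAPI access-log line.
    endDate=0 means 'now', approximated here by the request timestamp."""
    m = LOG_RE.match(log_line)
    if not m:
        raise ValueError("not a SyncAPI access-log line")
    request_time = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    # Split the query by hand: urlparse would treat a '#' in a masked token
    # as a fragment marker and drop it.
    params = parse_qs(m.group("path").partition("?")[2], keep_blank_values=True)
    start = epoch_ms_to_utc(int(params["startDate"][0]))
    end_ms = int(params["endDate"][0])
    end = request_time if end_ms == 0 else epoch_ms_to_utc(end_ms)
    window = end - start
    return {
        "status": int(m.group("status")),
        "start_utc": start.isoformat(),
        "window_days": window.days,
        "window_too_large": window > MAX_WINDOW,
        "token_present": params.get("token", ["none"])[0] != "none",
    }


if __name__ == "__main__":
    for line in (SAMPLE_CAUSE1, SAMPLE_CAUSE2):
        print(check_sync_window(line))
```

A result with window_too_large False and status 400 points away from the date range and toward the token or data-input state described under Cause #2.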

Resolution

  1. Change the start time in the SyncAPI client request so that it is within 30 days of the current time. This resolves Cause #1. If that does not work, follow step 2.
  2. Follow the process below to reset the WSS SyncAPI token on Splunk:
    • Disable the current data input for WSS.
    • Find the "sync.token" file (on a Linux server: find / -iname "sync.token") and rename it to some other name (for example, append ".old"). That resets the token.
    • Add a new WSS data input and configure it with a start date and the other required data.
    • Check and confirm that data is now being downloaded.

Additional Information

The root cause was the Splunk TA app: when the customer recreated the Splunk app, the start date, token and other parameters were not updated.