PSC: CB Defense Syslog connector returning 401 errors
Article ID: 285615

Products

Carbon Black Cloud Endpoint Standard (formerly Cb Defense)

Issue/Introduction

  • 401 errors showing in /var/log/cb/integrations/cb-defense-syslog/cb-defense-syslog.log
    INFO:__main__:Handling notifications for https://<API_URL>
    INFO:__main__:Attempting to connect to url: https://<API_URL>
    INFO:__main__:connectorID = 111111111
    INFO:__main__:<Response [401]>
    WARNING:__main__:Authentication failed check config file for proper Connector ID and API key
    __main__ - INFO - Found 1 Cb Defense Servers in config file
    __main__ - INFO - Handling notifications for https://<API_URL>
    __main__ - INFO - Attempting to connect to url: https://<API_URL>
    __main__ - INFO - connectorID = 111111111
    __main__ - INFO - <Response [401]>
    __main__ - WARNING - Received unexpected (or no) response from Cb Defense Server https://<API_URL>. Proceeding to next connector

Environment

  • PSC Console: All Versions
    • CB Defense
    • CB ThreatHunter
  • CB Defense Syslog Connector
    • Linux: All Supported Versions

Cause

  • API ID (formerly Connector ID) and/or API Secret Key (formerly API Key) set incorrectly in cb-defense-syslog.conf
  • Authorized IP incorrect (Settings > API Keys)
  • API Key not set as a Subscriber on any Notifications (Settings > Notifications)

Resolution

1. Check configuration on Linux Receiver

  1. Open /etc/cb/integrations/cb-defense-syslog/cb-defense-syslog.conf
  2. Verify API ID is set correctly
    #
    # CB Defense Connector ID
    #
    connector_id = {API_ID}
  3. Verify API Secret Key is set correctly
    #
    # CB Defense API Key
    #
    api_key = {API_SECRET_KEY}
  4. Verify Server URL is set correctly
    #
    # CB Defense Server URL
    # NOTE: this is not the url to the web ui, but to the url of sensor checkins
    #
    server_url = https://<API_URL>

2. Verify settings in PSC Console

  1. Go to Settings > API Keys (formerly Settings > Connectors)
  2. Find the correct API Key (Access Level: SIEM)
  3. Remove any entries in Authorized IP
  4. Verify API ID (formerly Connector ID)
  5. Verify API Secret Key (formerly API Key) by clicking down-arrow at far-right and selecting API Credentials
  6. Go to Settings > Notifications
  7. Ensure the API ID is set as a Subscriber on at least one Notification (add to or create one if necessary)

3. Run the connector on the Linux Receiver

  1. Run the connector as root
    /usr/share/cb/integrations/cb-defense-syslog/cb-defense-syslog --config-file /etc/cb/integrations/cb-defense-syslog/cb-defense-syslog.conf --log-file /var/log/cb/integrations/cb-defense-syslog/cb-defense-syslog.log
  2. Check cb-defense-syslog.log
    cat /var/log/cb/integrations/cb-defense-syslog/cb-defense-syslog.log
  3. Log should now reflect a 200 response
    INFO:__main__:Handling notifications for https://api-eap01.conferdeploy.net
    INFO:__main__:Attempting to connect to url: https://api-eap01.conferdeploy.net
    INFO:__main__:connectorID = ABCDE12345
    INFO:__main__:<Response [200]>
    INFO:__main__:sessionId = 123-123456ABCDEF
    INFO:__main__:<Response [200]>
    INFO:__main__:successfully connected, no alerts at this time
    INFO:__main__:There are no messages to forward to host
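As an added example (not code from the article or from the connector itself), the following script performs the two checks the steps above ask for: it reads connector_id, api_key and server_url out of cb-defense-syslog.conf and flags any that are missing or still at their placeholder value, then walks the connector log in both line formats shown above and pairs each 401 with the server URL and connectorID logged before it. The [cbdefense1] section name and the sample values are assumptions.

```python
import re

# Constructed sample config; the [cbdefense1] section name is an assumption, keys as in the article
SAMPLE_CONF = """\
[cbdefense1]
# CB Defense Connector ID
connector_id = {API_ID}
api_key = abcdefghijklmnop
server_url = https://api-eap01.conferdeploy.net
"""
# Constructed sample log in both line formats the connector has used
SAMPLE_LOG = """\
INFO:__main__:Handling notifications for https://api-eap01.conferdeploy.net
INFO:__main__:connectorID = 111111111
INFO:__main__:<Response [401]>
__main__ - INFO - Handling notifications for https://api-eap01.conferdeploy.net
__main__ - INFO - connectorID = ABCDE12345
__main__ - INFO - <Response [200]>
"""
PLACEHOLDERS = {"{API_ID}", "{API_SECRET_KEY}", "<API_URL>", ""}
URL_RE = re.compile(r"Handling notifications for (https?://\S+)")
CONNECTOR_RE = re.compile(r"connectorID = (\S+)")
RESPONSE_RE = re.compile(r"<Response \[(\d{3})\]>")

def check_config(conf_text: str) -> list[str]:
    """Flag keys that are absent, still at their placeholder, or (server_url) not https."""
    values = {}
    for line in (raw.strip() for raw in conf_text.splitlines()):
        if line and not line.startswith(("#", "[")):  # skip comments and section headers
            key, sep, val = line.partition("=")
            if sep:
                values[key.strip()] = val.strip()
    problems = []
    for key in ("connector_id", "api_key", "server_url"):
        if values.get(key, "") in PLACEHOLDERS:
            problems.append(f"{key} is missing or still set to its placeholder")
    if values.get("server_url") and not values["server_url"].startswith("https://"):
        problems.append("server_url must be the https:// API URL, not the web UI URL")
    return problems

def auth_failures(log_text: str) -> list[dict[str, str]]:
    """Pair each <Response [code]> with the URL and connectorID logged before it; return the 401s."""
    url, connector, failures = None, None, []
    for line in log_text.splitlines():
        if m := URL_RE.search(line):
            url = m.group(1)
        elif m := CONNECTOR_RE.search(line):
            connector = m.group(1)
        elif (m := RESPONSE_RE.search(line)) and m.group(1) == "401":
            failures.append({"server_url": url, "connector_id": connector})
    return failures
```

Point check_config at the real conf file and auth_failures at the real log to see which connector entry is still being rejected before re-running the connector.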

Additional Information

If the above steps do not resolve the 401 errors, please open a Support Case noting the troubleshooting steps taken from this article.