I got some problems with refreshing the access token of the Splunk addon for box. I don't know if this should be normally done by the addon?
So every hour my connection to Box fails and I have to restart Splunk manually to get it working again. My goal is to monitor Box 24/7.
Currently, as a workaround, I am trying to search for errors in the logs and restart Splunk with a script, but even this is not working. As far as I can see, the add-on stops writing to the logs, and that's why my alert searching for terms like "error, refresh token" is not triggered.
I have had no response in these server logs for 4 hours. Sometimes it's working overnight. Sometimes not.
Any help is appreciated!
Regards
index="_internal" source="/opt/splunk/var/log/splunk/ta_box.log" error
2016-01-22 10:37:26,760 ERROR 140673298708224 - Failed to connect https://api.box.com/2.0/events?stream_type=admin_logs&limit=500&stream_position=1453446926495;7f7aac36-5e11-488f-b343-9b24eda9e381&created_after=2016-01-22T07:58:05-00:00&created_before=2016-01-22T09:37:26-00:00, reason=Unauthorized,
2016-01-22 10:37:22,299 ERROR 140673307100928 - Failed to connect https://api.box.com/2.0/folders/0/items?limit=500&offset=0&fields=type,id,name,size,sequence_id,etag,item_status,permissions,created_at,modified_at,has_collaborations,can_non_owners_invite,tags,created_by,modified_by,parent, reason=Unauthorized,
2016-01-22 10:36:57,317 ERROR 140673315493632 - Failed to connect https://api.box.com/2.0/events?stream_type=admin_logs&limit=500&stream_position=1453446926495;7f7aac36-5e11-488f-b343-9b24eda9e381&created_after=2016-01-22T07:58:05-00:00&created_before=2016-01-22T09:36:56-00:00, reason=Unauthorized,
2016-01-22 10:36:50,362 ERROR 140673323886336 - Failed to connect https://api.box.com/2.0/groups?limit=500&offset=0, reason=Unauthorized,
index="_internal" source="/opt/splunk/var/log/splunk/ta_box.log" token
2016-01-22 10:37:27,119 INFO 140673298708224 - End of refreshing access token.
2016-01-22 10:37:26,760 INFO 140673298708224 - Access token has been expired, refreshing
2016-01-22 10:37:22,300 INFO 140673307100928 - Access token has been expired, refreshing
2016-01-22 10:36:57,318 INFO 140673315493632 - Access token has been expired, refreshing
2016-01-22 10:36:50,362 INFO 140673323886336 - Access token has been expired, refreshing
2016-01-22 10:36:49,102 INFO 140673332279040 - End of refreshing access token.
2016-01-22 10:36:48,361 INFO 140673332279040 - Access token has been expired, refreshing
2016-01-22 08:57:37,868 INFO 140442830190336 - Access token has been expired, refreshing
my alerts are working...sometimes
source = /opt/splunk/var/log/splunk/python.log
2016-01-22 10:37:27,376 +0100 INFO runshellscript:188 - runshellscript: ['/bin/bash', '/opt/splunk/bin/scripts/restarttest', '1', 'index="_internal" source="/opt/splunk/var/log/splunk/ta_box.log" token', 'index="_internal" source="/opt/splunk/var/log/splunk/ta_box.log" token', 'error access token refresh', 'Saved Search [error access token refresh] always(1)', 'https://newbox:8000/app/search/search?q=%7Cloadjob%20rt_scheduler__admin__search__RMD563f61171f01b63e4_at_1453455387_1.0%20%7C%20head%201%20%7C%20tail%201&earliest=0&latest=now', '', '/opt/splunk/var/run/splunk/dispatch/rt_scheduler__admin__search__RMD563f61171f01b63e4_at_1453455387_1.0/per_result_alert/tmp_0.csv.gz']
2016-01-22 10:37:27,375 +0100 INFO runshellscript:129 - ['/opt/splunk/bin/scripts/restarttest', '1', 'index="_internal" source="/opt/splunk/var/log/splunk/ta_box.log" token', 'index="_internal" source="/opt/splunk/var/log/splunk/ta_box.log" token', 'error access token refresh', 'Saved Search [error access token refresh] always(1)', 'https://newbox:8000/app/search/search?q=%7Cloadjob%20rt_scheduler__admin__search__RMD563f61171f01b63e4_at_1453455387_1.0%20%7C%20head%201%20%7C%20tail%201&earliest=0&latest=now', '', '/opt/splunk/var/run/splunk/dispatch/rt_scheduler__admin__search__RMD563f61171f01b63e4_at_1453455387_1.0/per_result_alert/tmp_0.csv.gz']
Looking at those logs, it looks like you don't have permission to reauthorize. DEBUG level logging would probably clarify that. A fairly common issue is picking up your personal account from a browser cookie or something instead of the service account that you meant to use, maybe try a different browser than you usually use when setting it up?
Tried with a new browser and set it up anew - debug log level:
host = newbox source = /opt/splunk/var/log/splunk/ta_box.log sourcetype = ta_box.log.save
2016-01-25 17:51:15,135 ERROR 139793822406400 - Failed to connect https://api.box.com/2.0/events?stream_type=admin_logs&limit=500&stream_position=0&created_after=2015-05-31T13:04:20-00:00&created_before=2015-06-01T13:04:20-00:00, reason=Unauthorized,
2016-01-25 17:51:13,199 ERROR 139793830799104 - Failed to connect https://api.box.com/2.0/folders/0/items?limit=500&offset=0&fields=type,id,name,size,sequence_id,etag,item_status,permissions,created_at,modified_at,has_collaborations,can_non_owners_invite,tags,created_by,modified_by,parent, reason=Unauthorized,
2016-01-25 17:50:45,220 ERROR 139793839191808 - Failed to connect https://api.box.com/2.0/users?limit=500&offset=0&fields=type,id,name,login,created_at,modified_at,role,timezone,space_amount,space_used,max_upload_size,can_see_managed_users,is_external_collab_restricted,status,job_title,phone,address,avatar_url,is_exempt_from_device_limits,is_exempt_from_login_verification,enterprise,my_tags, reason=Unauthorized,
2016-01-25 17:50:31,161 ERROR 139793847584512 - Failed to connect https://api.box.com/2.0/groups?limit=500&offset=0, reason=Unauthorized,
index="_internal" source="/opt/splunk/var/log/splunk/ta_box.log" token
2016-01-25 17:51:15,135 INFO 139793822406400 - Access token has been expired, refreshing
2016-01-25 17:51:13,199 INFO 139793830799104 - Access token has been expired, refreshing
2016-01-25 17:50:45,221 INFO 139793839191808 - Access token has been expired, refreshing
2016-01-25 17:50:31,715 INFO 139793847584512 - End of refreshing access token.
2016-01-25 17:50:31,675 DEBUG 139793847584512 - end https://api.box.com/oauth2/token
2016-01-25 17:50:31,161 DEBUG 139793847584512 - start https://api.box.com/oauth2/token
2016-01-25 17:50:31,161 INFO 139793847584512 - Access token has been expired, refreshing
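An added example, not part of the original thread and not the add-on's own code: a small parser for the ta_box.log layout quoted above that pairs each thread's "refreshing" message with its "End of refreshing" message and measures how long the log has been silent. The sample lines are constructed from the thread's excerpts with URLs shortened, and the function names are hypothetical.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: lines in the ta_box.log layout quoted in the thread
# (timestamp, level, thread id, message), with the request URLs shortened.
SAMPLE = """\
2016-01-25 17:50:31,161 INFO 139793847584512 - Access token has been expired, refreshing
2016-01-25 17:50:31,161 ERROR 139793847584512 - Failed to connect https://api.box.com/2.0/groups, reason=Unauthorized,
2016-01-25 17:50:31,715 INFO 139793847584512 - End of refreshing access token.
2016-01-25 17:50:45,220 ERROR 139793839191808 - Failed to connect https://api.box.com/2.0/users, reason=Unauthorized,
2016-01-25 17:50:45,221 INFO 139793839191808 - Access token has been expired, refreshing
2016-01-25 17:51:13,199 ERROR 139793830799104 - Failed to connect https://api.box.com/2.0/folders/0/items, reason=Unauthorized,
2016-01-25 17:51:13,199 INFO 139793830799104 - Access token has been expired, refreshing
"""
LINE = re.compile(r"^(\S+ \S+) (\w+) (\d+) - (.*)$")
FMT = "%Y-%m-%d %H:%M:%S,%f"

def summarize(text):
    """Per thread id: refreshes started, refreshes ended, Unauthorized errors."""
    stats = defaultdict(lambda: {"started": 0, "ended": 0, "unauthorized": 0})
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip anything that is not in the add-on's log layout
        _, level, tid, msg = m.groups()
        if msg.startswith("Access token has been expired"):
            stats[tid]["started"] += 1
        elif msg.startswith("End of refreshing access token"):
            stats[tid]["ended"] += 1
        elif level == "ERROR" and "reason=Unauthorized" in msg:
            stats[tid]["unauthorized"] += 1
    return dict(stats)

def stuck_threads(stats):
    """Thread ids that logged a refresh start with no matching end."""
    return sorted(t for t, s in stats.items() if s["started"] > s["ended"])

def silence_seconds(text, now):
    """Seconds between the newest log line and `now`; None if no line parsed."""
    stamps = [datetime.strptime(m.group(1), FMT)
              for m in map(LINE.match, text.splitlines()) if m]
    return (now - max(stamps)).total_seconds() if stamps else None

if __name__ == "__main__":
    stats = summarize(SAMPLE)
    print("refresh started but never finished:", stuck_threads(stats))
    print("seconds of silence:", silence_seconds(SAMPLE, datetime(2016, 1, 25, 21, 51, 13, 199000)))
```

The silence check covers the case described in the question, where the add-on stops writing to the log and a keyword-based alert therefore has nothing to match.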
Hey Adrian, running into similar issue - can you please share how you got around this problem?
Thanks!
Hey, thx for your reply - I am testing it. Is this add-on used to handle the refresh tokens automatically or not?