- Apps and Add-ons
- :
- All Apps and Add-ons
- :
- Cybereason for Splunk - no data coming through, no...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Cybereason for Splunk - no data coming through, no errors in logs
Hi,
I've done a clean Splunk Enterprise 7.1 install on CentOS 7 and Splunk itself is working correctly.
Following the instructions for installing Cybereason for Splunk to my existing Cybereason instance using credentials that I'm working on, there is no data being pulled in, and I can find no errors anywhere. Health dashboard just has no data. I have install the Input Add on as well as per instructions.
Any ideas if there is anything wrong? I can see the server contacting the Cybereason instance every 300 seconds as configured, but can't tell what it's pulling in (nothing if I believe what's in the index).
Is there a special CR user I need to be connecting with (API user?) or should any user be fine?
Any help would be great.
Thanks
Chris
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@pkellyz , my issue was the account I was using had MFA enabled. Once I used a non-api account with MFA disabled, it worked fine. So @timm747747 was correct for my issue.,@pkellyz, the problem I had was the user had MFA enabled. I had another non-api user account with no MFA and all worked perfectly fine. I haven't done anything with it since though.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@chrispols Did you even figure out what was going on with your Cybereason app for Slunk? If so, where did you receive assistance? I'm getting a bit of a runaround from Cybereason support and I'm at my wits end.
Mine was setup and working but stopped working. I assumed the most likely cause was a changed password on the user account used in the modular input. I created a dedicated API user in the Cybereason dashboard to prevent this from happening in the future and updated the creds in the app.
However I am getting an error in the logs:
message="unknown Exception No JSON object could be decoded:
I assumed this means the data being returned by the API isn't valid. CR support is telling me it's an authentication issue! (????)
Anything you can provide or suggest is appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Any user should be fine as long as you don't have MFA setup for the user in CR. I have the IA setup on my HF, the App on my SH's and the TA on my indexers. I don't use the "api user".
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
