Http logs collector example not working


L0 Member

Hi,
I hope this is the right place to ask this question.
We were given a temp user to play around with Cortex XDR and we are trying to insert some dummy data into it.

I am trying to insert data using an HTTP logs collector, following this guide.
Unfortunately, the example in the guide seems to be incorrect.

I created a custom collector of HTTP type and got an API key.
The compression is "gzip" and the log format is "JSON" (but I also tried RAW and CEF).

When pressing "View Example" I'm given the following code:
curl -X POST https://api-nl.xdr.us.paloaltonetworks.com/logs/v1/event -H 'Authorization: {api_key}' -H 'Content-Type: text/plain' -d '{"example1": "test", "timestamp": 1609100113039}
{"example2": [12321,546456,45687,1]}'

1. The given curl command is not valid on Windows; all single quotes need to be changed to double quotes.
2. When fixing this and sending this curl command:
curl -X POST https://api-nl.xdr.us.paloaltonetworks.com/logs/v1/event -H "Authorization:{api_key}" -H "Content-Type:text/plain" -d "{"example1": "test", "timestamp": 1609100113039}\n{"example2": [12321,546456,45687,1]}" -v
(the "{api_key}" is replaced by the actual key)
I'm getting error code 500 and the message: {"error":"error processing request, error: failed to process the request"}

Full log:
C:\Users\AmirD>curl -X POST https://api-nl.xdr.us.paloaltonetworks.com/logs/v1/event -H "Authorization:{api_key}" -H "Content-Type:text/plain" -d "{"example1": "test", "timestamp": 1609100113039}\n{"example2": [12321,546456,45687,1]}" -v
Note: Unnecessary use of -X or --request, POST is already inferred.
*   Trying 35.222.81.194:443...
* Connected to api-nl.xdr.us.paloaltonetworks.com (35.222.81.194) port 443 (#0)
* schannel: disabled automatic use of client certificate
* schannel: ALPN, offering http/1.1
* schannel: ALPN, server accepted to use http/1.1
> POST /logs/v1/event HTTP/1.1
> Host: api-nl.xdr.us.paloaltonetworks.com
> User-Agent: curl/7.79.1
> Accept: */*
> Authorization:Mjp5cmYzVHVFUk5sOWJvSnR3SlR0TWppakxNQ21mUmMxM0F6dG12VlVzbEFSNUdVSmFVRzUyQVl0MFRjMzhxcGJvUnc3WFhxYkdoNUxFMHpWSlp1Sm5GenRaWjVCTER4RHQ4Q1VDUzJ0ZDA4akVZWVBlWkJKRVIwUFNFWmtQcDlCNQ==
> Content-Type:text/plain
> Content-Length: 78
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 500 Internal Server Error
< Date: Sun, 08 May 2022 14:31:04 GMT
< Content-Type: application/json; charset=UTF-8
< Content-Length: 74
< Connection: keep-alive
< Strict-Transport-Security: max-age=15724800; includeSubDomains
<
{"error":"error processing request, error: failed to process the request"}* Connection #0 to host api-nl.xdr.us.paloaltonetworks.com left intact

I also tried sending a request from Postman - same result.
I tried to send the content type as text/plain and as application/json - no luck.
I tried to change the HTTP collector to CEF format and send the following text:
"CEF:0|NL|NLMOT|1.0.0.0|Executable Code was Detected|Advanced exploit detected|100|src=192.168.255.110 spt=46117 dst=172.25.212.204 dpt=80" but no luck.

What am I doing wrong? Who can assist us with this error?

Thanks
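An added example (Python, not code from this thread or from Palo Alto Networks) that models what the Windows command above actually sent. The prompt "C:\Users\AmirD>" and the "User-Agent: curl/7.79.1" in the verbose log show native curl.exe being run from cmd.exe, where a double quote inside a double-quoted argument is consumed as a delimiter instead of being passed through, and "\n" stays the two literal characters backslash and n. The "Content-Length: 78" in the log is exactly the example body (86 characters with a literal "\n") minus its eight double quotes, so the collector received {example1: test, ...}, which is not JSON. The script reproduces that, adds a per-line JSON check to run before posting, and sends with the endpoint and headers from the tenant's own example. The environment variable name XDR_API_KEY, the function names and the injectable opener are this example's own assumptions.

```python
"""Added example (not code from the thread or from Palo Alto Networks).

Shows (1) what the Windows command in the question actually transmitted,
(2) a line-by-line JSON check to run before posting, and (3) a POST that
uses the endpoint and headers from the tenant's curl example.
"""
import json
import os
import sys
import urllib.request

# Endpoint and header names copied from the question's curl example. The host
# is the questioner's tenant; substitute your own.
COLLECTOR_URL = "https://api-nl.xdr.us.paloaltonetworks.com/logs/v1/event"

# The "View Example" body from the question. In the Linux single-quoted
# command the two objects are separated by a real newline.
EXAMPLE_BODY = (
    '{"example1": "test", "timestamp": 1609100113039}\n'
    '{"example2": [12321,546456,45687,1]}'
)

# Constructed sample events with the same shape as the example body.
SAMPLE_EVENTS = [
    {"example1": "test", "timestamp": 1609100113039},
    {"example2": [12321, 546456, 45687, 1]},
]


def as_cmd_received(body):
    """Model what the Windows rewrite in the question sent: the newline became
    the two literal characters backslash and n, and every unescaped double
    quote inside the -d argument was consumed as an argument delimiter by
    Windows command-line parsing instead of reaching the request body."""
    return body.replace("\n", "\\n").replace('"', "")


def check_ndjson(body):
    """Pre-send check: every non-empty line must parse as a JSON object.
    Returns (True, None) or (False, <first bad line number>)."""
    for lineno, line in enumerate(body.splitlines(), start=1):
        if not line.strip():
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            return False, lineno
        if not isinstance(obj, dict):
            return False, lineno
    return True, None


def build_ndjson(events):
    """Serialise events as newline-delimited JSON. json.dumps produces the
    quotes itself, so no shell quoting is involved at all."""
    return "\n".join(json.dumps(event) for event in events)


def send_events(events, api_key, url=COLLECTOR_URL, opener=None):
    """POST the events; headers mirror the tenant's curl example.
    'opener' is injectable (an assumption of this example) so the request can
    be inspected offline; by default a real urllib opener is used."""
    body = build_ndjson(events)
    ok, bad_line = check_ndjson(body)
    if not ok:
        raise ValueError(f"line {bad_line} of the body is not a JSON object")
    request = urllib.request.Request(
        url,
        data=body.encode("utf-8"),
        headers={"Authorization": api_key, "Content-Type": "text/plain"},
        method="POST",
    )
    opener = opener or urllib.request.build_opener()
    with opener.open(request, timeout=30) as response:
        return response.status, response.read().decode("utf-8", "replace")


if __name__ == "__main__":
    broken = as_cmd_received(EXAMPLE_BODY)
    print(f"body the Windows command sent ({len(broken)} bytes):", broken)
    print("parses as NDJSON?", check_ndjson(broken))  # (False, 1)
    print("correct body parses as NDJSON?", check_ndjson(EXAMPLE_BODY))  # (True, None)
    # Keep the key out of the command line and out of shell history: read it
    # from the environment (XDR_API_KEY is this example's own name).
    api_key = os.environ.get("XDR_API_KEY")
    if api_key:
        print(send_events(SAMPLE_EVENTS, api_key))
    else:
        print("XDR_API_KEY not set; nothing was posted", file=sys.stderr)
```

Run it with no environment variable set to see the 78-byte quote-stripped body and the failing check, then with XDR_API_KEY exported to actually post. Building the body in code rather than on the command line sidesteps both the cmd.exe quoting and the literal backslash-n, and reading the key from the environment keeps it out of shell history and out of verbose logs like the one pasted above, where the Authorization header value is visible in full.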

L5 Sessionator

Hi @MMenachem , 

Here's what I tried:

Set up an HTTP Collector

[screenshot: bbarmanroy_0-1652157321280.png]

I was able to send some data with Postman (see my configuration below)

[screenshot: bbarmanroy_1-1652157372885.png]
[screenshot: bbarmanroy_2-1652157427375.png]

And using native curl (also generated from Postman):

[screenshot: bbarmanroy_3-1652157539022.png]

And with PowerShell native requests (also generated from Postman):

[screenshot: bbarmanroy_4-1652157601050.png]

Here's the data when queried from XQL:

[screenshot: bbarmanroy_5-1652157649057.png]

I recommend you review your configuration - I'd start with Postman and then build your use cases from there. The example curl command in the tenant is for Linux - the curl provided in Windows is actually a PowerShell cmdlet alias.
