Http logs collector example not working

Showing results for 
Show  only  | Search instead for 
Did you mean: 
Please sign in to see details of an important advisory in our Customer Advisories area.

Http logs collector example not working

L0 Member

hope this is the right place to ask this question
We were given a temp user to play around with the Cortex XDR and we are trying to insert some dummy data into it.

I am trying to insert data using an Http logs collector, following this guide
unfortunately, the example in the guide seems to be incorrect.

I created a custom collector of HTTP type and got an API key.
the comparison is "gzip" and the log format is "JSON" (but also tried RAW and CEF)

when pressing "View Example" I'm given the following code:
curl -X POST -H 'Authorization: {api_key}' -H 'Content-Type: text/plain' -d '{"example1": "test", "timestamp": 1609100113039}
{"example2": [12321,546456,45687,1]}'

1.The given CURL is not valid on windows. need to change all single quote to double quotes
2. when fixing this and sending this CURL
curl -X POST -H "Authorization:{api_key}" -H "Content-Type:text/plain" -d "{"example1": "test", "timestamp": 1609100113039}\n{"example2": [12321,546456,45687,1]}" -v
(the "{api_key}" is replaced by the actual key)
I'm getting error code 500 and message: " {"error":"error processing request, error: failed to process the request"}

Full log:
C:\Users\AmirD>curl -X POST -H "Authorization:{api_key}" -H "Content-Type:text/plain" -d "{"example1": "test", "timestamp": 1609100113039}\n{"example2": [12321,546456,45687,1]}" -v
Note: Unnecessary use of -X or --request, POST is already inferred.
*   Trying
* Connected to ( port 443 (#0)
* schannel: disabled automatic use of client certificate
* schannel: ALPN, offering http/1.1
* schannel: ALPN, server accepted to use http/1.1
> POST /logs/v1/event HTTP/1.1
> Host:
> User-Agent: curl/7.79.1
> Accept: */*
> Content-Type:text/plain
> Content-Length: 78
* Mark bundle as not supporting multiuse
< HTTP/1.1 500 Internal Server Error
< Date: Sun, 08 May 2022 14:31:04 GMT
< Content-Type: application/json; charset=UTF-8
< Content-Length: 74
< Connection: keep-alive
< Strict-Transport-Security: max-age=15724800; includeSubDomains
{"error":"error processing request, error: failed to process the request"}* Connection #0 to host left intact

Also tried sending a request from POSTMAN - same result.
tried to send content type as text/plain and as application/json - no luck.
tried to change the HTTP collector to CEF format and send the following text: 
"CEF:0|NL|NLMOT||Executable Code was Detected|Advanced exploit detected|100|src= spt=46117 dst= dpt=80"  but no luck

What am I doing wrong? who can assist us with this error?


L5 Sessionator

Hi @MMenachem , 

Here's what I tried :

Set up a HTTP Collector



I was able to send some data with Postman (see my configuration below)



And using native curl (also generated from Postman):



And with Powershell native requests (also generated from Postman):




Here's the data when queried from XQL:




I recommend you to review your configuration - I'd start with Postman and then build your use cases from there. The example curl command in the tenant is for Linux - the curl provided in Windows is actually a powershell cmdlet alias.



  • 1 replies
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!