Http logs collector example not working

MMenachem · ‎05-08-2022

Hi
hope this is the right place to ask this question
We were given a temp user to play around with the Cortex XDR and we are trying to insert some dummy data into it.

I am trying to insert data using an Http logs collector, following this guide
unfortunately, the example in the guide seems to be incorrect.

I created a custom collector of HTTP type and got an API key.

the comparison is "gzip" and the log format is "JSON" (but also tried RAW and CEF)

the API URL is: https://api-nl.xdr.us.paloaltonetworks.com/logs/v1/event

when pressing "View Example" I'm given the following code:
curl -X POST https://api-nl.xdr.us.paloaltonetworks.com/logs/v1/event -H 'Authorization: {api_key}' -H 'Content-Type: text/plain' -d '{"example1": "test", "timestamp": 1609100113039}
{"example2": [12321,546456,45687,1]}'

1.The given CURL is not valid on windows. need to change all single quote to double quotes

2. when fixing this and sending this CURL

curl -X POST https://api-nl.xdr.us.paloaltonetworks.com/logs/v1/event -H "Authorization:{api_key}" -H "Content-Type:text/plain" -d "{"example1": "test", "timestamp": 1609100113039}\n{"example2": [12321,546456,45687,1]}" -v
(the "{api_key}" is replaced by the actual key)
I'm getting error code 500 and message: " {"error":"error processing request, error: failed to process the request"}

Full log:
C:\Users\AmirD>curl -X POST https://api-nl.xdr.us.paloaltonetworks.com/logs/v1/event -H "Authorization:{api_key}" -H "Content-Type:text/plain" -d "{"example1": "test", "timestamp": 1609100113039}\n{"example2": [12321,546456,45687,1]}" -v
Note: Unnecessary use of -X or --request, POST is already inferred.
* Trying 35.222.81.194:443...
* Connected to api-nl.xdr.us.paloaltonetworks.com (35.222.81.194) port 443 (#0)
* schannel: disabled automatic use of client certificate
* schannel: ALPN, offering http/1.1
* schannel: ALPN, server accepted to use http/1.1
> POST /logs/v1/event HTTP/1.1
> Host: api-nl.xdr.us.paloaltonetworks.com
> User-Agent: curl/7.79.1
> Accept: */*
> Authorization:Mjp5cmYzVHVFUk5sOWJvSnR3SlR0TWppakxNQ21mUmMxM0F6dG12VlVzbEFSNUdVSmFVRzUyQVl0MFRjMzhxcGJvUnc3WFhxYkdoNUxFMHpWSlp1Sm5GenRaWjVCTER4RHQ4Q1VDUzJ0ZDA4akVZWVBlWkJKRVIwUFNFWmtQcDlCNQ==
> Content-Type:text/plain
> Content-Length: 78
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 500 Internal Server Error
< Date: Sun, 08 May 2022 14:31:04 GMT
< Content-Type: application/json; charset=UTF-8
< Content-Length: 74
< Connection: keep-alive
< Strict-Transport-Security: max-age=15724800; includeSubDomains
<
{"error":"error processing request, error: failed to process the request"}* Connection #0 to host api-nl.xdr.us.paloaltonetworks.com left intact

Also tried sending a request from POSTMAN - same result.
tried to send content type as text/plain and as application/json - no luck.
tried to change the HTTP collector to CEF format and send the following text:
"CEF:0|NL|NLMOT|1.0.0.0|Executable Code was Detected|Advanced exploit detected|100|src=192.168.255.110 spt=46117 dst=172.25.212.204 dpt=80" but no luck

What am I doing wrong? who can assist us with this error?

thanks

bbarmanroy · ‎05-09-2022

Hi @MMenachem ,

Here's what I tried :

Set up a HTTP Collector

I was able to send some data with Postman (see my configuration below)

And using native curl (also generated from Postman):

And with Powershell native requests (also generated from Postman):

Here's the data when queried from XQL:

I recommend you to review your configuration - I'd start with Postman and then build your use cases from there. The example curl command in the tenant is for Linux - the curl provided in Windows is actually a powershell cmdlet alias.

Unlock your full community experience!

Http logs collector example not working

Http logs collector example not working

Show your appreciation!