This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Who Me Too'd this topic

Http logs collector example not working

MMenachem
L0 Member

‎05-08-2022 07:51 AM

Hi
hope this is the right place to ask this question
We were given a temp user to play around with the Cortex XDR and we are trying to insert some dummy data into it.

I am trying to insert data using an Http logs collector, following this guide
unfortunately, the example in the guide seems to be incorrect.

 
I created a custom collector of HTTP type and got an API key.
the comparison is "gzip" and the log format is "JSON" (but also tried RAW and CEF)

when pressing "View Example" I'm given the following code:
curl -X POST https://api-nl.xdr.us.paloaltonetworks.com/logs/v1/event -H 'Authorization: {api_key}' -H 'Content-Type: text/plain' -d '{"example1": "test", "timestamp": 1609100113039}
{"example2": [12321,546456,45687,1]}'

1.The given CURL is not valid on windows. need to change all single quote to double quotes
2. when fixing this and sending this CURL
curl -X POST https://api-nl.xdr.us.paloaltonetworks.com/logs/v1/event -H "Authorization:{api_key}" -H "Content-Type:text/plain" -d "{"example1": "test", "timestamp": 1609100113039}\n{"example2": [12321,546456,45687,1]}" -v
(the "{api_key}" is replaced by the actual key)
I'm getting error code 500 and message: " {"error":"error processing request, error: failed to process the request"}

Full log:
C:\Users\AmirD>curl -X POST https://api-nl.xdr.us.paloaltonetworks.com/logs/v1/event -H "Authorization:{api_key}" -H "Content-Type:text/plain" -d "{"example1": "test", "timestamp": 1609100113039}\n{"example2": [12321,546456,45687,1]}" -v
Note: Unnecessary use of -X or --request, POST is already inferred.
*   Trying 35.222.81.194:443...
* Connected to api-nl.xdr.us.paloaltonetworks.com (35.222.81.194) port 443 (#0)
* schannel: disabled automatic use of client certificate
* schannel: ALPN, offering http/1.1
* schannel: ALPN, server accepted to use http/1.1
> POST /logs/v1/event HTTP/1.1
> Host: api-nl.xdr.us.paloaltonetworks.com
> User-Agent: curl/7.79.1
> Accept: */*
> Authorization:Mjp5cmYzVHVFUk5sOWJvSnR3SlR0TWppakxNQ21mUmMxM0F6dG12VlVzbEFSNUdVSmFVRzUyQVl0MFRjMzhxcGJvUnc3WFhxYkdoNUxFMHpWSlp1Sm5GenRaWjVCTER4RHQ4Q1VDUzJ0ZDA4akVZWVBlWkJKRVIwUFNFWmtQcDlCNQ==
> Content-Type:text/plain
> Content-Length: 78
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 500 Internal Server Error
< Date: Sun, 08 May 2022 14:31:04 GMT
< Content-Type: application/json; charset=UTF-8
< Content-Length: 74
< Connection: keep-alive
< Strict-Transport-Security: max-age=15724800; includeSubDomains
<
{"error":"error processing request, error: failed to process the request"}* Connection #0 to host api-nl.xdr.us.paloaltonetworks.com left intact

Also tried sending a request from POSTMAN - same result.
tried to send content type as text/plain and as application/json - no luck.
tried to change the HTTP collector to CEF format and send the following text: 
"CEF:0|NL|NLMOT|1.0.0.0|Executable Code was Detected|Advanced exploit detected|100|src=192.168.255.110 spt=46117 dst=172.25.212.204 dpt=80"  but no luck

What am I doing wrong? who can assist us with this error?

thanks
1 person had this problem.
0 Likes Likes
Who Me Too'd this topic
LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks