Http logs collector example not working

Hi,
I hope this is the right place to ask this question.
We were given a temporary user to play around with Cortex XDR, and we are trying to insert some dummy data into it.

I am trying to insert data using an HTTP logs collector, following this guide.
Unfortunately, the example in the guide seems to be incorrect.

I created a custom collector of HTTP type and got an API key.
The compression is "gzip" and the log format is "JSON" (but I also tried RAW and CEF).

When pressing "View Example" I'm given the following code:
curl -X POST https://api-nl.xdr.us.paloaltonetworks.com/logs/v1/event -H 'Authorization: {api_key}' -H 'Content-Type: text/plain' -d '{"example1": "test", "timestamp": 1609100113039}
{"example2": [12321,546456,45687,1]}'

1. The given curl is not valid on Windows; all single quotes need to be changed to double quotes.
2. After fixing this and sending this curl:
curl -X POST https://api-nl.xdr.us.paloaltonetworks.com/logs/v1/event -H "Authorization:{api_key}" -H "Content-Type:text/plain" -d "{"example1": "test", "timestamp": 1609100113039}\n{"example2": [12321,546456,45687,1]}" -v
(the "{api_key}" is replaced by the actual key)
I'm getting error code 500 and the message: {"error":"error processing request, error: failed to process the request"}

Full log:
C:\Users\AmirD>curl -X POST https://api-nl.xdr.us.paloaltonetworks.com/logs/v1/event -H "Authorization:{api_key}" -H "Content-Type:text/plain" -d "{"example1": "test", "timestamp": 1609100113039}\n{"example2": [12321,546456,45687,1]}" -v
Note: Unnecessary use of -X or --request, POST is already inferred.
*   Trying 35.222.81.194:443...
* Connected to api-nl.xdr.us.paloaltonetworks.com (35.222.81.194) port 443 (#0)
* schannel: disabled automatic use of client certificate
* schannel: ALPN, offering http/1.1
* schannel: ALPN, server accepted to use http/1.1
> POST /logs/v1/event HTTP/1.1
> Host: api-nl.xdr.us.paloaltonetworks.com
> User-Agent: curl/7.79.1
> Accept: */*
> Authorization:Mjp5cmYzVHVFUk5sOWJvSnR3SlR0TWppakxNQ21mUmMxM0F6dG12VlVzbEFSNUdVSmFVRzUyQVl0MFRjMzhxcGJvUnc3WFhxYkdoNUxFMHpWSlp1Sm5GenRaWjVCTER4RHQ4Q1VDUzJ0ZDA4akVZWVBlWkJKRVIwUFNFWmtQcDlCNQ==
> Content-Type:text/plain
> Content-Length: 78
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 500 Internal Server Error
< Date: Sun, 08 May 2022 14:31:04 GMT
< Content-Type: application/json; charset=UTF-8
< Content-Length: 74
< Connection: keep-alive
< Strict-Transport-Security: max-age=15724800; includeSubDomains
<
{"error":"error processing request, error: failed to process the request"}* Connection #0 to host api-nl.xdr.us.paloaltonetworks.com left intact

I also tried sending a request from Postman - same result.
I tried sending the content type as text/plain and as application/json - no luck.
I tried changing the HTTP collector to CEF format and sending the following text:
"CEF:0|NL|NLMOT|1.0.0.0|Executable Code was Detected|Advanced exploit detected|100|src=192.168.255.110 spt=46117 dst=172.25.212.204 dpt=80" but no luck.

What am I doing wrong? Who can assist us with this error?

Thanks