
Re: Sentinel 7.0.1 REST API Event List


I patched my Sentinel 7.0.1 to 7.0.2 and I tried again to get my events
and correlated events with my little script:


Code:
--------------------

# The *_PARAM variables are set at the top of the script (see the full script later in the thread).
# HTTP headers are "Name: value"; the original wrote "Authorization : ..." with a space before the colon.
BASIC_AUTH_VALUE=`echo -n "$USER_NAME_PARAM:$PASSWORD_PARAM" | base64`
BASIC_AUTH_HDR="Authorization: Basic $BASIC_AUTH_VALUE"
# echo "BASIC_AUTH_HDR : $BASIC_AUTH_HDR"

# Exchange the Basic credentials for a SAML token
AUTH_RESPONSE=`curl -s -k -XPOST -H "$BASIC_AUTH_HDR" -H "Accept: application/json" "$PROTOCOL_PARAM://$HOST_NAME_PARAM:$PORT_PARAM/SentinelAuthServices/auth/tokens"`
# echo "AUTH_RESPONSE : $AUTH_RESPONSE"

# Extract the token from the {"Token":"..."} response
SAML_AUTH_TOKEN=`echo "${AUTH_RESPONSE}" | sed -rn 's/\{"Token":"([^"]+)".+/\1/p'`
# echo "SAML_AUTH_TOKEN : $SAML_AUTH_TOKEN"

SAML_AUTH_HDR="Authorization: X-SAML $SAML_AUTH_TOKEN"
# echo "SAML_AUTH_HDR : $SAML_AUTH_HDR"

# Page through /objects/event one event at a time
curl -k -XGET -H "$SAML_AUTH_HDR" -H "Accept: application/json" "$PROTOCOL_PARAM://$HOST_NAME_PARAM:$PORT_PARAM/SentinelRESTServices/objects/event?page=2&pagesize=1"

--------------------


Can nobody tell me why it doesn't work? Or how someone managed to get all events
like in the web application?


--
chris54
------------------------------------------------------------------------
chris54's Profile: https://forums.netiq.com/member.php?userid=1915
View this thread: https://forums.netiq.com/showthread.php?t=45014

12 Replies

Re: Sentinel 7.0.1 REST API Event List

Anything in the server0.0.log file from the time of the attempt?

Good luck.

Re: Sentinel 7.0.1 REST API Event List


>
> Anything in the server0.0.log file from the time of the attempt?
>


Here is an extract of the logs when I make my request:


Code:
--------------------

Tue Oct 30 10:31:58 CET 2012|INFO|qtp840863278-275|esecurity.ccs.comp.audit.AuditLogger.execute
Audit High:: Action by user admin via Sentinel service Server object UserAuthentication method Authentication client 172.25.15.200 succeeded : User admin has authenticated to Sentinel, with XDAS taxonomy name: XDAS_AE_AUTHENTICATE_ACCOUNT, with extra tag map: {"dun":"admin","tuid":"1","rv45":"Sentinel:CEE8D190-E954-102F-A758-1C6F65094295"}
Tue Oct 30 10:31:58 CET 2012|INFO|qtp840863278-275|esecurity.base.util.JavaLoggingLog4jAppender.append
[Auth_Token_Created] Initiated from 172.25.15.200, Authenticated User admin
Tue Oct 30 10:31:58 CET 2012|INFO|qtp840863278-275|esecurity.ccs.comp.audit.AuditLogger.execute
Audit High:: Action by user admin via Sentinel service Server object AuthenticationServices method IssueSAMLToken client 172.25.15.200 succeeded : Issue SAML authorization token for user admin., with XDAS taxonomy name: XDAS_AE_CREATE_SESSION, with extra tag map: {"dun":"admin","tuid":"1","rv45":"Sentinel:CEE8D190-E954-102F-A758-1C6F65094295"}
Tue Oct 30 10:31:58 CET 2012|INFO|qtp840863278-275|esecurity.base.util.JavaLoggingLog4jAppender.append
REST Endpoint: Authentication token is created for admin.
Tue Oct 30 10:31:59 CET 2012|INFO|ActiveMQ Session Task|esecurity.ccs.comp.router.EventRouter.reportBatchStats
Sent 2 events (unknown bytes) in 2 batches on channel events_internal_route_no_channel over 104 sec, averaging 0.019 eps, unknown bytes per event, and 1 events/batch in component EventRouterServer.
Tue Oct 30 10:31:59 CET 2012|INFO|ActiveMQ Session Task|esecurity.ccs.comp.router.EventRouter.reportBatchStats
Sent 2 events (1,450 bytes) in 1 batches on channel gui_binary_event over 104 sec, averaging 0.019 eps, 725 bytes per event, and 2 events/batch in component EventRouterServer.
Tue Oct 30 10:31:59 CET 2012|INFO|ActiveMQ Session Task|esecurity.ccs.comp.router.EventRouter.reportBatchStats
Sent a total of 4 events and raw data records (unknown bytes) in 3 batches over 104 sec, averaging 0.038 per second, unknown bytes per event, and 1 events and raw data records/batch in component EventRouterServer.

--------------------


--
chris54


Re: Sentinel 7.0.1 REST API Event List

I haven't tested this yet, but the first four events look like the
login, and the last three look like they are unrelated. The fourth
message looks like the completion of the first login, so lacking
anything else the log doesn't show much. What output do you get from
your script at this point, if anything?

Good luck.

Re: Sentinel 7.0.1 REST API Event List


ab;221599 Wrote:
>
> I haven't tested this yet, but the first four events look like the
> login, and the last three look like they are unrelated. The fourth
> message looks like the completion of the first login, so lacking
> anything else the log doesn't show much. What output do you get from
> your script at this point, if anything?
>


The output of my script:

Code:
--------------------

curl -v -k -XGET -H Authorization : X-SAML [SAML token elided] -H Accept: application/json https://172.25.15.4:8443/SentinelRESTServices/objects/event?page=1&pagesize=1
* About to connect() to 172.25.15.4 port 8443 (#0)
* Trying 172.25.15.4... connected
* Connected to 172.25.15.4 (172.25.15.4) port 8443 (#0)
* successfully set certificate verify locations:
* CAfile: none
CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using EDH-RSA-DES-CBC3-SHA
* Server certificate:
* subject: O=webserver; CN=sentinel
* start date: 2012-09-25 15:35:55 GMT
* expire date: 2021-12-09 01:15:35 GMT
* common name: sentinel (does not match '172.25.15.4')
* issuer: O=webserver; CN=sentinel
* SSL certificate verify result: self signed certificate (18), continuing anyway.
> GET /SentinelRESTServices/objects/event?page=1&pagesize=1 HTTP/1.1
> User-Agent: curl/7.21.0 (i486-pc-linux-gnu) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3.4 libidn/1.15 libssh2/1.2.6
> Host: 172.25.15.4:8443
> Authorization : X-SAML [SAML token elided]
> Accept: application/json
>

< HTTP/1.1 204 No Content
< Date: Mon, 05 Nov 2012 09:24:49 GMT
< Content-Type: application/json
< Server: Jetty(7.6.1.v20120215)
<
* Connection #0 to host 172.25.15.4 left intact
* Closing connection #0
* SSLv3, TLS alert, Client hello (1):

--------------------


Just two interesting things:
- sentinel (does not match '172.25.15.4') error or not ?
- HTTP/1.1 204 No Content


--
chris54


Re: Sentinel 7.0.1 REST API Event List

> Just two interesting things : - sentinel (does not match
> '172.25.15.4') error or not ?


The certificate has 'sentinel' for a subject name while you accessed the
box via the IP address. If you were to set up your client to resolve
'sentinel' to '172.25.15.14' (via an /etc/hosts hack if nothing else)
that warning would go away. As it is, the connection proceeded and you
can see layer 7 (HTTP) traffic happening so it didn't interfere.

> - HTTP/1.1 204 No Content


Well, this seems to show that the connection worked, and as it is not an
authentication or authorization problem it makes me think either the
interface isn't working or there was nothing to be returned. I'd expect
JSON output to have something more direct than nothing at all, though.
I'll try to get a test done today on my side.

Good luck.

Re: Sentinel 7.0.1 REST API Event List


ab;221707 Wrote:
>
> Well, this seems to show that the connection worked, and as it is not
> an
> authentication or authorization problem it makes me think either the
> interface isn't working or there was nothing to be returned. I'd
> expect
> JSON output to have something more direct than nothing at all, though.
> I'll try to get a test done today on my side.
>


So, did you find a way to get all events and correlated events?


--
chris54


Re: Sentinel 7.0.1 REST API Event List

Some tinkering today and I have the same results you do. Adding the
following to the end of that last curl command (within the
double-quotes, of course) seemed to make a difference. Should it be
necessary? No. If you can duplicate it that'd be enough for me to open
a bug on it.

&query=sev%3A%5B0%20TO%205%5D

Basically it's adding a query saying sev:[0 TO 5] which should not be
necessary, and for all I know isn't even a valid TinyQ query, but oh well.

Good luck.

Re: Sentinel 7.0.1 REST API Event List


ab;222326 Wrote:
>
> Some tinkering today and I have the same results you do. Adding the
> following to the end of that last curl command (within the
> double-quotes, of course) seemed to make a difference. Should it be
> necessary? No. If you can duplicate it that'd be enough for me to
> open
> a bug on it.
>
> &query=sev%3A%5B0%20TO%205%5D
>
> Basically it's adding a query saying sev:[0 TO 5] which should not be
> necessary, and for all I know isn't even a valid TinyQ query, but oh
> well.
>


I think it's not a bug; I think I just don't use the right way to get
the events.
Indeed, I tried to get the events with a search job and it works.

I give you my test script:


Code:
--------------------

#!/bin/sh

# Connection config
USER_NAME_PARAM=admin
PASSWORD_PARAM=password
PROTOCOL_PARAM=https
HOST_NAME_PARAM=sentinel-server
PORT_PARAM=8443

# Request params: TinyQ filter plus the time window of the search
FILTER="sev:4"
START="2012-11-19T14:10:28.931Z"
END="2012-11-19T16:06:30.000Z"

# Step 1: exchange the Basic credentials for a SAML token
# (headers are "Name: value"; the original had a space before the colon)
BASIC_AUTH_VALUE=`echo -n "$USER_NAME_PARAM:$PASSWORD_PARAM" | base64`
BASIC_AUTH_HDR="Authorization: Basic $BASIC_AUTH_VALUE"

AUTH_RESPONSE=`curl -s -k -XPOST -H "$BASIC_AUTH_HDR" -H "Accept: application/json" "$PROTOCOL_PARAM://$HOST_NAME_PARAM:$PORT_PARAM/SentinelAuthServices/auth/tokens"`

SAML_AUTH_TOKEN=`echo "${AUTH_RESPONSE}" | sed -rn 's/\{"Token":"([^"]+)".+/\1/p'`

SAML_AUTH_HDR="Authorization: X-SAML $SAML_AUTH_TOKEN"

# Step 2: create a search job; the response carries an href pointing at the job object
SEARCH_JOB_URL=`curl -s -k -H "$SAML_AUTH_HDR" -H "Content-Type: application/json" -X POST -d "{\"filter\":\"$FILTER\", \"start\":\"$START\", \"end\":\"$END\", \"pgsize\":125, \"max-results\":50000, \"type\":\"USER\"}" "$PROTOCOL_PARAM://$HOST_NAME_PARAM:$PORT_PARAM/SentinelRESTServices/objects/event-search" | grep -Po 'href":".*"' | cut -d\" -f3`

# Step 3: the job object links to its results
SEARCH_RESULT_URL=`curl -s -k -H "$SAML_AUTH_HDR" -H "Accept: application/json" -XGET "$SEARCH_JOB_URL" | grep -Po 'results":{"@href":".*"' | grep -Po 'href":".*"' | cut -d\" -f3`

# Step 4: fetch the events and print one JSON field per line
# (print a[i]: the original printed the array itself, which awk rejects)
curl -s -k -H "$SAML_AUTH_HDR" -H "Accept: application/json" -XGET "$SEARCH_RESULT_URL" | sed -e 's/[{}]//g' | awk '{n=split($0,a,","); for (i=1; i<=n; i++) print a[i]}'

# Step 5: delete the search job so it does not linger in the active search panel
curl -s -k -H "$SAML_AUTH_HDR" -H "Accept: application/json" -XDELETE "$SEARCH_JOB_URL"

--------------------


Here, the first request creates a search job and returns a link to the
object created. In this object there is a link to the result of this
job. This link returns the events corresponding to the search filter. And
I finish by deleting the search job.
So I think it's the right way to get the events and do a search on
them.

Thanks for your help.


--
chris54
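The search-job workflow described above, as an added example in Python (not chris54's script nor NetIQ's code): it parses the JSON responses instead of piping through sed/grep, returns an empty list on the 204 the thread ran into, and deletes the job in a finally block so nothing lingers in the active search panel. The response field names (Token, @href, results), the host and the constructed stand-in responses are assumptions inferred from the thread's pipelines.

```python
import base64
import json
import ssl
import urllib.request

BASE = "https://sentinel-server:8443"  # assumed host, as in the thread's script

def auth_headers(scheme_and_value):
    # Header form is "Name: value"; the thread's script put a space before the colon
    return {"Authorization": scheme_and_value, "Accept": "application/json"}

def basic_value(user, password):
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def urllib_fetch(method, url, headers, body, cafile=None):
    # Real transport: verify the server cert against cafile (where the thread's
    # self-signed cert would go) rather than trusting everything like curl -k
    ctx = ssl.create_default_context(cafile=cafile)
    req = urllib.request.Request(url, data=body.encode() if body else None,
                                 headers=headers, method=method)
    with urllib.request.urlopen(req, context=ctx) as resp:
        return resp.status, resp.read().decode()

def run_event_search(fetch, base, user, password, filter_expr, start, end):
    # fetch(method, url, headers, body) -> (status, text). Token -> job -> results;
    # the job is deleted even when a step fails.
    status, body = fetch("POST", f"{base}/SentinelAuthServices/auth/tokens",
                         auth_headers(basic_value(user, password)), None)
    if status != 200:
        raise RuntimeError(f"auth failed: HTTP {status}")
    hdr = auth_headers("X-SAML " + json.loads(body)["Token"])  # JSON parse, not sed
    job_req = json.dumps({"filter": filter_expr, "start": start, "end": end,
                          "pgsize": 125, "max-results": 50000, "type": "USER"})
    status, body = fetch("POST", f"{base}/SentinelRESTServices/objects/event-search",
                         {**hdr, "Content-Type": "application/json"}, job_req)
    job_url = json.loads(body)["@href"]
    try:
        _, body = fetch("GET", job_url, hdr, None)
        results_url = json.loads(body)["results"]["@href"]
        status, body = fetch("GET", results_url, hdr, None)
        # 204 (what the bare /objects/event GET in the thread returned) has no body
        return [] if status == 204 else json.loads(body)
    finally:
        fetch("DELETE", job_url, hdr, None)  # keeps the active search panel clean

# Constructed stand-in server so the flow runs offline; response shapes are assumptions
JOB = f"{BASE}/SentinelRESTServices/objects/event-search/42"
FAKE = {
    ("POST", f"{BASE}/SentinelAuthServices/auth/tokens"): (200, '{"Token":"TOKEN-PLACEHOLDER"}'),
    ("POST", f"{BASE}/SentinelRESTServices/objects/event-search"): (201, json.dumps({"@href": JOB})),
    ("GET", JOB): (200, json.dumps({"@href": JOB, "results": {"@href": JOB + "/results"}})),
    ("GET", JOB + "/results"): (200, '[{"sev":4,"evt":"Login failed"},{"sev":4,"evt":"Port scan"}]'),
    ("DELETE", JOB): (204, ""),
}

def demo(calls):
    # Run the flow against FAKE, appending each (method, url) to calls for inspection
    def fetch(method, url, headers, body):
        calls.append((method, url))
        return FAKE[(method, url)]
    return run_event_search(fetch, BASE, "admin", "password", "sev:4",
                            "2012-11-19T14:10:28.931Z", "2012-11-19T16:06:30.000Z")
```

Against a real server, pass `urllib_fetch` (with the server's certificate as `cafile`) in place of the stand-in `fetch`.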


Re: Sentinel 7.0.1 REST API Event List

Yes, your way makes sense. Just to be clear, the query I had (using
your base and adding on that part mentioned before) also worked. I
think the 'filter' part, where it mentions in the API docs that the
default is 'no filter', is necessary to find anything. It's a filter
in, not a filter out. Also, the API docs mention using TinyQ as the
filter language and while I found some stuff on how to do that (such as
the example posted) it'd be nice if the API docs themselves had more on
that rather than needing to go to the plugin SDK docs (thanks Google).

Good luck.

Re: Sentinel 7.0.1 REST API Event List

I submitted Bug# 791339 as an enhancement to help this doc be a little
clearer so hopefully it will help others in the future.

Good luck.

Re: Sentinel 7.0.1 REST API Event List


ab;222556 Wrote:
>
> I submitted Bug# 791339 as an enhancement to help this doc be a little
> clearer so hopefully it will help others in the future.
>


I tested your method and it works. But the search jobs aren't deleted
in the active search panel of the Sentinel web application. I don't
know if there is a timeout to automatically delete the job. For me
this method isn't very clean, so I'll stay with my method.

OK, for the bug: can you give me the link to it?

Thanks.


--
chris54


Re: Sentinel 7.0.1 REST API Event List


Hi everybody!

I want to know if it is possible to use a previously created filter inside
an EventSearch method via the Sentinel API?
More details about my question below:
Sample Request
POST https://172.23.0.76:8443/SentinelRESTServices/objects/event-search
{
  "InitiatingHostName":"jdoe_desktop.company.com",
  "pgsize":125,
  "type":"USER",
  "ip":"10.0.0.23",
  "aggregate-obj":{
    "@href":"https://localhost:8443/SentinelRESTServices/objects/incident/201"
  },
  "start":"2012-11-01T19:46:58.309Z",
  "max-results":50000,
  "init-user":"jdoe",
  "filter":"sev:4",
  "end":"2012-11-01T19:46:58.309Z",
  "fields":[
    "dt",
    "evt"
  ]
}

In the previous request I want to replace "sev:4" with a previously
created filter; suppose the filter's name is filter001.
The filter has the content:
(st:C) AND (rv123:"SOME-ID-VALUE")

But because the filter definition could change at any moment, I wish to
use its name, like this:
POST https://172.23.0.76:8443/SentinelRESTServices/objects/event-search
{
  "InitiatingHostName":"jdoe_desktop.company.com",
  "pgsize":125,
  "type":"USER",
  "ip":"10.0.0.23",
  "aggregate-obj":{
    "@href":"https://localhost:8443/SentinelRESTServices/objects/incident/201"
  },
  "start":"2012-11-01T19:46:58.309Z",
  "max-results":50000,
  "init-user":"jdoe",
  "filter":"filter001",
  "end":"2012-11-01T19:46:58.309Z",
  "fields":[
    "dt",
    "evt"
  ]
}

I tried to use it as I showed, but it doesn't work.

Is it possible to apply my idea? How can I use it?

Thanks in advance,


--
jesus_rivero
------------------------------------------------------------------------
jesus_rivero's Profile: https://forums.netiq.com/member.php?userid=3555
View this thread: https://forums.netiq.com/showthread.php?t=45014
