Steps to ingest Box logs in to Cribl

piebob

Working on ingesting Box logs into cribl using REST API, I have generated client ID and secret on the box. What are next steps ? ANy documentation on configuration set up ?

Jon Rust

no docs on this yet. I'll poke around my box account today to see if i can figure it out

Jon Rust

looks like they support a few different auth types

piebob

this are the high level steps I have with me but i am confused and struck at step 4, should i craft a. POST request on cribl for generating. access token ? 1. Obtain Box API Credentials: Sign in to the Box Developer Console (https://developer.box.com/) and create a new Box application. Generate API credentials (client ID and client secret) for your application. 2. Configure Cribl Inputs: In your Cribl instance, configure a REST or HTTP input to fetch data from the Box API. Specify the necessary parameters such as the API endpoint, authentication method, headers, and query parameters. 3. Authenticate with Box API: Implement the authentication process to obtain an access token from the Box API. This typically involves sending a POST request to the Box API token endpoint with your API credentials to exchange them for an access token. 4. Fetch Box Logs: Use the access token obtained in the previous step to make requests to the Box API endpoints for fetching logs. This can involve making GET requests to the appropriate Box API endpoints for the desired log types, such as events, file access logs, or audit logs. You may need to specify parameters such as time range, filters, or pagination as per your requirements.

Shawn Cannon

Def interested in this to see if you get it working

Shawn Cannon

I have done something similar with another product, using REST collector and login authentication endpoint. Worked well for the most part

dduke

<@U03R0BSAFFS&gt; are you using the Box oauth credential provider?

piebob

YES

dduke

Yeah, oauth is a bit of a tricky bird. I've had to use an oauth client to deal with box.

dduke

If you can get away with bearer (not sure if that is supported) that may be easier.

dduke

My reco would be to either write your own client application using the language bindings that you can execute or alternatively look at a bridge that can give you a simplified proxy to the box api.

dduke

in general, oauth is really difficult to work with and has variances across vendors.

dduke

at least that's what we experienced.

Jon Rust

we're got some previous art internally for collecting from Box. I'm in comm with the eng who did it and will get back

piebob

<@ULBGHDPNY&gt; Heard any simple solution for this ?

Jon Rust

Thx for patience! :slightly_smiling_face: Event breaker recommendation: ```{ "lib": "custom", "minRawLength": 256, "id": "Box", "rules": [ { "condition": "true", "type": "json_array", "timestampAnchorRegex": "/^/", "timestamp": { "type": "auto", "length": 150 }, "timestampTimezone": "local", "timestampEarliest": "-420weeks", "timestampLatest": "+1week", "maxEventBytes": 51200, "disabled": false, "parserEnabled": false, "jsonExtractAll": false, "eventBreakerRegex": "/[\n\r]+(?!\s)/", "name": "box", "jsonArrayField": "entries" } ] }```

Jon Rust

And the recommended REST Collector: ```{ "type": "collection", "ttl": "4h", "removeFields": [], "resumeOnBoot": false, "schedule": {}, "streamtags": [], "workerAffinity": false, "collector": { "conf": { "discovery": { "discoverType": "none" }, "collectMethod": "get", "pagination": { "type": "response_body", "maxPages": 0, "attribute": [ "next_stream_position", "chunk_size" ], "lastPageExpr": "chunk_size < 500" }, "authentication": "oauth", "timeout": 0, "useRoundRobinDns": false, "disableTimeFilter": false, "safeHeaders": [], "loginUrl": "`https://api.box.com/oauth2/token`", "tokenRespAttribute": "access_token", "authHeaderKey": "Authorization", "authHeaderExpr": "`Bearer ${token}`", "clientSecretParamName": "client_secret", "clientSecretParamValue": "12345678", "authRequestParams": [ { "name": "client_id", "value": "'<client_id>'" }, { "name": "grant_type", "value": "'client_credentials'" }, { "name": "box_subject_type", "value": "'enterprise'" }, { "name": "box_subject_id", "value": "'<subj_id>'" } ], "collectUrl": "'https://api.box.com/2.0/events'", "collectRequestParams": [ { "name": "stream_position", "value": "`${next_stream_position}`" }, { "name": "stream_type", "value": "'admin_logs'" }, { "name": "limit", "value": "500" }, { "name": "created_after", "value": "`${new Date(Date.now() - 1000 * (60 * 5)).toISOString()}`" } ] }, "destructive": false, "type": "rest" }, "input": { "type": "collection", "staleChannelFlushMs": 10000, "sendToRoutes": true, "preprocess": { "disabled": true }, "throttleRatePerSec": "0" }, "id": "box-api" }```

piebob

Awesome, Thank you so much sir :clap: