Steps to ingest Box logs into Cribl

Working on ingesting Box logs into Cribl using the REST API. I have generated a client ID and secret on Box. What are the next steps? Any documentation on configuration setup?

Answers

  • Jon Rust
    Jon Rust Posts: 475 mod

    no docs on this yet. I'll poke around my box account today to see if i can figure it out

  • Jon Rust
    Jon Rust Posts: 475 mod

    looks like they support a few different auth types

  • piebob
    piebob Posts: 8

    These are the high-level steps I have with me, but I am confused and stuck at step 4. Should I craft a POST request on Cribl for generating an access token?

    1. Obtain Box API Credentials: Sign in to the Box Developer Console (https://developer.box.com/) and create a new Box application. Generate API credentials (client ID and client secret) for your application.
    2. Configure Cribl Inputs: In your Cribl instance, configure a REST or HTTP input to fetch data from the Box API. Specify the necessary parameters such as the API endpoint, authentication method, headers, and query parameters.
    3. Authenticate with Box API: Implement the authentication process to obtain an access token from the Box API. This typically involves sending a POST request to the Box API token endpoint with your API credentials to exchange them for an access token.
    4. Fetch Box Logs: Use the access token obtained in the previous step to make requests to the Box API endpoints for fetching logs. This can involve making GET requests to the appropriate Box API endpoints for the desired log types, such as events, file access logs, or audit logs. You may need to specify parameters such as time range, filters, or pagination as per your requirements.

  • Shawn Cannon
    Shawn Cannon Posts: 131 ✭✭

    Def interested in this to see if you get it working

  • Shawn Cannon
    Shawn Cannon Posts: 131 ✭✭

    I have done something similar with another product, using REST collector and login authentication endpoint. Worked well for the most part

  • dduke
    dduke Posts: 14 mod

    <@U03R0BSAFFS> are you using the Box oauth credential provider?

  • piebob
    piebob Posts: 8

    YES

  • dduke
    dduke Posts: 14 mod

    Yeah, oauth is a bit of a tricky bird. I've had to use an oauth client to deal with box.

  • dduke
    dduke Posts: 14 mod

    If you can get away with bearer (not sure if that is supported) that may be easier.

  • dduke
    dduke Posts: 14 mod

    My reco would be to either write your own client application using the language bindings that you can execute or alternatively look at a bridge that can give you a simplified proxy to the box api.

  • dduke
    dduke Posts: 14 mod

    in general, oauth is really difficult to work with and has variances across vendors.

  • dduke
    dduke Posts: 14 mod

    at least that's what we experienced.

  • Jon Rust
    Jon Rust Posts: 475 mod

    we've got some previous art internally for collecting from Box. I'm in comm with the eng who did it and will get back

  • piebob
    piebob Posts: 8

    <@ULBGHDPNY> Heard any simple solution for this?

  • Jon Rust
    Jon Rust Posts: 475 mod

    Thx for patience! :slightly_smiling_face: Event breaker recommendation:

    ```
    {
      "lib": "custom",
      "minRawLength": 256,
      "id": "Box",
      "rules": [
        {
          "condition": "true",
          "type": "json_array",
          "timestampAnchorRegex": "/^/",
          "timestamp": {
            "type": "auto",
            "length": 150
          },
          "timestampTimezone": "local",
          "timestampEarliest": "-420weeks",
          "timestampLatest": "+1week",
          "maxEventBytes": 51200,
          "disabled": false,
          "parserEnabled": false,
          "jsonExtractAll": false,
          "eventBreakerRegex": "/[\\n\\r]+(?!\\s)/",
          "name": "box",
          "jsonArrayField": "entries"
        }
      ]
    }
    ```

  • Jon Rust
    Jon Rust Posts: 475 mod

    And the recommended REST Collector:

    ```
    {
      "type": "collection",
      "ttl": "4h",
      "removeFields": [],
      "resumeOnBoot": false,
      "schedule": {},
      "streamtags": [],
      "workerAffinity": false,
      "collector": {
        "conf": {
          "discovery": {
            "discoverType": "none"
          },
          "collectMethod": "get",
          "pagination": {
            "type": "response_body",
            "maxPages": 0,
            "attribute": [
              "next_stream_position",
              "chunk_size"
            ],
            "lastPageExpr": "chunk_size < 500"
          },
          "authentication": "oauth",
          "timeout": 0,
          "useRoundRobinDns": false,
          "disableTimeFilter": false,
          "safeHeaders": [],
          "loginUrl": "`https://api.box.com/oauth2/token`",
          "tokenRespAttribute": "access_token",
          "authHeaderKey": "Authorization",
          "authHeaderExpr": "`Bearer ${token}`",
          "clientSecretParamName": "client_secret",
          "clientSecretParamValue": "12345678",
          "authRequestParams": [
            { "name": "client_id", "value": "'<client_id>'" },
            { "name": "grant_type", "value": "'client_credentials'" },
            { "name": "box_subject_type", "value": "'enterprise'" },
            { "name": "box_subject_id", "value": "'<subj_id>'" }
          ],
          "collectUrl": "'https://api.box.com/2.0/events'",
          "collectRequestParams": [
            { "name": "stream_position", "value": "`${next_stream_position}`" },
            { "name": "stream_type", "value": "'admin_logs'" },
            { "name": "limit", "value": "500" },
            { "name": "created_after", "value": "`${new Date(Date.now() - 1000 * (60 * 5)).toISOString()}`" }
          ]
        },
        "destructive": false,
        "type": "rest"
      },
      "input": {
        "type": "collection",
        "staleChannelFlushMs": 10000,
        "sendToRoutes": true,
        "preprocess": {
          "disabled": true
        },
        "throttleRatePerSec": "0"
      },
      "id": "box-api"
    }
    ```
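
The request flow that the REST Collector configuration above describes, written out as an added example (not part of the original thread and not Cribl's own code): one client_credentials token request, then paging `/2.0/events` by `next_stream_position` until `chunk_size` drops below the limit. The `http` transport parameter, the `fake_box` stand-in and every token and event value are constructed assumptions so the flow runs offline.

```python
from urllib.parse import urlencode

TOKEN_URL = "https://api.box.com/oauth2/token"   # loginUrl in the config
EVENTS_URL = "https://api.box.com/2.0/events"    # collectUrl in the config
LIMIT = 500       # "limit" param; also the bound in lastPageExpr "chunk_size < 500"
CALLS = []        # requests seen by the constructed fake_box transport

def token_request(client_id, client_secret, subject_id):
    """Form body for the token POST, built from authRequestParams plus the secret."""
    return urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": "client_credentials",
        "box_subject_type": "enterprise",
        "box_subject_id": subject_id,
    })

def collect(http, client_id, client_secret, subject_id, created_after):
    """Return all admin_logs entries. `http(method, url, headers, body)` is a
    hypothetical injected transport that returns the parsed JSON response."""
    body = token_request(client_id, client_secret, subject_id)
    form = {"Content-Type": "application/x-www-form-urlencoded"}
    token = http("POST", TOKEN_URL, form, body)["access_token"]  # tokenRespAttribute
    headers = {"Authorization": f"Bearer {token}"}               # authHeaderExpr
    params = {"stream_type": "admin_logs", "limit": LIMIT,
              "created_after": created_after}
    events = []
    while True:
        page = http("GET", EVENTS_URL + "?" + urlencode(params), headers, None)
        events.extend(page["entries"])        # jsonArrayField in the event breaker
        if page["chunk_size"] < LIMIT:        # lastPageExpr: short page ends the run
            return events
        params["stream_position"] = page["next_stream_position"]

def fake_box(method, url, headers, body):
    """Constructed stand-in for Box: one full page of 500 events, then 3 more."""
    CALLS.append((method, url))
    if method == "POST":
        return {"access_token": "constructed-token"}
    if "stream_position=" not in url:
        return {"chunk_size": 500, "next_stream_position": "p2",
                "entries": [{"event_id": f"a{i}"} for i in range(500)]}
    return {"chunk_size": 3, "next_stream_position": "p3",
            "entries": [{"event_id": f"b{i}"} for i in range(3)]}

if __name__ == "__main__":
    got = collect(fake_box, "cid", "constructed-secret", "12345", "2024-01-01T00:00:00Z")
    print(len(got), "events in", len(CALLS), "requests")
```

Because the client secret is passed in as an argument, it can be read from a secret store or environment variable at run time instead of being embedded in the job definition.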

  • piebob
    piebob Posts: 8

    Awesome, Thank you so much sir :clap: