
Problem with Elements Connector registration

CyberCheese W/ Member Posts: 2 Security Scout

I need to install and configure a WithSecure Elements Connector to forward all security events to a SIEM server.
I have installed WithSecure Elements Connector in my managed environment on Linux.

I followed this guide:

Then I configured API access and the event forwarding settings as explained in the guide.

After starting the fsconnector service on the Linux server, I found this error in /var/opt/f-secure/fspms/logs/fsconnector-management.log:

"08.05.2024 09:11:52,796 ERROR [c.f.f.p.m.c.PolicyReceiver] - Failed to download cosmos schema, response body: {"error":{"code":140307,"message":"Operating system is not allowed for given subscription"}}org.springframework.web.reactive.function.client.WebClientResponseException$Forbidden: 403 Forbidden from POST
at org.springframework.web.reactive.function.client.WebClientResponseException.create( ~[spring-webflux-5.2.24.RELE
Suppressed: reactor.core.publisher.FluxOnAssembly$OnAssemblyException:
Error has been observed at the following site(s):
*__checkpoint ⇢ 403 from POST [DefaultWebClient]"

The API key has Full editing access permission and the Subscription key configured is correct.

What could be the problem?
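
A way to triage this kind of entry systematically, as an added example that is not part of the original post and not WithSecure's own tooling: the script below splits fsconnector-management.log into entries, re-joins lines that were wrapped mid-word when the log was pasted, decodes the JSON error object (code and message) out of the response body, and picks up the HTTP status and method from the WebClient exception text glued onto it. The log lines it runs on are constructed here and modelled on the excerpt above; the INFO line and the second ERROR entry, including its code 123456, are made up for the example and are not real Elements API output.

```python
import json
import re
from typing import Optional

# Constructed sample, modelled on the fsconnector-management.log excerpt in the thread.
# The first ERROR entry is split mid-word ("Operating syst" / "em") on purpose, to
# reproduce the line wrap visible in the post. The INFO line and the second ERROR
# entry (code 123456) are made up for this example and are not real Elements output.
SAMPLE_LOG = """\
08.05.2024 09:11:50,001 INFO  [c.f.f.p.m.c.PolicyReceiver] - Policy poll started
08.05.2024 09:11:52,796 ERROR [c.f.f.p.m.c.PolicyReceiver] - Failed to download cosmos schema, response body: {"error":{"code":140307,"message":"Operating syst
em is not allowed for given subscription"}}org.springframework.web.reactive.function.client.WebClientResponseException$Forbidden: 403 Forbidden from POST
at org.springframework.web.reactive.function.client.WebClientResponseException.create(
Suppressed: reactor.core.publisher.FluxOnAssembly$OnAssemblyException:
Error has been observed at the following site(s):
*__checkpoint ⇢ 403 from POST [DefaultWebClient]
08.05.2024 09:12:10,123 ERROR [c.f.f.p.m.c.PolicyReceiver] - Failed to download cosmos schema, response body: {"error":{"code":123456,"message":"constructed example, not a real Elements error"}}org.springframework.web.reactive.function.client.WebClientResponseException$Unauthorized: 401 Unauthorized from POST
"""

# Start of a log entry: "dd.MM.yyyy HH:mm:ss,SSS LEVEL [logger] - message"
ENTRY_RE = re.compile(
    r"^(\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2},\d{3}) (\w+)\s+\[([^\]]+)\] - (.*)$"
)
# "403 Forbidden from POST" as rendered by Spring's WebClientResponseException
HTTP_RE = re.compile(r"\b(\d{3}) (\w+) from (\w+)\b")


def parse_entries(log_text: str) -> list:
    """Group raw lines into entries. A line that does not start with a timestamp
    is a continuation (stack trace, or a message the terminal wrapped)."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            ts, level, logger, msg = m.groups()
            entries.append({"timestamp": ts, "level": level, "logger": logger, "text": msg})
        elif entries:
            entries[-1]["text"] += "\n" + line
    return entries


def extract_api_error(text: str) -> Optional[dict]:
    """Pull the {"error":{code,message}} object and the HTTP status out of an
    entry's text. Returns None when the entry carries no API error body."""
    start = text.find('{"error"')
    if start < 0:
        return None
    # A paste wrap can leave a raw newline inside a JSON string, which json
    # rejects as a control character; drop newlines before decoding.
    body = text[start:].replace("\n", "")
    try:
        # raw_decode stops at the end of the object and ignores the Java
        # exception text that follows the response body without a separator.
        obj, _ = json.JSONDecoder().raw_decode(body)
    except json.JSONDecodeError:
        return None
    err = obj.get("error") or {}
    status = HTTP_RE.search(text)
    return {
        "code": err.get("code"),
        "message": err.get("message"),
        "http_status": int(status.group(1)) if status else None,
        "http_method": status.group(3) if status else None,
    }


def triage(log_text: str) -> list:
    """One record per ERROR entry, with the decoded API error when present."""
    records = []
    for entry in parse_entries(log_text):
        if entry["level"] != "ERROR":
            continue
        record = {"timestamp": entry["timestamp"], "logger": entry["logger"]}
        record.update(extract_api_error(entry["text"]) or {})
        records.append(record)
    return records


if __name__ == "__main__":
    for rec in triage(SAMPLE_LOG):
        print(rec)
```

Deleting the newline when re-joining is right for the wrap in this thread, where the break fell inside the word "system"; a response body that genuinely spans lines would need a different join. The script only reports what the API returned, so a code such as 140307 still has to be interpreted against the subscription and operating-system details of the installation rather than from the log alone.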



  • JamesC
    JamesC W/ Partner, W/ Staff, W/ Moderator Posts: 521 Moderator

    Hi @CyberCheese ,

    Thank you for contacting WithSecure

Can you please share which SIEM you are using?

Have you followed the exact steps mentioned in the user guides to configure API access, and the following information to configure event forwarding?

  • CyberCheese
    CyberCheese W/ Member Posts: 2 Security Scout

    Thanks for your response.

The SIEM is Wazuh, which exposes a syslog UDP server.

Yes, I followed the steps in the guide. I configured an API client and enabled event forwarding (see the attachment).
    The last note about the API configuration says:
    "Note: After you turn on event forwarding in the profile settings, the file is deleted automatically. The API credentials are stored in an encrypted form in a secure storage."

    But I still see the file and the error in the log.

I'm sure that the client ID and the secret are correct, because if I try to authenticate manually it works.

This works (same client ID and secret as in the file):
    curl -X POST -d "grant_type=client_credentials" -d " connect.api.write" -u "<client ID>:<secret>"

and this also works (token taken from the result of the previous curl command):
    curl -H "Authorization: Bearer <token>"

    Any idea?

  • JamesC
    JamesC W/ Partner, W/ Staff, W/ Moderator Posts: 521 Moderator

    Hi @CyberCheese

For us to investigate further, we need to check the full WSDiag logs from the Elements Connector. Thus we suggest submitting a support case to us on