Problem with Elements Connector registration
I need to install and configure a WithSecure Elements Connector to forward all security events to a SIEM server.
I have installed WithSecure Elements Connector in my managed environment on Linux.
I followed this guide:
Then I configured an API access and the event forwarding settings as explained in the guide.
After starting the fsconnector service on the Linux server, I found this error in /var/opt/f-secure/fspms/logs/fsconnector-management.log:
"08.05.2024 09:11:52,796 ERROR [c.f.f.p.m.c.PolicyReceiver] - Failed to download cosmos schema, response body: {"error":{"code":140307,"message":"Operating system is not allowed for given subscription"}}org.springframework.web.reactive.function.client.WebClientResponseException$Forbidden: 403 Forbidden from POST https://provisioning.ew1.entitlements.fsapi.com/cpa/v1/registration
    at org.springframework.web.reactive.function.client.WebClientResponseException.create(WebClientResponseException.java:183) ~[spring-webflux-5.2.24.RELEASE.jar:5.2.24.RELEASE]
    Suppressed: reactor.core.publisher.FluxOnAssembly$OnAssemblyException:
Error has been observed at the following site(s):
    *__checkpoint ⇢ 403 from POST https://provisioning.ew1.entitlements.fsapi.com/cpa/v1/registration [DefaultWebClient]"
The API key has Full editing access permission and the Subscription key configured is correct.
What could be the problem?
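The registration error above is the only concrete evidence in the post, and the useful part (the entitlement error code and the failing endpoint) is buried inside a Spring WebClient exception line whose JSON body runs straight into the exception class name. The following triage script is an added example, not part of the original post or of the WithSecure product: it parses constructed fsconnector-management.log lines modelled on the excerpt, and uses json.JSONDecoder.raw_decode so the leading JSON object is decoded even though trailing text follows it without a separator.

```python
import json
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample log, modelled on the fsconnector-management.log excerpt in the post
# (the INFO line is invented filler; the ERROR line mirrors the quoted one).
SAMPLE_LOG = """\
08.05.2024 09:11:50,102 INFO  [c.f.f.p.m.c.PolicyReceiver] - Starting policy receiver
08.05.2024 09:11:52,796 ERROR [c.f.f.p.m.c.PolicyReceiver] - Failed to download cosmos schema, response body: {"error":{"code":140307,"message":"Operating system is not allowed for given subscription"}}org.springframework.web.reactive.function.client.WebClientResponseException$Forbidden: 403 Forbidden from POST https://provisioning.ew1.entitlements.fsapi.com/cpa/v1/registration
"""

# "dd.MM.yyyy HH:mm:ss,SSS LEVEL [logger] - message" as seen in the excerpt
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2},\d{3}) (?P<level>[A-Z]+)\s+"
    r"\[(?P<logger>[^\]]+)\] - (?P<msg>.*)$"
)
# WebClientResponseException text: ": 403 Forbidden from POST <url>"
HTTP_RE = re.compile(r": (?P<status>\d{3}) [A-Za-z ]+? from (?P<method>[A-Z]+) (?P<url>\S+)")
BODY_MARKER = "response body: "


@dataclass
class RegistrationFailure:
    timestamp: str
    code: Optional[int]       # entitlement error code from the JSON body, e.g. 140307
    message: Optional[str]    # human-readable message from the JSON body
    status: Optional[int]     # HTTP status reported by WebClient
    url: Optional[str]        # endpoint that rejected the request


def parse_failures(log_text: str) -> List[RegistrationFailure]:
    """Return one RegistrationFailure per ERROR line that carries a JSON error body."""
    decoder = json.JSONDecoder()
    failures: List[RegistrationFailure] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["level"] != "ERROR":
            continue
        msg = m["msg"]
        code = message = None
        idx = msg.find(BODY_MARKER)
        if idx != -1:
            try:
                # raw_decode stops at the end of the first JSON value, ignoring the
                # exception class name glued onto it
                body, _ = decoder.raw_decode(msg, idx + len(BODY_MARKER))
                err = body.get("error", {}) if isinstance(body, dict) else {}
                code, message = err.get("code"), err.get("message")
            except json.JSONDecodeError:
                pass
        h = HTTP_RE.search(msg)
        failures.append(RegistrationFailure(
            m["ts"], code, message, int(h["status"]) if h else None, h["url"] if h else None))
    return failures
```

Running parse_failures over the real log gives a compact list of (error code, message, endpoint) tuples that can be pasted into a support case instead of the raw stack trace.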
Answers
Hi @CyberCheese,
Thank you for contacting WithSecure.
Can you please share which SIEM you are using?
Have you followed the exact steps mentioned in the user guides to configure API access, and the following information to configure event forwarding?
Thanks for your response.
The SIEM is Wazuh, which exposes a syslog UDP server.
Yes, I followed the steps in the guide. I configured an API client and enabled the event forwarding (see the attachment).
The last note about the API configuration says: "Note:
After you turn on event forwarding in the profile settings, the api-access.properties file is deleted automatically. The API credentials are stored in an encrypted form in a secure storage."
But I still see the api-access.properties file and the error in the log.
I am sure that the client ID and the secret are correct, because if I try to authenticate manually it works.
This works (same client ID and secret as in the api-access.properties file):
curl -X POST -d "grant_type=client_credentials" -d "scope=connect.api.read connect.api.write" -u "<client ID>:<secret>" https://api.connect.withsecure.com/as/token.oauth2
And this also works (token from the previous curl command result):
curl -H "Authorization: Bearer <token>" https://api.connect.withsecure.com/whoami/v1/whoami
Any idea?
Hi @CyberCheese
For us to investigate further, we need to check the full WSDiag logs from the Elements Connector. We therefore suggest submitting a support case to us on