Cisco AMP for Endpoints Events Input : Unable to create input

navaneethbr
Level 1

Hello Team, 

I am trying to get Cisco AMP4e logs into Splunk. While configuring the input, I am getting the error below.

Add-on - Cisco AMP for Endpoints Events Input - 3.0.0

Splunk Version - 8.2.7
Note: The API host, ID and Key are correct. Verified with the command below.

curl --request GET 'https://api.amp.cisco.com/v1/events' -u 'my api id:my api key'


Error while creating the Input

Warning! We couldn’t retrieve the information from API with provided credentials. Please make sure the API host is accessible or re-configure the input with correct credentials.

Error from /opt/splunk/var/log/splunk/amp4e_events_input.log

2023-06-26 05:35:34,486 ERROR Amp4eEvents - SSLError(MaxRetryError("HTTPSConnectionPool(host='api.amp.cisco.com', port=443): Max retries exceeded with url: /v1/event_streams/ (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1106)')))"))
ssl_context=context,
File "/opt/splunk/lib/python3.7/site-packages/urllib3/util/ssl_.py", line 377, in ssl_wrap_socket
File "/opt/splunk/lib/python3.7/ssl.py", line 423, in wrap_socket
File "/opt/splunk/lib/python3.7/ssl.py", line 870, in _create
File "/opt/splunk/lib/python3.7/ssl.py", line 1139, in do_handshake
self._sslobj.do_handshake()
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1106)
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='api.amp.cisco.com', port=443): Max retries exceeded with url: /v1/event_types/ (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1106)')))
requests.exceptions.SSLError: HTTPSConnectionPool(host='api.amp.cisco.com', port=443): Max retries exceeded with url: /v1/event_types/ (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1106)')))
ssl_context=context,
File "/opt/splunk/lib/python3.7/site-packages/urllib3/util/ssl_.py", line 377, in ssl_wrap_socket
File "/opt/splunk/lib/python3.7/ssl.py", line 423, in wrap_socket
File "/opt/splunk/lib/python3.7/ssl.py", line 870, in _create
File "/opt/splunk/lib/python3.7/ssl.py", line 1139, in do_handshake
self._sslobj.do_handshake()
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1106)
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='api.amp.cisco.com', port=443): Max retries exceeded with url: /v1/event_types/ (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1106)')))
requests.exceptions.SSLError: HTTPSConnectionPool(host='api.amp.cisco.com', port=443): Max retries exceeded with url: /v1/event_types/ (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1106)')))


Can anyone help with a solution for this issue?

Regards,
Navaneeth BR

2 Replies

The Python that the Splunk AMP app uses doesn't trust the cert it's seeing.

Are you using WSA or Umbrella SIG where it's decrypting the web requests? Set this destination to not be decrypted.
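
One way to confirm the diagnosis in the reply above, as an added example that is not part of the thread or of the add-on: run from the Splunk host, it lists the certificate chain presented for the API host and reports any self-signed certificate sent in it, which names the inspecting proxy's CA when the traffic is being decrypted. The sample output and the `Example Proxy` names are constructed, and an `openssl` CLI on the PATH is an assumption.

```python
import re
import subprocess
import sys

# Constructed s_client output (not from the thread): an inspecting proxy has
# re-signed the leaf and sends its own self-signed root along with the chain.
SAMPLE = """\
Certificate chain
 0 s:CN = api.amp.cisco.com
   i:O = Example Corp, CN = Example Proxy Issuing CA
 1 s:O = Example Corp, CN = Example Proxy Issuing CA
   i:O = Example Corp, CN = Example Proxy Root CA
 2 s:O = Example Corp, CN = Example Proxy Root CA
   i:O = Example Corp, CN = Example Proxy Root CA
---
"""

def parse_chain(text):
    """Return [(depth, subject, issuer), ...] from the 'Certificate chain' section."""
    chain, depth, subject = [], None, None
    for line in text.splitlines():
        m = re.match(r"\s*(\d+) s:(.*)", line)
        if m:
            depth, subject = int(m.group(1)), m.group(2).strip()
            continue
        m = re.match(r"\s+i:(.*)", line)
        if m and subject is not None:
            chain.append((depth, subject, m.group(1).strip()))
            subject = None
    return chain

def self_signed_roots(chain):
    """Subjects of certificates in the presented chain that are their own issuer."""
    return [subj for _, subj, issuer in chain if subj == issuer]

def fetch_chain_text(host, port=443):
    """Ask the openssl CLI (assumed to be on PATH) for the chain the server presents."""
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}",
           "-servername", host, "-showcerts"]
    return subprocess.run(cmd, input="", capture_output=True,
                          text=True, timeout=20).stdout

if __name__ == "__main__":
    # With a hostname argument, query it; otherwise parse the constructed sample.
    text = fetch_chain_text(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE
    chain = parse_chain(text)
    for depth, subject, issuer in chain:
        print(f"{depth}: subject={subject}\n   issuer={issuer}")
    for root in self_signed_roots(chain):
        print(f"self-signed certificate sent in chain: {root}")
```

A self-signed subject that belongs to an internal CA rather than a public one matches the `self signed certificate in certificate chain` error in the log above.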

Hi Navaneethbr,

Did you resolve this issue? I'm facing the same issue.

I'm ingesting logs from ciscoamp to a heavy forwarder, but recently it stopped receiving logs from ciscoamp, and the same error as above is shown when I check the log file.

I would appreciate it if you could help me resolve this issue.