Box Log Collection Configuration with LogRhythm SIEM - error
Hey Forum Buddies,
I've got an issue that even LogRhythm support doesn't seem to be able to answer...
I've followed the steps from LogRhythm for their Box Log Collection Configuration Guide: https://onlinehelp72.logrhythm.com/Default.htm#5DeviceGuides/BoxLogCollectionGuide.htm?Highlight=box.com
I've made the dev account, I've made my app, it can connect to Box but then gets an error:
Access token has been received from box server.
***ERROR*** Exception in getting events: The remote server returned an error: (403) Forbidden.
***ERROR*** Bad response received from Box server
I tried to have my Box admin import my API key, but then got the error in the Admin Console:
"This app does not use server authentication"
Does my dev account need to have admin powers too? Or when I Authorize New App, can I make it so it accepts user auth, not just Server auth?
Any help would be appreciated.
Thanks,
Brian
-
Hi Brian,
I'm currently working on getting Box logs into LogRhythm as well, but haven't tried that guide you linked yet. I should mention my experience is based on a program I was writing to stream admin events. So my understanding is that pulling in Box events for LogRhythm comes from the Box Events Admin API. Since this isn't a user-based app, and is an automated interaction, the Box API should be configured for server use.
Note: I had to elevate my account to be a Box admin for this to work. This could be the reason why you're getting 403 errors.
What I have for my API configuration for the Box Admin Events API endpoint:
- Authentication Method: OAuth 2.0 with JWT (Server Authentication)
- Application Access: Enterprise
- Application Scopes
- Read/write all files and folders stored in Box <<< This is forced; can't uncheck
- Manage users
- Manage groups
- Manage webhooks
- Manage enterprise properties
It has been a moment since I've looked at the API permissions, but I think you don't need to have all the application scopes I listed. If I remember correctly, you should be fine with just "r/w on files" and "manage enterprise properties." I'll try to follow the guide and see if I can get it working when I'm back at my office; I'll follow up if I find anything. Hope this helps you 🙂
-Michael
-
So I haven't had any luck with the guide you posted. What I have found though is that in order to get access to the Admin event logs (which have all of the log data for any user and all file interactions), I could only do it with the JWT authentication method. So I'm not 100% positive on this, but I think there may be an issue with the LogRhythm guide that is currently up. I don't believe LogRhythm officially supports Box ingestion quite yet, but I'm going to keep digging in on this. The guide shows you have to use a refresh token, but with the JWT auth method, it doesn't use refresh tokens. As previously mentioned, I'll keep the thread posted if I find anything.
Side note: Does anyone know what the minimum configurations are to get data from the admin events api endpoint? I think it's at least admin account, jwt auth, and manage enterprise scopes. Would appreciate any confirmation/validation on that 🙂
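To make the admin-events polling Michael describes concrete (and the 403 that Brian and the last reply hit), here is an added example of pulling the enterprise audit stream. It is not code from the LogRhythm collector, the LogRhythm guide, or the Box SDK. It assumes Box's documented endpoint GET https://api.box.com/2.0/events with stream_type=admin_logs, a stream_position cursor, and a response carrying entries, next_stream_position and chunk_size; the bearer token is obtained separately (via JWT server auth as Michael used it, or via the refresh-token flow the guide uses). The HTTP layer is injected so the example runs offline against constructed responses; every function name, the fake pages and the 403 body are constructed for this example.

```python
"""Poll Box enterprise (admin_logs) events and surface 403 Forbidden clearly.

Added example, not code from LogRhythm or Box. Assumes the documented
GET /2.0/events?stream_type=admin_logs contract (entries,
next_stream_position, chunk_size). Transport is injected so the demo
below runs offline; urllib_transport is the real one.
"""
import json
import urllib.error
import urllib.parse
import urllib.request

BOX_EVENTS_URL = "https://api.box.com/2.0/events"


class BoxApiError(Exception):
    """Raised when Box answers the events call with a non-200 status."""

    def __init__(self, status, body):
        super().__init__(f"Box events call failed: HTTP {status}: {body}")
        self.status = status
        self.body = body


def build_events_request(token, stream_position, limit=500):
    """Return (url, headers) for one page of the enterprise audit stream."""
    params = {
        "stream_type": "admin_logs",          # enterprise-wide events, all users
        "stream_position": str(stream_position),
        "limit": limit,
    }
    url = BOX_EVENTS_URL + "?" + urllib.parse.urlencode(params)
    return url, {"Authorization": f"Bearer {token}"}


def urllib_transport(url, headers):
    """Real HTTP transport returning (status, body); unused in the offline demo."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read().decode("utf-8")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def fetch_admin_events_page(token, stream_position, transport):
    """Fetch one page; return (entries, next_stream_position, chunk_size)."""
    url, headers = build_events_request(token, stream_position)
    status, body = transport(url, headers)
    if status == 403:
        # The token is valid (we got past 401); what is missing is authorization.
        # The thread reports two causes: the collecting account is not an
        # admin/co-admin with the "Run new reports and access existing reports"
        # permission, or a JWT app lacks Enterprise access / the
        # "Manage enterprise properties" scope.
        raise BoxApiError(status, body + " [admin_logs forbidden: check the "
                          "collector account's admin permissions and app scopes]")
    if status != 200:
        raise BoxApiError(status, body)
    data = json.loads(body)
    entries = data["entries"]
    return entries, str(data["next_stream_position"]), data.get("chunk_size", len(entries))


def poll_admin_events(token, start_position, transport):
    """Walk the stream from start_position until an empty chunk.

    Returns (events, cursor); persist cursor and resume from it next run so
    no events are re-ingested or skipped.
    """
    events = []
    position = str(start_position)
    while True:
        entries, next_position, chunk = fetch_admin_events_page(token, position, transport)
        events.extend(entries)
        if chunk == 0 or not entries or next_position == position:
            return events, next_position
        position = next_position


# Constructed offline stand-ins for api.box.com (not real Box data).
_FAKE_PAGES = {
    "0": {"chunk_size": 2, "next_stream_position": "100", "entries": [
        {"event_id": "e1", "event_type": "LOGIN",
         "created_by": {"login": "brian@example.com"}},
        {"event_id": "e2", "event_type": "DOWNLOAD",
         "created_by": {"login": "michael@example.com"}},
    ]},
    "100": {"chunk_size": 0, "next_stream_position": "100", "entries": []},
}


def fake_ok_transport(url, headers):
    """Serve the constructed pages keyed by the stream_position query value."""
    pos = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)["stream_position"][0]
    return 200, json.dumps(_FAKE_PAGES[pos])


def fake_forbidden_transport(url, headers):
    """Constructed 403: valid bearer token, insufficient admin permission."""
    return 403, '{"type":"error","status":403,"message":"Access denied (constructed)"}'


if __name__ == "__main__":
    found, cursor = poll_admin_events("fake-token", "0", fake_ok_transport)
    print(f"{len(found)} events; save cursor {cursor} for the next poll")
```

Swap fake_ok_transport for urllib_transport and a real token to run it against Box; the point of the 403 branch is that it distinguishes an authorization failure (wrong admin role or scopes, as the replies in this thread found) from a bad token, which would come back as 401.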
-
I know this thread is quite old now, but the original problem description was exactly what I was experiencing and I had to chase a lot of loose ends until we figured out the issue.
In my case, I am on LogRhythm 7.4.3 now and I followed their guide verbatim but it did not work. I was getting the 403 forbidden errors as well.
I had read one forum where a guy said he needed to make the user account used by LogRhythm to collect logs into a co-admin user so I tried that. No joy! But then with the help of a box support tech we found we had the wrong permissions on this user. This user only had admin permissions to manage users and groups. They also need the admin permission to "Run new reports and access existing reports".
So I had my primary admin add that permission to my log collecting user account and right away my logs started to come in. There were a lot of threads out there about changing the way that authentication worked between LogRhythm and Box but I am here to tell you that the LogRhythm instructions work as long as the permissions are set correctly for the user account that LogRhythm is using to pull logs.