Box Log Collection Configuration with LogRhythm SIEM - error

新規投稿

コメント

4件のコメント

  • mr-swish

    Hi Brian,

     

    I'm currently working on getting Box logs into LogRhythm as well, but haven't tried that guide you linked yet. I should mention my experience is based on a program I was writing to stream admin events. So my understanding is that pulling in Box events for LogRhythm comes from the Box Events Admin api. Since this isn't a user based app, and an automated interaction, the Box API should be configured for their server use. 

     

    Note: I had to elevate my account to be a Box admin for this to work. This is could be the reason why you're getting 403 errors.

    What I have for my API configuration Box Admin Events API endpoint:

    • Authentication Method: OAuth 2.0 with JWT (Server Authentication)
    • Application Access: Enterprise
    • Application Scopes
      • Read/write all files and folders stored in Box    <<< This is forced; can't uncheck
      • Manage users
      • Manage groups
      • Manage webhooks
      • Manage enterprise properties

    It has been a moment since I've looked at the API permissions, but I think you don't need to have all the application scopes I listed. If I remember correctly, you should be fine with just "r/w on files" and "manage enterprise properties." I'll try to follow the guide and see if I can get it working when I'm back at my office; I'll follow up if I find anything. Hope this helps you 🙂

     

    -Michael

    0
    コメントアクション パーマリンク
  • deutschemc

    Hi Michael,

     

    Thank you so much for your input. Yes! If you do have a chance to look into it, please let me know.

     

    Best,

     

    Brian

    0
    コメントアクション パーマリンク
  • mr-swish

    So I haven't had any luck with the guide you posted. What I have found though is that in order to get access to the Admin event logs (which has all of the log data for any user and all file interactions), I could only do it with the JWT authentication method. So I'm not 100% positive on this, but I think there may be an issue with the LogRhythm guide that is currently up. I don't believe LogRhythm officially supports Box ingestion quite yet, but I'm going to keep digging in on this. The guide shows you have to use a refresh token, but with the JWT auth method, it doesn't use refresh tokens. As previously mentioned, I'll keep the thread posted if I find anything.

     

    Side note: Does anyone know what the minimum configurations are to get data from the admin events api endpoint? I think it's at least admin account, jwt auth, and manage enterprise scopes. Would appreciate any confirmation/validation on that 🙂

     

     

    0
    コメントアクション パーマリンク
  • AndrewDWarren

    I know this thread is quite old now, but the original problem description was exactly what I was experiencing and I had to chase a lot of loose ends until we figured out the issue.   

    In my case, I am on LogRhythm 7.4.3 now and I followed their guide verbatim but it did not work.  I was getting the 403 forbidden errors as well.  

    I had read one forum where a guy said he needed to make the user account used by LogRhythm to collect logs into a co-admin user so I tried that.  No joy!  But then with the help of a box support tech we found we had the wrong permissions on this user. This user only had admin permissions to manage users and groups. They also need the admin permission to "Run new reports and access existing reports".  
    So I had my primary admin add that permission to my log collecting user account and right away my logs started to come in.  

    There were a lot of threads out there about changing the way that authentication worked between LogRhythm and BOX but I am here to tell you that the LogRhythm instructions work as long as the permissions are set correctly for the user account that LogRhythm is using to pull logs.  

    https://onlinehelp74.logrhythm.com/#5DeviceGuides/BoxLogCollectionGuide.htm%3FTocPath%3DDevice%2520Configuration%2520Guides%7C_____6

    0
    コメントアクション パーマリンク

投稿コメントは受け付けていません。