Closed nfields03 closed 7 years ago
Verify that the system clock on the server hosting Orchestrator is correct and in-sync. This is required since the HMAC authentication to the API requires a correct timestamp.
Yup, I can confirm that it's within about 150ms of our main NTP server, so we're good there...
How did you go about verifying the credentials you're using are correct? SIEM Connector? Please shoot me an email (evan.burns@crowdstrike.com) so I can identify your CID for troubleshooting purposes. Thanks!
is outbound traffic from orchestrator going through a proxy or direct?
Direct, no proxies involved...
can you jump into the slack chat room so we can troubleshoot in real-time? Details for the chat room are on the main project page.
Commenting here incase other folks run into this. The Streaming API URL must be https://firehose.crowdstrike.com/sensors/entities/datafeed/v1. In this case it was slightly modified resulting in unsuccessful authentication. Closing this out.
Hi, I have the same issue. the streaming API URL is correct but no event is coming through to Orchestrator. please help.
We had another issue with standing this up, we've confirmed that we have a Streaming API username and password from the support team but when I start up the Falcon Orchestrator client I get this over and over in the text log:
2017-02-28 11:42:30,077 FATAL FalconOrchestrator.Client.Authentication - Error while authenticating to API System.Net.WebException: The remote server returned an error: (401) Unauthorized. at System.Net.HttpWebRequest.GetResponse() at FalconOrchestrator.Client.Authentication.AuthenticateAndGetResponse() 2017-02-28 11:42:30,093 FATAL FalconOrchestrator.Client.FalconOrchestratorService - An unhandled error occured System.Net.WebException: The remote server returned an error: (401) Unauthorized. at System.Net.HttpWebRequest.GetResponse() at FalconOrchestrator.Client.Authentication.AuthenticateAndGetResponse() at FalconOrchestrator.Client.FalconOrchestratorService.Invoke()
We've confirmed that the creds are correct, any other log entries I can provide to help troubleshoot?