CrowdStrike / falcon-orchestrator

CrowdStrike Falcon Orchestrator provides automated workflow and response capabilities
GNU Affero General Public License v3.0

401 Unauthorized when enabling streaming API #28

Closed nfields03 closed 7 years ago

nfields03 commented 7 years ago

We had another issue with standing this up. We've confirmed that we have a Streaming API username and password from the support team, but when I start up the Falcon Orchestrator client I get this over and over in the text log:

2017-02-28 11:42:30,077 FATAL FalconOrchestrator.Client.Authentication - Error while authenticating to API
System.Net.WebException: The remote server returned an error: (401) Unauthorized.
   at System.Net.HttpWebRequest.GetResponse()
   at FalconOrchestrator.Client.Authentication.AuthenticateAndGetResponse()
2017-02-28 11:42:30,093 FATAL FalconOrchestrator.Client.FalconOrchestratorService - An unhandled error occured
System.Net.WebException: The remote server returned an error: (401) Unauthorized.
   at System.Net.HttpWebRequest.GetResponse()
   at FalconOrchestrator.Client.Authentication.AuthenticateAndGetResponse()
   at FalconOrchestrator.Client.FalconOrchestratorService.Invoke()

We've confirmed that the creds are correct. Any other log entries I can provide to help troubleshoot?

mr-burnse commented 7 years ago

Verify that the system clock on the server hosting Orchestrator is correct and in sync. This is required since the HMAC authentication to the API requires a correct timestamp.

nfields03 commented 7 years ago

Yup, I can confirm that it's within about 150ms of our main NTP server, so we're good there...

mr-burnse commented 7 years ago

How did you go about verifying the credentials you're using are correct? SIEM Connector? Please shoot me an email (evan.burns@crowdstrike.com) so I can identify your CID for troubleshooting purposes. Thanks!

mr-burnse commented 7 years ago

Is outbound traffic from Orchestrator going through a proxy or direct?

nfields03 commented 7 years ago

Direct, no proxies involved...

mr-burnse commented 7 years ago

Can you jump into the Slack chat room so we can troubleshoot in real time? Details for the chat room are on the main project page.

mr-burnse commented 7 years ago

Commenting here in case other folks run into this. The Streaming API URL must be https://firehose.crowdstrike.com/sensors/entities/datafeed/v1. In this case it was slightly modified, resulting in unsuccessful authentication. Closing this out.
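
A pre-flight check for the two causes raised in this thread (a modified Streaming API URL and clock drift), added here as an example; it is not part of the issue thread or of the Falcon Orchestrator code. The function names and the 300-second skew limit are assumptions, since the thread states no tolerance, and the sample inputs are constructed.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from urllib.parse import urlsplit

# Required endpoint, as stated in the thread.
REQUIRED_URL = "https://firehose.crowdstrike.com/sensors/entities/datafeed/v1"
# Assumption: the thread gives no tolerance; 300 s is a placeholder limit.
MAX_SKEW_SECONDS = 300


def url_problems(configured):
    """Return a list of ways the configured URL deviates from REQUIRED_URL."""
    problems = []
    if configured != configured.strip():
        problems.append("leading or trailing whitespace")
    got, want = urlsplit(configured.strip()), urlsplit(REQUIRED_URL)
    if got.scheme != want.scheme:
        problems.append(f"scheme is {got.scheme!r}, expected {want.scheme!r}")
    if got.netloc != want.netloc:
        problems.append(f"host is {got.netloc!r}, expected {want.netloc!r}")
    if got.path != want.path:
        problems.append(f"path is {got.path!r}, expected {want.path!r}")
    if got.query or got.fragment:
        problems.append("unexpected query string or fragment")
    return problems


def clock_skew_seconds(http_date_header, local_now):
    """Offset between the local clock and a server's HTTP Date header."""
    server_time = parsedate_to_datetime(http_date_header)
    return (local_now - server_time).total_seconds()


def preflight(configured_url, http_date_header, local_now):
    """Collect every finding that could explain a 401 before the client starts."""
    findings = [f"URL: {p}" for p in url_problems(configured_url)]
    skew = clock_skew_seconds(http_date_header, local_now)
    if abs(skew) > MAX_SKEW_SECONDS:
        findings.append(f"clock: local time is {skew:+.0f}s off the server")
    return findings


if __name__ == "__main__":
    # Constructed sample: trailing slash on the path, clock 10 minutes fast.
    now = datetime(2017, 2, 28, 11, 52, 30, tzinfo=timezone.utc)
    for line in preflight(REQUIRED_URL + "/", "Tue, 28 Feb 2017 11:42:30 GMT", now):
        print(line)
```

The `http_date_header` argument is the `Date` response header from any HTTPS request to a trusted server, which gives a clock reference that does not depend on the local NTP configuration.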

ecvicedo commented 7 years ago

Hi, I have the same issue. The Streaming API URL is correct but no event is coming through to Orchestrator. Please help.