Troubleshooting
Problem
A new Box Log source was created and it's in an Error State. On further checking, an error message is displayed: Invalid Client credentials or IDs in log source configuration. Response status [400] from Box REST API.
Symptom
Credentials applied to the Box log source are correct; however, the log source goes into an error state and reports "Invalid Client credentials or IDs".
Diagnosing The Problem
Look for error messages in /var/log/qradar.error similar to:
Invalid Client credentials or IDs in log source configuration. Response status [400] from Box REST API. Error Response:
{"error":"invalid_grant","error_description":"Current date\/time MUST be before the expiration date\/time listed in the 'exp' claim"}
Resolving The Problem
Invalid credentials or ID error messages can occur when the time on the Box server hosting the REST API is out of synchronization with the QRadar appliance attempting to poll for the remote events. Box sets its API time based on Unix Epoch time, and queries must be synchronized with QRadar so that event data can be polled without error. The timestamp you receive from the Box API is based on the settings in the Admin console. If you are part of an enterprise, it will be the default user settings set by your admin.
- Confirm that the time on your QRadar Appliance matches the time from the Box server. For more information, see the Box Community article "Current date/time MUST be before the expiration date/time listed in the 'exp' claim", or contact your Box administrator to verify the time setting in the Admin panel for your Box configuration.
- Log in to the QRadar Console.
- Click Admin or open the Log Source Management application.
- Select your Box log source.
- Click Enable/Disable to toggle the Box log source to disabled, then back to enabled.
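The time comparison in the first step can be scripted. The following is an added example, not IBM or Box code: it recognizes the 'exp' claim rejection shown above in log text and measures the offset between a local epoch time and an HTTP Date header captured from the Box API host. The function names, the 30-second tolerance, and the sample Date header are assumptions made for illustration.

```python
import json
import re
from email.utils import parsedate_to_datetime

# Constructed sample: the error response shown on this page, as it would follow
# "Error Response:" in /var/log/qradar.error.
SAMPLE_ERROR = ('{"error":"invalid_grant","error_description":"Current date\\/time MUST be '
                'before the expiration date\\/time listed in the \'exp\' claim"}')
# Constructed sample: an HTTP Date response header captured from the Box API host.
SAMPLE_DATE_HEADER = "Fri, 08 Jan 2021 12:00:00 GMT"


def is_exp_claim_rejection(log_text):
    """Return True if the text holds a Box invalid_grant error about the 'exp' claim."""
    for match in re.finditer(r"\{.*\}", log_text):
        try:
            body = json.loads(match.group(0))
        except ValueError:
            continue  # not JSON, keep scanning the remaining lines
        if (isinstance(body, dict) and body.get("error") == "invalid_grant"
                and "'exp' claim" in body.get("error_description", "")):
            return True
    return False


def clock_skew_seconds(date_header, local_epoch):
    """Local clock minus remote clock, in seconds (positive: local clock is ahead)."""
    remote = parsedate_to_datetime(date_header)
    return int(local_epoch - remote.timestamp())


def diagnose(log_text, date_header, local_epoch, tolerance=30):
    """Classify the failure; tolerance (seconds) is an assumed threshold, not a Box value."""
    if not is_exp_claim_rejection(log_text):
        return "no-exp-error"
    skew = clock_skew_seconds(date_header, local_epoch)
    if abs(skew) > tolerance:
        return "clock-skew:%+ds" % skew
    return "exp-error-but-clocks-agree"


if __name__ == "__main__":
    import time
    print(diagnose(SAMPLE_ERROR, SAMPLE_DATE_HEADER, time.time()))
```

A "clock-skew" result points to the time synchronization described above; "exp-error-but-clocks-agree" suggests checking the Box Admin console time settings with your Box administrator.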
Results
Verify the logs are received from the remote Box host. You might be required to contact your Box administrator to verify the time settings in the Admin panel to compare time settings between QRadar and the Box server.
Related Information
Document Location
Worldwide
Document Information
Modified date:
08 January 2021
UID
ibm10886197