IBM Support

QRadar Box REST API Error: Invalid Client Credentials or IDs in Log Source Configuration

Troubleshooting


Problem

A new Box Log source was created and it's in an Error State. On further checking, an error message is displayed: Invalid Client credentials or IDs in log source configuration. Response status [400] from Box REST API.
 

Symptom

Credentials applied to the Box log source are correct; however, the log source errors out stating that "Invalid Client credentials or IDs".

Diagnosing The Problem

Look for error messages in /var/log/qradar.error similar to:

Invalid Client credentials or IDs in log source configuration. Response status [400] from Box REST API. Error Response:
{"error":"invalid_grant","error_description":"Current date\/time MUST be before the expiration date\/time listed in the 'exp' claim"}

 

Resolving The Problem

Invalid credentials or ID error messages can occur when the time on Box server hosting the REST API becomes out of synchronization from the QRadar appliance attempting to poll for the remote events. Box sets their API time based on Unix Epoch time and queries must be synchronized to QRadar so we can poll for event data without error. The timestamp you receive from the Box API is based on the settings in the Admin console. If you are a part of an enterprise, it will be the default user settings set by your admin.
 
  1. Confirm that the time on your QRadar Appliance matches the time from the Box server. For more information, see: Box Community: Current date\/time MUST be before the expiration date\/time listed in the 'exp' claim or contact your Box administrator to verify the time setting in the Admin panel for your Box configuration.
  2. Log in to the QRadar Console.
  3. Click Admin or open the Log Source Management application.
  4. Select your Box log source.
  5. Click Enable/Disable to toggle the Box log source to disabled, then back to enabled.

    Results
    Verify the logs are received from the remote Box host. You might be required to contact your Box administrator to verify the time settings in the Admin panel to compare time settings between QRadar and the Box server.

Document Location

Worldwide

[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"Component":"","Platform":[{"code":"PF016","label":"Linux"}],"Version":"","Edition":"","Line of Business":{"code":"LOB24","label":"Security Software"}}]

Document Information

Modified date:
08 January 2021

UID

ibm10886197

Page Feedback