This topic contains some troubleshooting tips and error message descriptions for using the Carbon Black Cloud App for Splunk SIEM 2.0.0.
-
If you do not see the expected ingested data:
-
In Splunk, check for errors in the
Administration > Application Health Overview tab in the
Carbon Black Cloud App.
-
If you receive one of the following errors:
-
- Received error code 403
- 401 Unauthorized
- User is not authenticated
- Check your API credentials
-
Check the configuration of API Token Considerations.
- Check that the API key Access Level is correct. From Splunk SIEM 2.0.0 onwards, all APIs use an API key that has an Access Level of type
Custom
.
- In the Carbon Black Cloud console, check that the correct permissions are assigned to the Access Level and that the Access Level is assigned to the API Key that you are using for the Splunk data input or alert action.
- See Set up Authentication and Authorization for Splunk SIEM for more information.
-
If you see the error message "More than 1 VMware CBC App detected":
-
Refer to
Deploying and Configuring Carbon Black Cloud App for Splunk SIEM to determine which apps and add-ons must be installed on which node.
-
Fully delete (not disable) extra copies of
Carbon Black Cloud apps and add-ons from nodes where they are not needed. Then restart Splunk SIEM on those nodes.
-
If you see a network connection error:
-
Make sure that the hostname configured with your API Token on the
Application Configuration > API Token Configuration page does not include
https:// or a trailing slash. See
Carbon Black Cloud API Access.
-
If you are using a proxy:
- Confirm that the Proxy tab is configured in accordance with your proxy.
- Confirm that the Input or Alert Action is configured to use the appropriate proxy.
- Restart Splunk SIEM.
- If the error persists, check your proxy logs for requests from the Splunk server.