Cisco AMP Module Filebeat 7.13.1 processing error httpjson-cursor v2

Elastic Stack Beats
1

Hello,

the Cisco AMP module for filebeat logs an error on each execution.

ERROR   [input.httpjson-cursor] v2/request.go:186       error processing response: failed to execute http client.Do: Get "": Get "": unsupported protocol scheme ""     {"input_source": "https://api.eu.amp.cisco.com/v1/events/", "input_url": "https://api.eu.amp.cisco.com/v1/events/"}

This is my configuration:

  amp:
    enabled: true
    var.input: httpjson
    var.url: https://api.eu.amp.cisco.com/v1/events/
    var.client_id: xxx
    var.api_key: xxx
    var.first_interval: 24h
    var.request_timeout: 120s
    var.limit: 100
    var.interval: 5m

My question is now, can I use the httpjson cursor in version 1 somehow? I think v2 is not working with Cisco AMP. Is there any configuration option, which is not documented maybe?

Thanks and best regards.

2

Hllo @mbst83r , I have seen this come up with another module as well, it's not about the v2 vs v1 really, as Cisco AMP was always using v2, but there might be an issue with the input itself.

My belief is that it has something to do with how httpjson handles errors from Cisco AMP, and instead of recovering, it does this.

I will have to confirm this first, and will come back with a workaround and a link to the possible fix when possible.

3

In general this does just seem that it either has 0 events, or that it paginates over pages of events, and hits the end, and only then it produces that error.

Do you not receive any events at all, or do you get events but also that error?

4

Hello,

I receive events and they are equal to the Cisco AMP console events. Every time the download runs, there were events, but the error still appears .