MISP threat intel import not working

I've edited the /etc/filebeat/modules.d/threatintel.yml and updated the entry for misp to enable it and also to add the API key from my local MISP server.

My config looks like this:

misp:
     enabled: true
     var.input: httpjson
     var.url: https://10.1.2.50/events/restSearch
     var.api_token: ml9wio5eGLGwt32Gl1QNXr0HwLZAcEg1QpAVynBB
     var.ssl.verification_mode: none
     var.first_interval: 30h
     var.interval: 5m

The errors I'm seeing in the filebeat journal are:

ERROR [input.httpjson-cursor] v2/input.go:115 Error while processing http request: failed to execute http client.Do: failed to execute http client.Do: Post "https://10.1.2.50/events/restSearch": POST "https://10.1.2.50/events/restSearch": POST https://10.1.2.50/events/restSearch giving up after 6 attempts {"id": "7C8F59266C173D38", "input_source": "https://10.1.2.50/events/restSearch", "input_url": "https://10.1.2.50/events/restSearch"}

Which doesn't make much sense to me.
Is there any config change required on the MISP server to allow data to be grabbed?
I thought presenting a valid API key should be sufficient.

What version? Can you post any more of the logs? It appears that filebeat is having issues connecting to MISP altogether.

Hi Alex,
Version is 7.14.1 - I can post all of the log, but to be fair, it's just this one line repeated over (6 times before it gives up); there's nothing else very helpful there. The threat intel feeds from the default feeds are all importing correctly.

The logfile is pretty long, and very wide - is there a particular bit of the log file that would help?
I'm happy to email it to you so you can look at it in detail if you like?

Cheers,
John.
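
The log line in the first post reports only that retries were exhausted, not the underlying cause. As an added example (not part of the thread, and not Filebeat or MISP project code), this Python probe sends one equivalent POST from the Filebeat host and reports whether the failure is network, TLS, a rejected key or a server error. The names `classify` and `probe_misp`, the `{"limit": 1}` body and the `--insecure` flag are constructed for illustration; sending the key in the `Authorization` header follows MISP's REST convention.

```python
import json
import ssl
import sys
import urllib.error
import urllib.request


def classify(status):
    """Map an HTTP status to the layer that needs attention."""
    if 200 <= status < 300:
        return "ok"
    if status in (401, 403):
        return "auth"      # server reachable, API key rejected
    if status == 429 or status >= 500:
        return "server"    # MISP or a proxy in front of it is failing
    return "request"       # other 3xx/4xx: wrong path or payload


def probe_misp(url, token, verify=True, timeout=10):
    """POST once to restSearch; return (category, detail)."""
    ctx = ssl.create_default_context()
    if not verify:
        # Same effect as var.ssl.verification_mode: none in the post.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    # Ignore proxy environment variables: test the direct path only.
    opener = urllib.request.build_opener(
        urllib.request.ProxyHandler({}),
        urllib.request.HTTPSHandler(context=ctx))
    req = urllib.request.Request(
        url, method="POST",
        data=json.dumps({"limit": 1}).encode(),  # constructed minimal query
        headers={"Authorization": token,
                 "Accept": "application/json",
                 "Content-Type": "application/json"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return classify(resp.status), f"HTTP {resp.status}"
    except urllib.error.HTTPError as exc:
        return classify(exc.code), f"HTTP {exc.code}"
    except urllib.error.URLError as exc:
        kind = "tls" if isinstance(exc.reason, ssl.SSLError) else "network"
        return kind, str(exc.reason)
    except OSError as exc:  # e.g. a read timeout raised outside URLError
        return "network", str(exc)


if __name__ == "__main__":
    # Usage: python3 probe.py https://<misp-host>/events/restSearch <api-key>
    print(probe_misp(sys.argv[1], sys.argv[2], verify="--insecure" not in sys.argv))
```

Running it with certificate verification left on also shows whether `verification_mode: none` is masking a certificate problem that could be fixed by trusting the MISP server's CA instead.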
