Question

Steps to ingest Box logs in to Cribl

  • March 11, 2025
  • 17 replies
  • 99 views

Working on ingesting Box logs into Cribl using the REST API. I have generated a client ID and secret on Box. What are the next steps? Any documentation on configuration setup?

17 replies

Jon Rust
  • Employee
  • March 11, 2025

No docs on this yet. I'll poke around my Box account today to see if I can figure it out.


Jon Rust
  • Employee
  • March 11, 2025

looks like they support a few different auth types


  • Author
  • Employee
  • March 11, 2025

These are the high-level steps I have with me, but I am confused and stuck at step 4. Should I craft a POST request on Cribl for generating an access token?

1. Obtain Box API Credentials: Sign in to the Box Developer Console (https://developer.box.com/) and create a new Box application. Generate API credentials (client ID and client secret) for your application.
2. Configure Cribl Inputs: In your Cribl instance, configure a REST or HTTP input to fetch data from the Box API. Specify the necessary parameters such as the API endpoint, authentication method, headers, and query parameters.
3. Authenticate with Box API: Implement the authentication process to obtain an access token from the Box API. This typically involves sending a POST request to the Box API token endpoint with your API credentials to exchange them for an access token.
4. Fetch Box Logs: Use the access token obtained in the previous step to make requests to the Box API endpoints for fetching logs. This can involve making GET requests to the appropriate Box API endpoints for the desired log types, such as events, file access logs, or audit logs. You may need to specify parameters such as time range, filters, or pagination as per your requirements.


Shawn Cannon
  • Known Participant
  • March 11, 2025

Def interested in this to see if you get it working


Shawn Cannon
  • Known Participant
  • March 11, 2025

I have done something similar with another product, using REST collector and login authentication endpoint. Worked well for the most part


  • Author
  • Employee
  • March 11, 2025

YES


  • Employee
  • March 11, 2025

<@U03R0BSAFFS> are you using the Box oauth credential provider?


  • Employee
  • March 11, 2025

Yeah, oauth is a bit of a tricky bird. I've had to use an oauth client to deal with box.


  • Employee
  • March 11, 2025

If you can get away with bearer (not sure if that is supported) that may be easier.


  • Employee
  • March 11, 2025

My reco would be to either write your own client application using the language bindings that you can execute or alternatively look at a bridge that can give you a simplified proxy to the box api.


  • Employee
  • March 11, 2025

in general, oauth is really difficult to work with and has variances across vendors.


  • Employee
  • March 11, 2025

at least that's what we experienced.


Jon Rust
  • Employee
  • March 11, 2025

We've got some previous art internally for collecting from Box. I'm in comm with the eng who did it and will get back.


  • Author
  • Employee
  • March 11, 2025

<@ULBGHDPNY> Heard any simple solution for this?


Jon Rust
  • Employee
  • March 11, 2025

Thx for patience! :slightly_smiling_face:

Event breaker recommendation:

```
{
  "lib": "custom",
  "minRawLength": 256,
  "id": "Box",
  "rules": [
    {
      "condition": "true",
      "type": "json_array",
      "timestampAnchorRegex": "/^/",
      "timestamp": { "type": "auto", "length": 150 },
      "timestampTimezone": "local",
      "timestampEarliest": "-420weeks",
      "timestampLatest": "+1week",
      "maxEventBytes": 51200,
      "disabled": false,
      "parserEnabled": false,
      "jsonExtractAll": false,
      "eventBreakerRegex": "/[\\n\\r]+(?!\\s)/",
      "name": "box",
      "jsonArrayField": "entries"
    }
  ]
}
```


Jon Rust
  • Employee
  • March 11, 2025

And the recommended REST Collector:

```
{
  "type": "collection",
  "ttl": "4h",
  "removeFields": [],
  "resumeOnBoot": false,
  "schedule": {},
  "streamtags": [],
  "workerAffinity": false,
  "collector": {
    "conf": {
      "discovery": { "discoverType": "none" },
      "collectMethod": "get",
      "pagination": {
        "type": "response_body",
        "maxPages": 0,
        "attribute": [ "next_stream_position", "chunk_size" ],
        "lastPageExpr": "chunk_size < 500"
      },
      "authentication": "oauth",
      "timeout": 0,
      "useRoundRobinDns": false,
      "disableTimeFilter": false,
      "safeHeaders": [],
      "loginUrl": "`https://api.box.com/oauth2/token`",
      "tokenRespAttribute": "access_token",
      "authHeaderKey": "Authorization",
      "authHeaderExpr": "`Bearer ${token}`",
      "clientSecretParamName": "client_secret",
      "clientSecretParamValue": "12345678",
      "authRequestParams": [
        { "name": "client_id", "value": "'<client_id>'" },
        { "name": "grant_type", "value": "'client_credentials'" },
        { "name": "box_subject_type", "value": "'enterprise'" },
        { "name": "box_subject_id", "value": "'<subj_id>'" }
      ],
      "collectUrl": "'https://api.box.com/2.0/events'",
      "collectRequestParams": [
        { "name": "stream_position", "value": "`${next_stream_position}`" },
        { "name": "stream_type", "value": "'admin_logs'" },
        { "name": "limit", "value": "500" },
        { "name": "created_after", "value": "`${new Date(Date.now() - 1000 * (60 * 5)).toISOString()}`" }
      ]
    },
    "destructive": false,
    "type": "rest"
  },
  "input": {
    "type": "collection",
    "staleChannelFlushMs": 10000,
    "sendToRoutes": true,
    "preprocess": { "disabled": true },
    "throttleRatePerSec": "0"
  },
  "id": "box-api"
}
```
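An added example, not part of the thread and not Cribl's code: a stand-alone Python check of the same client-credentials token exchange and `next_stream_position` pagination that the collector JSON above configures, useful for validating Box credentials and scopes before wiring them into Cribl. The URLs and parameter names are the ones in the collector config; the function names and the `fake_send` responses are constructed for illustration.

```python
import json
import urllib.parse
import urllib.request

TOKEN_URL = "https://api.box.com/oauth2/token"   # loginUrl in the collector
EVENTS_URL = "https://api.box.com/2.0/events"    # collectUrl in the collector

def http_json(method, url, params, headers=None):
    """Real transport: form-encoded POST body, query-string GET."""
    query = urllib.parse.urlencode(params)
    target, body = (f"{url}?{query}", None) if method == "GET" else (url, query.encode())
    req = urllib.request.Request(target, data=body, headers=headers or {}, method=method)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def get_token(client_id, client_secret, subject_id, send=http_json):
    """Token exchange using the same fields as the collector's authRequestParams."""
    body = send("POST", TOKEN_URL, {
        "client_id": client_id, "client_secret": client_secret,
        "grant_type": "client_credentials",
        "box_subject_type": "enterprise", "box_subject_id": subject_id})
    return body["access_token"]  # tokenRespAttribute; never log this value

def collect_admin_logs(token, created_after, limit=500, max_pages=50, send=http_json):
    """Follow next_stream_position until a short page (chunk_size < limit)."""
    events, position = [], None
    headers = {"Authorization": f"Bearer {token}"}
    for _ in range(max_pages):  # hard cap so a bad cursor cannot loop forever
        params = {"stream_type": "admin_logs", "limit": limit, "created_after": created_after}
        if position is not None:
            params["stream_position"] = position
        page = send("GET", EVENTS_URL, params, headers)
        events.extend(page.get("entries", []))
        position = page.get("next_stream_position")
        if position is None or page.get("chunk_size", 0) < limit:
            break
    return events

def fake_send(method, url, params, headers=None):  # constructed responses, runs offline
    if url == TOKEN_URL:
        return {"access_token": "constructed-token"}
    if "stream_position" not in params:
        return {"chunk_size": 2, "next_stream_position": "p1",
                "entries": [{"event_id": "a"}, {"event_id": "b"}]}
    return {"chunk_size": 1, "next_stream_position": "p2", "entries": [{"event_id": "c"}]}

if __name__ == "__main__":
    tok = get_token("<client_id>", "<client_secret>", "<subj_id>", send=fake_send)
    print(len(collect_admin_logs(tok, "2025-03-11T00:00:00Z", limit=2, send=fake_send)), "events")
```

Omit the `send` argument to call the real API, and supply the client secret from an environment variable or secret store rather than embedding it in the script.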


  • Author
  • Employee
  • March 11, 2025

Awesome, Thank you so much sir :clap: