API Failed Calls

oki2oki · June 19, 2018, 8:53pm

In our server_audit file we see so many Failed log in attepmts by “BesAdmin” account.
Seems like these are all API Connections but we cannot find it from where they coming.
Does anyone knows how to find where all these APIs are coming from so that we can see why they are failing and resolve this issue.

Thank you!

Tue, 19 Jun 2018 08:35:56 -0400 – user “besadmin”: Failed log in. (API Connection)
Tue, 19 Jun 2018 08:38:57 -0400 – user “besadmin”: Failed log in. (API Connection)
Tue, 19 Jun 2018 08:41:57 -0400 – user “besadmin”: Failed log in. (API Connection)
Tue, 19 Jun 2018 08:44:57 -0400 – user “besadmin”: Failed log in. (API Connection)
Tue, 19 Jun 2018 08:47:57 -0400 – user “besadmin”: Failed log in. (API Connection)
Tue, 19 Jun 2018 08:50:57 -0400 – user “besadmin”: Failed log in. (API Connection)

jgo · June 20, 2018, 5:07pm

@oki2oki - I would check on your web reports data source configuration.
I would think a possible common issue is that the besadmin password has changed.
-jgo
ftp://public.dhe.ibm.com/software/tivoli/IEM/9.5/Platform/BigFix_Web_Reports_Guide.pdf

oki2oki · June 20, 2018, 6:24pm

Hi jgo
Thank you for your suggestion. I updated password for datasource and i am still seeing same errors in my log file. Do i need to restart the services or something else? I am not sure what else it can be.

If you have any other suggestions, please let me know.

Thanks

jgo · June 20, 2018, 6:46pm

I do believe that you would need to restart the web reports service.

oki2oki · June 20, 2018, 7:07pm

I restarted BES Web Report Server and still same issue.

JasonWalker · June 20, 2018, 7:21pm

There are several different things that could be using API connections. I agree there should be better logging for this and I think there is an RFE for it.

In the meantime, check the fixlets for “REST API” and “SOAP API”. I’ll try to find them later, but if you have the BES Server Plugin Service and it has bad credentials, these fixlets should come relevant.

Also check for Compliance and Inventory, those use credentials as well.

I strongly recommend creating separate operator accounts for each of these products, to make it easier to troubleshoot when something goes wrong

oki2oki · June 20, 2018, 8:08pm

Hi Jason,

Thank you for your suggestion.
I searched and found 2 fixlets relevant for my BigFix server
"Configure SOAP API credentials for BES Server Plugin Service"
"Configure REST API credentials for BES Server Plugin Service"
Do i have to run these 2 fixlets on my BigFix server or is there any other way to update these credentials?

Also my BES Server Plugin Service is using “Local System” is that correct or it should use some other account?

Thanks

oki2oki · June 21, 2018, 12:29pm

I executed REST API with correct credentials and i am still getting same error in my log file.

cmcannady · June 21, 2018, 3:44pm

Do you have any known REST API integrations with HelpDesk or CMDB products?

Also, you could enable verbose logging for the BESRootServer service, which could provide additional context to the errors that you’re seeing. If you can identify the source of the failed login attempts, you’re likely better able to troubleshoot.

oki2oki · June 21, 2018, 6:49pm

cmcannady,

How exactly i enable verbose for BESRootServer service?

Thanks!

cmcannady · June 21, 2018, 6:52pm

Set the _BESRelay_Log_Verbose setting to 1 as per the wiki.

Here’s the knowledge article regarding verbose logging for the BESRootServer service.