API - Box Event
LogRhythm System Monitor Agents can collect Admin (Enterprise) Event logs generated by Box from within its file sharing and synchronization infrastructure. To begin integrating Box Event logs into your LogRhythm deployment, you need to connect an Agent to Box's REST API. After establishing the connection, the System Monitor can collect Box Admin Event logs in real time.
System Monitor Agents do not collect Box’s User Event logs because they are included in Admin Event logs.
Box log collection through a proxy is not supported.
Prerequisites
- You must register for a Box API key before you can connect to the Box API. For more information, log in to your Box account and refer to https://docs.box.com/reference.
- To ensure that collection from Box works as expected, the User Type setting under your application's OAuth2 Parameters must be set to Standard Box Users.
If your application is already configured, you may need to delete the app and any users from the Admin Console, as follows:
- Log in to your Box developer account and go to Account Settings.
- Click Admin Console, click the gear icon, and then click Business Settings.
- Click Apps.
- Locate your app under Custom Applications.
- Click the ellipses [...] button next to your application, and then click Delete app and users.
Configure the box.ini File
The Box interface is configured using a configuration file in the Agent's config folder. The default file for the Box API is C:\Program Files\LogRhythm\LogRhythm System Monitor\config\box.ini.
To get values for ClientID, ClientSecret, and RefreshToken, you must complete the Box OAuth process. For more information, see https://docs.box.com/reference#oauth-2-overview and https://docs.box.com/reference#token.
Modify the existing values in that file as follows:
Setting | Default Value | Description |
---|---|---|
BoxEndpoint | https://api.box.com/ | The Box endpoint to which the Agent should connect. |
ClientID | CHANGE_THIS | The client ID of the application to which the Agent will connect. The values for ClientID, ClientSecret, and RefreshToken must be encrypted using the lrcrypt command line utility (lrcrypt.exe), which is located in the LogRhythm System Monitor installation directory. You must manually paste the encrypted values into the configuration file. |
ClientSecret | CHANGE_THIS | The client secret of the application to which the Agent will connect. The values for ClientID, ClientSecret, and RefreshToken must be encrypted using the lrcrypt command line utility (lrcrypt.exe), which is located in the LogRhythm System Monitor installation directory. You must manually paste the encrypted values into the configuration file. |
RefreshToken | CHANGE_THIS | A refresh token retrieved in the final leg of OAuth 2. In most cases these are valid for 60 days, or until used. |
Timeout | 300 | The timeout (in seconds) to use when requesting data from the Box server. The valid range for this setting is 0 to 300. A value of 0 disables the timeout. |
LogApiRequest | false | Enables (true) or disables (false) diagnostic logging of HTTP and HTTPS requests to the API. For more information, see Log HTTP and HTTPS Responses from the API. |
LogsCreatedAfter | N/A | This date must follow the YYYY/MM/DD format. |
For more information on how to use the LogRhythm Encryption Utility, see LogRhythm Password Encryption.
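A pre-deployment check for the settings in the table above, as an added example (not LogRhythm's code). It assumes box.ini holds plain Key=Value lines, which this page does not state; the function names and the sample file are constructed for illustration, and the https:// check is an extra hygiene check rather than a documented requirement.

```python
import re
from datetime import datetime

CREDENTIAL_KEYS = ("ClientID", "ClientSecret", "RefreshToken")

def parse_settings(text):
    """Read key=value lines (assumed layout); skip blanks, comments, [sections]."""
    pairs = (ln.split("=", 1) for ln in map(str.strip, text.splitlines())
             if ln and ln[0] not in "#;[" and "=" in ln)
    return {k.strip(): v.strip() for k, v in pairs}

def check_box_ini(text):
    """Return a list of findings; an empty list means every check passed."""
    s, findings = parse_settings(text), []
    for key in CREDENTIAL_KEYS:
        if s.get(key, "") in ("", "CHANGE_THIS"):  # default from the settings table
            findings.append(f"{key}: placeholder or empty; paste the lrcrypt-encrypted value")
    # Added hygiene check (not from the page): tokens should only travel over TLS.
    if not s.get("BoxEndpoint", "").lower().startswith("https://"):
        findings.append("BoxEndpoint: expected an https:// URL")
    timeout = s.get("Timeout", "")
    if not (timeout.isdecimal() and 0 <= int(timeout) <= 300):
        findings.append("Timeout: must be a whole number from 0 to 300")
    created = s.get("LogsCreatedAfter", "N/A")
    if created != "N/A":
        try:
            if not re.fullmatch(r"\d{4}/\d{2}/\d{2}", created):
                raise ValueError(created)
            datetime.strptime(created, "%Y/%m/%d")  # rejects dates like 2024/02/30
        except ValueError:
            findings.append("LogsCreatedAfter: must be a real date in YYYY/MM/DD format")
    # The page spells this key both LogApiRequest and LogApiRequests; accept either.
    if "true" in (s.get("LogApiRequest", "").lower(), s.get("LogApiRequests", "").lower()):
        findings.append("LogApiRequest: diagnostic API logging is on (default is false)")
    return findings

# Constructed sample: a half-edited file, not real credentials or lrcrypt output.
SAMPLE = """\
BoxEndpoint=https://api.box.com/
ClientID=CONSTRUCTED_ENCRYPTED_VALUE
ClientSecret=CHANGE_THIS
RefreshToken=CONSTRUCTED_ENCRYPTED_VALUE
Timeout=600
LogApiRequest=true
LogsCreatedAfter=2024-01-15
"""

if __name__ == "__main__":
    print("\n".join(check_box_ini(SAMPLE)))
```

The check cannot tell whether a credential value was actually produced by lrcrypt; it only catches values left at the default or empty.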
After you configure the device, you must also configure LogRhythm according to the instructions provided on the overview page of this guide. Only Global Admins or Restricted Admins with elevated View and Manage privileges can take this action.
The name of the log message source is API - Box Event. In addition, when configuring this log source:
- For Log Message Processing Mode, select MPE Processing Enabled, Event Forwarding Enabled.
- For Log Message Processing Engine (MPE) Policy, select LogRhythm Default.
- On the Flat File Settings tab, enter the following:
File Path. <path to Box .ini file, including the file name and extension>
Log HTTP and HTTPS Responses from the API
The Box log source supports diagnostic logging of all HTTP and HTTPS responses from the Box API. Logging is disabled by default, and logging is controlled by the LogApiRequests field in the box.ini file.
To enable response logging, set the value of this field to true.
If you enable or disable logging, you must restart the Agent service before the change will take effect.
The API log file uses the same name as the default configuration file. In this case, the log file is /logs/box.log. The size of the API log file is limited to 100 MB before rolling over to a new file.