Kaspersky
Question

KSC 11 OpenAPI usage problems

  • 20 August 2019
  • 7 replies
  • 125 views

Can anyone shed some light on the proper syntax/format to use in a cURL command that will return results to the strAccessor wstring?

We are trying to query the FindGroups and FindHosts methods of the HostGroup class so that we can return hostnames to work with (KLHST_WKS_HOSTNAME), but are not having any luck.

As an example, the data field we are passing to FindGroups is currently

-d '{wstrFilter: "", vecFieldsToReturn: ["id", "name"], lMaxLifeTime: 60}'

7 replies

@rshumsky Could you help with this?
Hi,

You can get the root group ID (KLADMSRV_GRP_ROOT) by calling the HostGroup.GetStaticInfo() method. Pass this ID to HostGroup.GetSubgroups() to receive the group tree, and use the group IDs for the filter in HostGroup.FindHosts().
Afterwards you can pass the group ID to wstrFilter for HostGroup.FindHosts(). For example, you can get the devices of the root group with the query
  • -d '{wstrFilter: "(&(KLHST_WKS_GROUPID=your_KLADMSRV_GRP_ROOT))", vecFieldsToReturn: ["KLHST_WKS_HOSTNAME"], lMaxLifeTime: 60}'
For FindGroups() in your example you should pass some wstrFilter. You can get more information on its syntax on the "Search filter syntax" page in the OpenAPI doc.
Thanks for the reply @rshumsky .

Unfortunately we are having problems establishing a session again to the API using the basic authentication method.

This works fine for roughly 24 hours; after that, whenever we try to start a session again, we receive a 403 Forbidden response with the message "authentication header unexpected".

If we try a new account this will work again, but by tomorrow we will receive the same message.
donkeykongjr,

https://hostname:13299/api/v1.0/login creates an authenticated TLS connection and requires that it be used for further requests. Unfortunately, this might not work with standalone curl requests.

In the OpenAPI protocol description there is a note about it:

"Connection is established with the server and the client doesn't close it throughout the work with the server".

You can create a permanent TCP socket and use it.
Is there no way to close an already open session when you are done with it? I am used to opening a session, passing some commands then closing or deleting that session.

If not, we could try using the token authentication method, but the documentation for the API is not the best and the layout can be a little confusing at times.
To close the session you should close the authenticated connection by calling the socket destroy method. KSC keeps the connection alive without a direct command to close it.
Is there any way that we can include a variable for the "KLHST_WKS_HOSTNAME" in the alerts from the KSC?
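
The flow described in the replies above (log in once, reuse that same connection for HostGroup.FindHosts, read the rows behind strAccessor, then close the socket), as an added example that is not from any poster or from Kaspersky. The KSCBasic header format, ChunkAccessor.GetItemsChunk and the PxgRetVal / pChunk / KLCSP_ITERATOR_ARRAY reply fields are assumptions taken from the OpenAPI documentation rather than from this thread; list_hosts and its cafile parameter are hypothetical names.

```python
import base64
import http.client
import json
import ssl

API = "/api/v1.0/"  # path prefix from the login URL quoted in the thread

def login_headers(user, password):
    # Assumption: KSCBasic header with each credential Base64-encoded separately.
    enc = lambda s: base64.b64encode(s.encode("utf-8")).decode("ascii")
    return {"Authorization": f'KSCBasic user="{enc(user)}", pass="{enc(password)}", internal="0"',
            "Content-Type": "application/json"}

def call(conn, method, params=None, headers=None):
    """POST one method over the already-open connection and decode the JSON reply."""
    conn.request("POST", API + method, body=json.dumps(params or {}),
                 headers=headers or {"Content-Type": "application/json"})
    resp = conn.getresponse()
    raw = resp.read()  # drain the reply so the same socket can carry the next call
    if resp.status != 200:
        raise RuntimeError(f"{method}: HTTP {resp.status}")
    return json.loads(raw) if raw else {}

def hostnames_in_group(conn, group_id, chunk=100):
    found = call(conn, "HostGroup.FindHosts", {
        "wstrFilter": f"(&(KLHST_WKS_GROUPID={int(group_id)}))",
        "vecFieldsToReturn": ["KLHST_WKS_HOSTNAME"],
        "lMaxLifeTime": 60})
    # Assumption: PxgRetVal is the match count and strAccessor names the result set.
    accessor, total = found["strAccessor"], found["PxgRetVal"]
    names = []
    for start in range(0, total, chunk):
        page = call(conn, "ChunkAccessor.GetItemsChunk",
                    {"strAccessor": accessor, "nStart": start, "nCount": chunk})
        for item in page["pChunk"]["KLCSP_ITERATOR_ARRAY"]:  # assumed reply layout
            names.append(item["value"]["KLHST_WKS_HOSTNAME"])
    return names

def list_hosts(host, user, password, group_id, cafile):
    ctx = ssl.create_default_context(cafile=cafile)  # verify the server certificate
    conn = http.client.HTTPSConnection(host, 13299, context=ctx)
    try:
        call(conn, "login", headers=login_headers(user, password))
        return hostnames_in_group(conn, group_id)
    finally:
        conn.close()  # closing the socket is how the session ends, per the thread
```

Every request goes through the one `HTTPSConnection` object, so the login and the queries share a socket, which separate curl invocations do not.
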

If that were possible we could get straight to the endpoint in question without having to drill-down by making quite so many calls and server-side array queries. It would also avoid any ambiguity where endpoint hostnames can occur more than once across different sites/groups.
