sophos/Sophos-Central-SIEM-Integration

No JSON object could be decoded

Balackie opened this issue · 8 comments

Hi,

I'm getting this error when trying to run 'python siem.py' after editing the config.ini file with relevant token info:

root@Rg-siemlog:/opt/Sophos-Central-SIEM-Integration# python siem.py
Config loaded, retrieving results for 'XXXXX'
Config retrieving results for 'Basic XXXXX'
Config endpoint=/siem/v1/events, filename='result.txt' and format='json'
Config state_file='/opt/Sophos-Central-SIEM-Integration/state/siem_lastrun_events.obj' and cwd='/opt/Sophos-Central-SIEM-Integration'
No datetime found, defaulting to last 12 hours for results
Retrieving results since: 1565467974
URL: https://api5.central.sophos.com/gateway/siem/v1/events?from_date=1565467974&limit=1000
Traceback (most recent call last):
  File "siem.py", line 494, in <module>
    main()
  File "siem.py", line 212, in main
    process_endpoint(endpoint, opener, endpoint_config, token)
  File "siem.py", line 244, in process_endpoint
    write_json_format(results)
  File "siem.py", line 274, in write_json_format
    for i in results:
  File "siem.py", line 347, in call_endpoint
    events = json.loads(events_response)
  File "/usr/lib/python2.7/json/__init__.py", line 339, in loads
    return _default_decoder.decode(s)
  File "/usr/lib/python2.7/json/decoder.py", line 364, in decode
    obj, end = self.raw_decode(s, idx=_w(s, 0).end())
  File "/usr/lib/python2.7/json/decoder.py", line 382, in raw_decode
    raise ValueError("No JSON object could be decoded")
ValueError: No JSON object could be decoded

Please advise.
Thanks!

I am also facing the same issue.

I'm facing this issue as well. I think this is a problem with the API, but I'm not positive. When I ran the same GET request as the script does using curl, I got back a 200 response from the API with an empty response body, which means it's attempting to json.loads('') and you get that same exception. It doesn't happen every time; it seems to be sporadic (or maybe I just don't have any alerts to be returned).

I can make a PR for the fix in siem.py, but if this needs to be fixed in the API the script shouldn't need that.
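A defensive decode for the case described above (HTTP 200 with an empty body), as an added example in Python 3 and not code from the project's siem.py: the response field name `items` is an assumption, since the page does not show the response shape.

```python
import json

# Added example (not the project's own code): decode a /siem/v1/events body
# without crashing when the API answers HTTP 200 with an empty body.


def decode_events_body(body):
    """Classify and decode an events response body.

    Returns a (status, payload) pair:
      ("empty",   None)     body is empty or whitespace only (no events this poll)
      ("ok",      obj)      body parsed as JSON; obj is the decoded value
      ("invalid", excerpt)  body is non-empty but not JSON; excerpt is for logging
    json.loads() on '' raises ValueError (the traceback in this issue), so the
    empty case is checked first instead of being left to the decoder.
    """
    if isinstance(body, bytes):
        body = body.decode("utf-8", errors="replace")
    if not body.strip():
        return ("empty", None)
    try:
        return ("ok", json.loads(body))
    except ValueError:  # json.JSONDecodeError is a subclass of ValueError
        return ("invalid", body[:80])


def events_from_body(body, items_key="items"):
    """Return the list of events in a body, or [] when there are none.

    The response shape is not shown on this page; items_key="items" is an
    assumption. A bare JSON list is accepted as well.
    """
    status, payload = decode_events_body(body)
    if status == "empty":
        return []
    if status == "invalid":
        raise ValueError("events endpoint returned non-JSON body: %r" % payload)
    if isinstance(payload, list):
        return payload
    if isinstance(payload, dict):
        return list(payload.get(items_key, []))
    raise ValueError("unexpected JSON type %s" % type(payload).__name__)


if __name__ == "__main__":
    # Constructed sample bodies: the empty one reproduces the reported crash path.
    for sample in (b"", b"  \n", b'{"items": [{"id": "evt-1"}]}', b"<html>error</html>"):
        try:
            print(repr(sample), "->", events_from_body(sample))
        except ValueError as exc:
            print(repr(sample), "-> error:", exc)
```

An empty poll now yields an empty list that the caller can skip, and a genuinely malformed body surfaces with an excerpt for the log instead of the bare "No JSON object could be decoded".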

This was an issue on Sophos's end and they have resolved it.
https://community.sophos.com/kb/en-us/134509

Ok!
I do not get this error any more, and I also see that the log directory was created and 'results.txt' under it with logs being written - but no syslog traffic is seen when checking the outgoing traffic with tcpdump.
What could be wrong with my configuration?
[image attachment]
Thanks!

@Balackie Are you still facing the issue with the Syslog configuration?

@Balackie, please raise a new issue. Closing this one as resolved.

@Balackie, if you are still facing the issue with the syslog configuration, please make sure that the port you have configured is open on the remote instance. We verified the configuration with both TCP and UDP protocols and it seems to be working as expected. Here is the correct syslog configuration for your reference:

[image attachment]