Unknown REST API logs

Hey Guys,

I configured a syslog server for my auditing, but I keep getting the error message below:

Oct 14 10:39:46 10.2.137.23 name="Audit log" priority="notice" user="unknown" facility="REST API" operation="Auth" details={"apikey_redacted": "", "details": "Failure: CSRF validation failed", "apikey_id": 0}

I am sure it comes from an old API call that I created, but I do not see any when looking through my appliances. Any guidance on finding the source of these errors would be awesome!

Is this error being sent from an ExtraHop to your syslog server? If so, do you see the error in the audit log in the admin UI?

One option is to span or tap the monitoring port traffic to look for the API call, but I’m afraid we may not be able to provide much more information without doing that.

Hi Ted,
Appreciate the response. These are errors that are being sent to our syslog.

I currently have a tap in place so if I need to gather traffic off of that tap I can.
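
An added example, not part of the original posts and not ExtraHop code: one way to parse audit lines in the format quoted above, pull out the REST API auth failures, and measure the gaps between them, so the failure timestamps can narrow the window to inspect in the tap capture. The function names, the assumed year, and every sample line after the first are constructed for illustration.

```python
import json
import re
from collections import Counter
from datetime import datetime

# Constructed sample: the first line is the format from the post; the later
# timestamps and the unrelated line are invented for illustration.
_FAIL = ('{ts} 10.2.137.23 name="Audit log" priority="notice" user="unknown" '
         'facility="REST API" operation="Auth" details={{"apikey_redacted": "", '
         '"details": "Failure: CSRF validation failed", "apikey_id": 0}}')
SAMPLE = [
    _FAIL.format(ts="Oct 14 10:39:46"),
    "Oct 14 10:41:02 10.2.137.23 unrelated message",
    _FAIL.format(ts="Oct 14 10:44:46"),
    _FAIL.format(ts="Oct 14 10:49:46"),
]

LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+\s+[\d:]{8})\s+(?P<host>\S+)\s+(?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)="([^"]*)"')
CURLY = str.maketrans("“”", '""')  # forum/e-mail pastes often curl the quotes

def parse_line(line, year=2000):
    """Split one audit line into a dict; syslog omits the year, so one is assumed."""
    m = LINE_RE.match(line.translate(CURLY).strip())
    if not m:
        return None
    head, sep, blob = m["rest"].partition(" details=")
    rec = dict(KV_RE.findall(head))
    rec["host"] = m["host"]
    rec["time"] = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    try:
        rec["details"] = json.loads(blob) if sep else {}
    except json.JSONDecodeError:
        rec["details"] = {}
    return rec

def auth_failures(lines):
    """Return REST API Auth failure records, oldest first."""
    recs = [r for r in map(parse_line, lines) if r]
    hits = [r for r in recs
            if r.get("facility") == "REST API" and r.get("operation") == "Auth"
            and str(r["details"].get("details", "")).startswith("Failure")]
    return sorted(hits, key=lambda r: r["time"])

def interval_counts(failures):
    """Count gaps (seconds) between consecutive failures; one dominant gap suggests a scheduled job."""
    times = [r["time"] for r in failures]
    return Counter(int((b - a).total_seconds()) for a, b in zip(times, times[1:]))

if __name__ == "__main__":
    hits = auth_failures(SAMPLE)
    print(len(hits), "failures; gaps (s):", dict(interval_counts(hits)))
```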