topic Re: Different authentications for HEC Token in Security

Different authentications for HEC Token

lqiao — Tue, 02 Jan 2018 22:23:18 GMT

Hi,

I am following this online doc to test the three authentication for HEC tokens: http://dev.splunk.com/view/event-collector/SP-CAAAE7G. I don't understand why only HTTP authentication works while the other two gave different errors. Is it a permission issue? Please help. Thank you.

HTTP Authentication:
Command: curl -k http://hostname:8088/services/collector -H 'Authorization: Splunk tokenId' -d '{"sourcetype": "mysourcetype", "event":"Hello, World!"}'
Result: {"text":"Success","code":0}

Basic Authentication:
Command: curl -k -u "x:tokenID" http://hostname:8088/services/collector -d '{"sourcetype": "mysourcetype", "event":"Hello, World!"}'
Result: {"text":"Invalid authorization","code":3}

Query String:
Command: curl -k http://hostname:8088/services/collector/event?token=tokenId -d '{"sourcetype": "mysourcetype", "event":"Hello, World!"}'
Result: {"text":"Token is required","code":2}

Re: Different authentications for HEC Token

outcoldman — Wed, 03 Jan 2018 06:26:57 GMT

Which Splunk version are you using? I believe another two were added later, not on the initial release.

Re: Different authentications for HEC Token

lqiao — Wed, 03 Jan 2018 16:28:31 GMT

Thank you. I am using Splunk 6.4.3. I can test with higher version today.

Re: Different authentications for HEC Token

outcoldman — Wed, 03 Jan 2018 16:35:40 GMT

Actually docs say that it should be available with 6.4.x http://dev.splunk.com/view/event-collector/SP-CAAAE8Y#basicauth

Re: Different authentications for HEC Token

outcoldman — Wed, 03 Jan 2018 16:38:02 GMT

Basic authentication and query string authentications are new features in Splunk 6.6 and above http://dev.splunk.com/view/event-collector/SP-CAAAE8Y#basicauth (documentation has misprint, that this is available starting from 6.4)

Query authentication is disabled by default, see http://docs.splunk.com/Documentation/Splunk/7.0.1/Admin/Inputsconf, so you need to enable it to use the basic authentication or query parameters for authentication

[http://name]
...
allowQueryStringAuth = [true|false]

Updated 2018-01-03 based on @lqiao clarification

Re: Different authentications for HEC Token

lqiao — Wed, 03 Jan 2018 16:38:39 GMT

Looking at the example, it mentions:

Using Basic auth (6.5.0 and later only)

wrong in the doc?

Re: Different authentications for HEC Token

outcoldman — Thu, 04 Jan 2018 01:31:40 GMT

Seems like somewhere is a mistake, please send a feedback

Re: Different authentications for HEC Token

lqiao — Thu, 04 Jan 2018 23:07:36 GMT

Hi outcoldman,

You are correct. I'd like to amend something to your answers after my testing. It is not your mistake. It is a Splunk doc issue.

Even in this doc http://dev.splunk.com/view/event-collector/SP-CAAAE8Y#basicauth, it says that "Basic authentication and query string authentications are new features in Splunk 6.4 and above.", basic and query string authentications are not working on Splunk 6.4.3, see the result in my question.

I tested on Splunk 6.5.6 (latest 6.5 version), basic authentication is working here. Query string authentication gave {"text":"Token is required","code":2} error, meaning that it is not supported on 6.5 version.

I tested also on Splunk 6.6.5 (latest 6.6 version), both basic authentication and query string authentication are supported. 6.6.0 is the first version supporting configuration allowQueryStringAuth. Splunk doc says by default, allowQueryStringAuth = false, so result: {"text":"Query string authorization is not enabled","code":16}. After setting it to true, result is {"text":"Success","code":0}. This setting is not visible in the default inputs.conf.

Re: Different authentications for HEC Token

lqiao — Thu, 04 Jan 2018 23:09:35 GMT

I never hear my feedback back. I did more testing and added comment to your answer. Thanks for your answer. I don't want to accept it directly as the version part might confuse other people. It is not your mistake. My comment is being reviewed by the moderator.

Re: Different authentications for HEC Token

outcoldman — Fri, 05 Jan 2018 01:24:38 GMT

I have updated my answer, thank you for clarification!