topic Re: Problem with Curl Request to Splunk Server in Splunk Enterprise

Problem with Curl Request to Splunk Server

btluynk — Tue, 16 Jan 2024 13:53:59 GMT

Hi team,

I'm trying to send a curl request from my local machine to a Splunk server, but I'm encountering the following error. Have you come across this error before? I've found similar issues on stackoverflow, but none of the solutions seem to work for me. I thought reaching out here might provide quick support in case anyone has experienced a specific issue related to this. Thank you in advance for your assistance.

aaa.bbb@MyComputer-xxx ~ % curl https://1.1.1.1:8088/services/collector/raw -H "Authorization: Splunk XXXX-XXXX-XXXX-XXXX-XXXX" -d '{"event": "cheesecake"}' --insecure

Output:

curl: (35) LibreSSL/3.3.6: error:1404B42E:SSL routines:ST_CONNECT:tlsv1 alert protocol version

Thanks

Re: Problem with Curl Request to Splunk Server

btluynk — Tue, 16 Jan 2024 14:06:43 GMT

Re: Problem with Curl Request to Splunk Server

ITWhisperer — Tue, 16 Jan 2024 14:18:54 GMT

You seem to be specifying that you want to use SSL (https) but you don't appear to be providing any certificates etc. Have you tried using http instead?

Re: Problem with Curl Request to Splunk Server

btluynk — Tue, 16 Jan 2024 14:48:02 GMT

Hi,

First of all, thank you for your response, I am sharing the outputs I got when I tried using HTTP and HTTPS below. It may be due to the SSL setting of the Http collector, but I think there will be other logs affected.

XXX.XXX@XXX-XXX-XXX ~ % curl -kv http://1.1.1.1:8088/services/collector/raw -H "Authorization: Splunk XXX-XXX-XXX-XXX-XXX" -d '{"event": "cheesecake"}' --insecure

* Trying 1.1.1.1:8088...
* Connected to 1.1.1.1 (1.1.1.1) port 8088 (#0)
> POST /services/collector/raw HTTP/1.1
> Host: 1.1.1.1:8088
> User-Agent: curl/8.1.2
> Accept: */*
> Authorization: Splunk XXX-XXX-XXX-XXX-XXX
> Content-Length: 23
> Content-Type: application/x-www-form-urlencoded
>
< HTTP/1.1 200 OK
< Date: Tue, 16 Jan 2024 14:31:55 GMT
< Content-Type: application/json; charset=UTF-8
< X-Content-Type-Options: nosniff
< Content-Length: 27
< Vary: Authorization
< Connection: Keep-Alive
< X-Frame-Options: SAMEORIGIN
< Server: Splunkd
<
* Connection #0 to host 1.1.1.1 left intact
{"text":"Success","code":0}%

XXX.XXX@XXX-XXX-XXX ~ % curl -kv https://1.1.1.1:8088/services/collector/raw -H "Authorization: Splunk XXX-XXX-XXX-XXX-XXX" -d '{"event": "cheesecake"}' --insecure

* Trying 1.1.1.1:8088...
* Connected to 1.1.1.1 (1.1.1.1) port 8088 (#0)
* ALPN: offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
* LibreSSL/3.3.6: error:1404B42E:SSL routines:ST_CONNECT:tlsv1 alert protocol version
* Closing connection 0
curl: (35) LibreSSL/3.3.6: error:1404B42E:SSL routines:ST_CONNECT:tlsv1 alert protocol version

Re: Problem with Curl Request to Splunk Server

PickleRick — Tue, 16 Jan 2024 14:54:44 GMT

OK. Wait a second. Do you even have TLS enabled on this port?

Check output of

openssl s_client -connect your_splunk_ip:8088

for errors as well as check your _internal index for errors regarding your client's IP.

Re: Problem with Curl Request to Splunk Server

btluynk — Tue, 16 Jan 2024 15:02:11 GMT

Hi team,

In this output, it appears that TLS is enabled based on the following information:

XXX.XXX@XXX-XXX-XXX ~ % openssl s_client -connect 1.1.1.1:8088

CONNECTED(00000003)

140704518969088:error:1404B42E:SSL routines:ST_CONNECT:tlsv1 alert protocol version:/AppleInternal/Library/BuildRoots/d9889869-120b-11ee-b796-7a03568b17ac/Library/Caches/com.apple.xbs/Sources/libressl/libressl-3.3/ssl/tls13_lib.c:151:

---

no peer certificate available

---

No client certificate CA names sent

---

SSL handshake has read 5 bytes and written 294 bytes

---

New, (NONE), Cipher is (NONE)

Secure Renegotiation IS NOT supported

Compression: NONE

Expansion: NONE

No ALPN negotiated

SSL-Session:

Protocol : TLSv1.3

Cipher : 0000

Session-ID:

Session-ID-ctx:

Master-Key:

Start Time: 1705416962

Timeout : 7200 (sec)

Verify return code: 0 (ok)

---

I dont understand but the "Protocol" field indicates TLS version 1.3, and the "Cipher" field would typically show the cipher suite being used. The "Verify return code" of 0 indicates that the certificate verification was successful. However, there is an error related to the TLS protocol version alert, which might be due to a compatibility issue between the OpenSSL version used and the TLS version supported by the server. If this is not causing any problems with the connection, it might be negligible.

Re: Problem with Curl Request to Splunk Server

PickleRick — Tue, 16 Jan 2024 17:55:40 GMT

No. It can be a bit misleading but it shows that TLS isn't properly configured on this port. With TLS you should have gotten a server certificate and all the gory encryption protocols details.

Also as you noticed yourself in the other comment - you can properly call curl requesting a simple non-encrypted http:// resource. Since Splunk doesn't serve both TLS-enabled and not-enabled services on the same port, it means you simply have to configure it.

Re: Problem with Curl Request to Splunk Server

btluynk — Wed, 17 Jan 2024 08:22:32 GMT

Hi team,

Thank you for your support. The problem was solved when I changed the command by typing hostname instead of IP.