topic Re: Posting to a receiver using REST API giving "insufficient permission to access this resource" error in Getting Data In

Posting to a receiver using REST API giving "insufficient permission to access this resource" error

bengwall — Tue, 05 Jan 2016 21:55:43 GMT

We are investigating how to create a Splunk log entry over the REST API via JavaScript. I'm posting the following event via the REST API:

curl -k -u user:password "https://tspl001:8089/services/receivers/simple?source=www&sourcetype=junk&index=angularjs_test" -d "2015-01-23 12:45:03 CST Hello there"

Here is the response:

<?xml version="1.0" encoding="UTF-8"?>
<response>
  <messages>
    <msg type="WARN">insufficient permission to access this resource</msg>
  </messages>
</response>

I was told that my user has write privileges and that I'm using the correct sourcetype and index values. I cannot file any reference to what the "www" source is.

Re: Posting to a receiver using REST API giving "insufficient permission to access this resource" error

kbarker302 — Wed, 06 Jan 2016 13:48:05 GMT

Please see the answer posted here:

https://answers.splunk.com/answers/75013/minimum-permissions-required-for-using-http-simple-receiver.html

Apparently there is an edit_tcp capability that needs to be defined in authorize.conf for the simple receiver to work:

http://docs.splunk.com/Documentation/Splunk/6.3.2/admin/Authorizeconf

Fyi, the [capability::edit_tcp] stanza was already present in my system/default/authorize.conf file. I took it out just to see if I could reproduce your problem, but I was still able to execute the REST calls.

Re: Posting to a receiver using REST API giving "insufficient permission to access this resource" error

bengwall — Wed, 06 Jan 2016 17:29:51 GMT

Assigning the edit_tcp attribute solved the issue. Thanks.