topic Problem ingesting from HEC, sslv3 alert certificate unknown in Getting Data In

Problem ingesting from HEC, sslv3 alert certificate unknown

manderson7 — Wed, 29 Aug 2018 13:19:04 GMT

We're attempting to ingest from ELK servers into Splunk using ELK -> HEC, but are having difficulties getting past ssl. Due to FW constraints, we're only able to send to one heavy forwarder on port 8088, which already has ssl enabled. We don't have certificate validation enabled.
The data is going to be coming in from a company that we've purchased, so they're not on our domain, and I'm not certain if their root ca cert is in effect in our domain, nor certain if that matters here.
They are sending using the following structure:

http_method => "put"
format => "json"
url => https://nattdip:8088/services/collector 
headers => {"Authorization" =>"Bearer d****d-9f84-4a3a-a9fd-6*******e"}
content_type => "application/json"

We've tried both put and post as the method, and they get the same error:

[HTTP Output Failure] Could not fetch URL {:url=>"https://nattdip:8088/services/collector", :method=>:post,

I see the following in my _internal log:

08-28-2018 15:45:13.287 -0400 WARN HttpListener - Socket error from sourceip while idling: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown

We've added their rootca to our pem file that Splunk is using to protect web & hec, but get same error.

Any suggestions would be great. Thanks very much.

Re: Problem ingesting from HEC, sslv3 alert certificate unknown

harsmarvania57 — Thu, 30 Aug 2018 10:56:25 GMT

Hi @manderson7,

If you are using HTTP Output Plugin on Logstash then you can configure cacert parameter on logstash server, for more info see this https://discuss.elastic.co/t/logstash-to-splunk-http-event-collector/130765/3

Re: Problem ingesting from HEC, sslv3 alert certificate unknown

manderson7 — Thu, 30 Aug 2018 12:15:13 GMT

Thank you! Once I get them the appropriate cert we'll test this and let you know.

Re: Problem ingesting from HEC, sslv3 alert certificate unknown

manderson7 — Thu, 30 Aug 2018 14:17:21 GMT

We've got the cert problem solved we think, but are now getting timeouts using curl. I'm not seeing any activity in Splunk for the httplistener, but when they try from logstash, I get +

08-30-2018 09:43:09.193 -0400 WARN  HttpListener - Socket error from nattip while idling: error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request

and they see unable to fetch url.

I'm seeing traffic go through the FW, and tcpdump sees the traffic as well. What's stopping HEC from ingesting the data?

Re: Problem ingesting from HEC, sslv3 alert certificate unknown

harsmarvania57 — Thu, 30 Aug 2018 14:48:38 GMT

Are you sure that they are sending traffic over https and not http because while googling this error it says that this error generates when you send traffic over http

Re: Problem ingesting from HEC, sslv3 alert certificate unknown

manderson7 — Tue, 29 Sep 2020 21:05:40 GMT

So they were using http earlier, then switched to https and got the following:
[ERROR][logstash.outputs.http ] [HTTP Output Failure] Could not fetch URL {:url=>"https://nattdip:8088/services/collector", :method=>:post, :body=>"{\"@timestamp\":\"2018-08-30T15:00:05.110Z\",\"offset\":2617,\"@version\":\"1\",\"beat\":{\"name\":\"elk003.inf030.chi1.domain1.com\",\"hostname\":\"elk003.inf030.chi1.domain1.com\",\"version\":\"5.6.3\"},\"input_type\":\"log\",\"host\":\"elk003.inf030.chi1.domain1.com\",\"source\":\"/home/mbrien/splunk_test.log\",\"message\":\"tdedsadssdfst\",\"type\":\"splunk_test\",\"tags\":[\"test logs\",\"splunk\",\"beats_input_codec_plain_applied\"]}", :headers=>{"Authorization"=>"Splunk d82a61dd-xxxx-xxxx-xxxx-682bdcacb76e", "Content-Type"=>"application/json"}, :message=>"Connection reset", :class=>"Manticore::SocketException", :backtrace=>nil, :will_retry=>true}

Re: Problem ingesting from HEC, sslv3 alert certificate unknown

harsmarvania57 — Thu, 30 Aug 2018 15:23:12 GMT

Try with URL https://nattdip:8088/services/collector/raw, additionally try header like this headers => ['Authorization' , 'Splunk d82a61dd-xxxx-xxxx-xxxx-682bdcacb76e']

Unfortunately I don't have Logstash setup so I can't test in my lab environment but based on example given here https://discuss.elastic.co/t/logstash-to-splunk-http-event-collector/130765/3 it looks like that user is renaming message to event, which is require if you are sending data to https://URL:8088/services/collector , see example curl -k "https://mysplunkserver.example.com:8088/services/collector" \ -H "Authorization: Splunk CF179AE4-xxxx-xxxx-xxxx-328xxxxx67" \ -d '{"event": "Hello, world!", "sourcetype": "manual"}'

Re: Problem ingesting from HEC, sslv3 alert certificate unknown

manderson7 — Thu, 30 Aug 2018 15:56:25 GMT

Considering a curl from one of my servers succeeded, but his failed, I'm asking our FW guys for some eyes before we attempt further on the logstash connection. Thanks very much for your help, and I'll come back to this when we get further in our connection.

Re: Problem ingesting from HEC, sslv3 alert certificate unknown

manderson7 — Thu, 06 Sep 2018 17:41:06 GMT

Our firewall wasn't allowing the entire transmission through, as it's application based, and the wrong application was specified. We're able to transmit now, and ingest into Splunk. Thanks for your assistance in troubleshooting this.

Re: Problem ingesting from HEC, sslv3 alert certificate unknown

harsmarvania57 — Thu, 06 Sep 2018 17:58:02 GMT

It's good to hear that ELK is ingesting data in Splunk now. You can convert your last comment to answer and you can accept it.