Splunk Connect for Zoom "Invalid URL" when entering URL For Heavy Forwarder

zeroadh
Engager

We're attempting to ingest Zoom logs via the Splunk Connect for Zoom add-on. We're using a Heavy Forwarder and have set it up following the documentation here: https://docs.splunk.com/Documentation/ZoomConnect/1.0.1/User/Installandconfiguredistributed

However, when we attempt to enter the Event notification endpoint URL on the Zoom side (Step 8 under the Create Zoom Webhook Only App), we're getting an "Invalid URL" message.

We're putting in the URL for our Heavy Forwarder and have watched tutorials, and they seem to be doing the same thing. Has anyone else experienced this and know a way around it?

MKLaborde
Explorer

So after spending the better part of the last 60 days trying to get the Zoom add-on to work, here's what we've learned.

We could not get the Zoom add-on to work; we had to use the HTTP Event Collector, which a Splunk tech linked us to: https://www.splunk.com/en_us/blog/tips-and-tricks/splunking-webhooks-with-the-http-event-collector.h...

That got us onto the right track but then we realized that it appears Zoom won't accept a Splunk self-signed cert, so we got our security team to get us some signed certs and added the stanzas "ServerCert=*your_cert*" and "privKeyPath=*Your key*" to the /etc/apps/splunk_httpinput/local/inputs.conf and we were almost there.

HEC also uses a token which Zoom doesn't know what to do with, but if you read the article above, you know you also need to add the "allowQueryStringAuth=true" stanza to the inputs.conf and include ?token=*the token Splunk HEC generates* in your endpoint and that FINALLY got it to work.

So it's: use HEC, not the Zoom add-on. For the Zoom endpoint, just configure your event subscriptions and use https://*your public server hostname*/services/collector/raw?token=*the token Splunk generates*. Then add your signed certs into your inputs.conf and you should start ingesting data.

Hopefully this saves someone 58 or 59 days because this seriously took us forever to finally solve, I'm not kidding when I say it probably took us 60 days to finally work out...
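
A pre-flight check for the endpoint described in the post above, added here as an example; it is not code from the thread, Splunk, or Zoom. `url_problems` checks the URL shape offline, and `cert_trusted` performs a TLS handshake against the system trust store, which fails for a self-signed certificate. The function names, the `hec.example.com` host, the port, the all-zero token, and the GUID token format are assumptions.

```python
import socket
import ssl
import uuid
from urllib.parse import urlsplit, parse_qs

RAW_PATH = "/services/collector/raw"  # HEC raw endpoint named in the post


def url_problems(url):
    """Return a list of problems with a webhook URL; an empty list means it matches the post."""
    problems = []
    parts = urlsplit(url)
    if parts.scheme != "https":
        problems.append("scheme is not https")
    if not parts.hostname:
        problems.append("no hostname")
    if parts.path.rstrip("/") != RAW_PATH:
        problems.append("path is not " + RAW_PATH)
    tokens = parse_qs(parts.query).get("token", [])
    if len(tokens) != 1:
        problems.append("expected exactly one token= query parameter")
    else:
        try:
            uuid.UUID(tokens[0])  # assumption: HEC tokens are GUID-formatted
        except ValueError:
            problems.append("token is not a GUID")
    return problems


def cert_trusted(url, timeout=5.0):
    """Handshake using the system trust store; a self-signed cert yields (False, reason)."""
    parts = urlsplit(url)
    ctx = ssl.create_default_context()  # verifies both the chain and the hostname
    try:
        with socket.create_connection((parts.hostname, parts.port or 443), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=parts.hostname):
                return True, "certificate chain and hostname verified"
    except (ssl.SSLError, OSError) as exc:
        return False, str(exc)


if __name__ == "__main__":
    # Constructed sample values: placeholder host and an all-zero token.
    sample = "https://hec.example.com:8088/services/collector/raw?token=00000000-0000-0000-0000-000000000000"
    print(url_problems(sample) or "URL shape OK")
    # cert_trusted(sample) needs network access to the real server, so it is not called here.
```
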

zeroadh
Engager

That's awesome you got it working. I'll try this and let you know if it works for us.

MKLaborde
Explorer

Yeah, let me know how it pans out, I'll keep my eye on this thread and if I can help, I'll try...

0 Karma

MKLaborde
Explorer

Also, here's a link to the Splunk doc on HEC in case you need it:

https://docs.splunk.com/Documentation/Splunk/latest/Data/UsetheHTTPEventCollector

0 Karma

laurenschwerdt
Explorer

Did you ever figure out this issue?