All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Streaming AWS data to Splunk using Firehose

segevgal87
Loves-to-Learn
‎01-01-2020 01:16 AM

Hi,

I'm trying to stream AWS logs using the Kinesis firehose method. I followed a tutorial and verified each step a few times.
I have generated a certificate for my Splunk Enterprise server using Let's Encrypt. My HEC is using that certificate and I know for sure that it is healthy and secure (used the following URL: https://host.domain.net:8088/services/collector/health)

I keep getting the following error on the monitoring of the Kinesis Firehose:

Could not connect to the HEC endpoint. Make sure that the certificate and the host are valid.
Splunk.SSLHandshake

Any ideas about what could go wrong?

Splunk Version ............ 8.0.0

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

soumyasaha25
Contributor
‎01-01-2020 01:57 PM

Hi @segevgal87, although i have not tested it myself, based on the answer on this post it might be due to LetsEncrypt.

Could you try using an AWS ACM cert ? Do you get the same error with ACM certs.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

soumyasaha25
Contributor
‎01-01-2020 01:57 PM

Hi @segevgal87, although i have not tested it myself, based on the answer on this post it might be due to LetsEncrypt.

Could you try using an AWS ACM cert ? Do you get the same error with ACM certs.

0 Karma
Reply
Solved! Jump to solution

amiracle
Splunk Employee
Splunk Employee
‎01-06-2020 11:42 AM

You need to have a valid certificate on either your Load Balancer (ELB for AWS deployments) or on your machine accepting the data from Firehose. The default HEC SSL Cert is not a valid third party SSL cert and will thus fail. You can either issue one from ACM (AWS Certificate Manager) so you can test your deployment. To make your life easier, you should use an ELB with a valid cert on a HF tier and then forward the data into your Splunk indexers. This link might help with how to set that up.

0 Karma
Reply
Solved! Jump to solution

segevgal87
Loves-to-Learn
‎01-06-2020 11:14 PM

Hi,

I purchased a domain so I could try the ELB approach and it worked!
I guess the Let's Encrypt certificate was the issue...

Thanks amiracle and soumyasaha25

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...