Hello, I am using HEC to send data from AWS (DynamoDB) to Splunk. I am getting an error: "ECONNREFUSED","errno":"ECONNREFUSED at TCPConnectWrap.afterConnect [as oncomplete] ",
Can anyone tell me a better method to do the task or some advice to solve this issue?
Hi
One way to test it (unless it is called from Lambda or other serverless services) is with curl:
curl -v -k "https://localhost:8088/services/collector/event" -H "Authorization: Splunk 9dd3e284-1619-4070-be37-59250cd52876" -d '{"event": "Hello, world!", "sourcetype": "manual"}'
With -v you will also get debug information.
r. Ismo
Hi!
I am doing the test from Lambda. So, is there any other way I could find out the exact error?
Then probably the easiest way is to set up another node in the same network where those Lambdas run and test there. Quite often the reason is that your HEC servers' SG is missing that network.
r. Ismo
Do you mean assigning another port? I tried using port 8080 as well, but the result was the same.
No, I mean that you must check the security groups for that HEC node at the AWS node level. In those you must add port 8088 to allow traffic wherever you want. Without that, those events never reach the node; they are just dropped by the AWS security group definition. You can check these in the AWS Console.
r. Ismo
Hi!
I have checked in AWS and I see these in the inbound rules. Do I have to change anything? For the outbound rule, it is assigned as access to all.
So that means I have to add a new inbound port?
Hello,
Thank you for your reply. I am actually a little new to this, so can you describe how it can be done?
Hello,
I have set the port to 8088 and issued the token. Do I have to do additional settings?
You will have to at least:
- make sure your Lambda function runs in your VPC (so the network connection starts in your VPC and can reach your HEC port) (see https://docs.aws.amazon.com/lambda/latest/dg/configuration-vpc.html ) (unless your HEC can be accessed from outside your VPC)
- allow port TCP 8088 inbound in the security group (where you receive HEC) (connection refused -> probably your main issue, as already pointed out above)
- you may also have to play with certificate checking options in your Lambda function (especially if you don't use a valid certificate for HEC)
I installed Splunk on AWS from an AMI, so it has an Elastic IP and can be accessed from other networks as well.
I tried adding another port with 8088 in the security group but the output is the same.
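
Added example, not part of the thread and not Splunk or AWS code: a Node.js helper that a Lambda handler could call before posting to HEC, to see which layer the connection fails at. The names classifyHecError and probeHec and the category labels are hypothetical, and the hints encode general TCP behaviour (a refusal means something answered the SYN with a reset, while a security group that does not allow the traffic drops it silently and shows up as a timeout).

```javascript
// Map a Node.js socket/TLS error code to the layer most likely at fault.
function classifyHecError(err, host) {
  const code = err && err.code;
  const loopback = ['localhost', '127.0.0.1', '::1'].includes(host);
  switch (code) {
    case 'ECONNREFUSED':
      // Inside Lambda, localhost is the function's own sandbox, not Splunk.
      // Otherwise the host answered but nothing listens on that port
      // (HEC disabled, different port, or bound to another interface).
      return loopback ? 'loopback-target' : 'port-closed';
    case 'ETIMEDOUT':
    case 'PROBE_TIMEOUT':
      // No answer at all: security group, NACL, routing, or Lambda VPC config.
      return 'filtered';
    case 'ENOTFOUND':
    case 'EAI_AGAIN':
      return 'dns';
    case 'DEPTH_ZERO_SELF_SIGNED_CERT':
    case 'SELF_SIGNED_CERT_IN_CHAIN':
    case 'UNABLE_TO_VERIFY_LEAF_SIGNATURE':
    case 'CERT_HAS_EXPIRED':
    case 'ERR_TLS_CERT_ALTNAME_INVALID':
      // TCP works; fix the HEC certificate or trust its CA in the client.
      return 'tls-certificate';
    default:
      return 'unknown';
  }
}

// Plain TCP connect to the HEC port with a hard timeout; never throws.
async function probeHec(host, port = 8088, timeoutMs = 3000) {
  const net = await import('node:net');
  return new Promise((resolve) => {
    const socket = net.connect({ host, port });
    const done = (result) => {
      clearTimeout(timer);
      socket.destroy();
      resolve(result);
    };
    const fail = (code) =>
      ({ ok: false, host, port, code, cause: classifyHecError({ code }, host) });
    const timer = setTimeout(() => done(fail('PROBE_TIMEOUT')), timeoutMs);
    socket.once('connect', () =>
      done({ ok: true, host, port, code: null, cause: 'reachable' }));
    socket.once('error', (err) => done(fail(err.code)));
  });
}
```

Logging the result of `await probeHec(host)` at the start of the handler puts the category in CloudWatch next to the raw error code.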