HEC to aws(dynamodb)
Hello, I am using HEC to send data from AWS (DynamoDB) to Splunk. I am getting an error called "ECONNREFUSED","errno":"ECONNREFUSED at TCPConnectWrap.afterConnect [as oncomplete] ",
Can anyone tell me a better method to do the task or give some advice to solve this issue?

Hi
One way to test it (unless it is called from Lambda or other serverless services) is with curl:
curl -v -k "https://localhost:8088/services/collector/event" -H "Authorization: Splunk 9dd3e284-1619-4070-be37-59250cd52876" -d '{"event": "Hello, world!", "sourcetype": "manual"}'
With -v you will also get debug information.
r. Ismo
Hi!
I am doing the test from Lambda. So, is there any other way in which I could find out the exact error?

Then probably the easiest way is to set up another node in the same network where those Lambdas are run and test there. Quite often the reason is that your HEC servers' SG is missing that network.
r. Ismo
Do you mean assigning another port? I tried using port 8080 as well but the result was the same.

No, I mean that you must check what your security groups are for that HEC node at the AWS node level. In those you must add port 8088 to allow traffic from wherever you want. Without that, those events never reach the node; they are just dropped by the AWS security group definition. You can check these in the AWS Console.
r. Ismo
Hi!
I have checked in AWS and I see these in the inbound rules. Do I have to change anything? For the outbound rule it is assigned as access to all.node

r. Ismo
So that means I have to add a new inbound port?
Hello,
Thank you for your reply. I am actually a little new to this, so can you describe how it can be done?

r. Ismo


If this reply helps you, Karma would be appreciated.
Hello,
I have set the port to 8088 and issued the token. Do I have to do any additional settings?

You will at least have to:
- make sure your Lambda function runs in your VPC (so the network connection starts in your VPC and can reach your HEC port) (see https://docs.aws.amazon.com/lambda/latest/dg/configuration-vpc.html ) (unless your HEC can be accessed from outside your VPC)
- allow port TCP 8088 inbound in the security group (where you receive HEC) (connection refused -> probably your main issue as already pointed out above)
- you may also have to play with certificate checking options in your Lambda function (especially if you don't use a valid certificate for HEC)
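
An added example (not code from this thread or from Splunk) of a Node.js probe that could run inside the Lambda to separate the three checks listed above: it tries a plain TCP connect first, then the HEC POST from the curl test, and names the layer that failed. The function names and the environment variables HEC_HOST, HEC_TOKEN and HEC_CA_PEM are assumptions.

```javascript
// Added example (not from the thread). HEC_HOST, HEC_TOKEN, HEC_CA_PEM are assumed env var names.
const net = require('net');
const https = require('https');

// Map a Node.js error code to the layer that most likely failed.
function classifyHecError(code = '') {
  if (code === 'ECONNREFUSED') return 'listener'; // RST: nothing listening on that address:port
  if (['ETIMEDOUT', 'EHOSTUNREACH', 'ENETUNREACH'].includes(code)) return 'network'; // dropped or unroutable
  if (code === 'ENOTFOUND' || code === 'EAI_AGAIN') return 'dns';
  if (/CERT|VERIFY/.test(code)) return 'tls'; // e.g. DEPTH_ZERO_SELF_SIGNED_CERT
  return 'unknown';
}

// Inside Lambda, loopback is the function's own sandbox, never the Splunk host.
const isLoopback = (host) => /^(localhost|127\.\d+\.\d+\.\d+|::1)$/i.test(host);

const fail = (err) => ({ ok: false, code: err.code, layer: classifyHecError(err.code) });
const timedOut = () => Object.assign(new Error('timeout'), { code: 'ETIMEDOUT' });

// Step 1: plain TCP connect, no TLS or token involved.
function tcpProbe(host, port, timeoutMs = 3000) {
  return new Promise((resolve) => {
    const sock = net.connect({ host, port });
    sock.setTimeout(timeoutMs, () => sock.destroy(timedOut()));
    sock.once('connect', () => { sock.destroy(); resolve({ ok: true }); });
    sock.once('error', (err) => resolve(fail(err)));
  });
}

// Step 2: the same POST as the curl test, but verifying the certificate
// against a supplied CA (caPem) instead of switching verification off.
function hecPost(host, port, token, caPem) {
  const body = JSON.stringify({ event: 'Hello, world!', sourcetype: 'manual' });
  const headers = { Authorization: `Splunk ${token}`, 'Content-Length': Buffer.byteLength(body) };
  const opts = { host, port, path: '/services/collector/event', method: 'POST', headers, ca: caPem, timeout: 5000 };
  return new Promise((resolve) => {
    const req = https.request(opts, (res) => { res.resume(); resolve({ ok: res.statusCode === 200, status: res.statusCode }); });
    req.on('timeout', () => req.destroy(timedOut()));
    req.on('error', (err) => resolve(fail(err)));
    req.end(body);
  });
}

async function diagnose(host, port, token, caPem) {
  if (isLoopback(host)) return { ok: false, layer: 'listener', hint: 'loopback is the Lambda sandbox' };
  const tcp = await tcpProbe(host, port);
  return tcp.ok ? hecPost(host, port, token, caPem) : tcp;
}
exports.handler = () => diagnose(process.env.HEC_HOST, 8088, process.env.HEC_TOKEN, process.env.HEC_CA_PEM);
```

A security group that does not allow the port drops packets silently, so it normally surfaces as `ETIMEDOUT`; `ECONNREFUSED` means the target address answered but nothing was listening on that port, which points at the HEC listener or at the host name the function is using.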
I installed Splunk on AWS from an AMI, so it has an Elastic IP and can be accessed from other networks as well.
I tried adding another port with 8088 in the security group but the output is the same.
