Getting Data In

HTTP Event Collector: Why am I getting error "Invalid authorization" with my WEBHOOK_URL?

lpolo
Motivator

Can someone tell me why this is failing with Invalid authorization? I think that the endpoint is as documented.

WEBHOOK_URL = 'https://localhost:8088/services/collector/event'
#headers = {'Content-Type': 'application/json'}
headers={'Authorization': 'A1DD6F1E-0F63-40CF-9A15-C82B36AFD89F', 'Content-Type': 'application/json'}


message = { "index":"main", "sourcetype":"xqe_metric", "event":"Testing"}

print WEBHOOK_URL, headers, message

connection = httplib.HTTPSConnection('localhost:8088')
connection.request('POST', WEBHOOK_URL, json.dumps(message), headers)

response = connection.getresponse()
print response.read().decode(), '/n'

Response

    <module 'time' from '/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/lib-dynload/time.so'>   Failed="no"
http://localhost:8088/services/collector/event {'Content-Type': 'application/json', 'Authorization': 'A1DD6F1E-0F63-40CF-9A15-C82B36AFD89F'} {'index': 'main', 'sourcetype': 'xqe_metric', 'event': 'Testing'}
{"text":"Invalid authorization","code":3} /n

alt text

1 Solution

richgalloway
SplunkTrust
SplunkTrust

Looking at the example at http://docs.splunk.com/Documentation/Splunk/6.3.3/Data/UsetheHTTPEventCollector, the "Authorization" header includes the word "Splunk" whereas your code does not. Try that.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

gblock_splunk
Splunk Employee
Splunk Employee

I see you are using HTTPS. Just as a side note, as you sending to your local instance, the SSL cert is probably not valid in which case the request will be rejected unless you configure you client to ignore cert validation.

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Looking at the example at http://docs.splunk.com/Documentation/Splunk/6.3.3/Data/UsetheHTTPEventCollector, the "Authorization" header includes the word "Splunk" whereas your code does not. Try that.

---
If this reply helps you, Karma would be appreciated.

lpolo
Motivator

Thanks. I saw the problem thanks to your observation.

0 Karma

shamscw
Engager

Hi Guys,

I have a similar problem - I'm using a HTTP event collector and installed an iApp for F5 load balancers.
I can see the F5 sending keys as follows from a packet capture:

Member Key: time
Member Key: host
Member Key: source
Member Key: sourcetype
Member Key: event

I can see the Splunk Server responding like this:

Member Key: text
String Value: Invalid authorization
Key: text

Member Key: code
Number Value: 3
Key: code

Where in Splunk do I configure the above Member Key which is causing an invalid authorization?

Thanks!

0 Karma

richgalloway
SplunkTrust
SplunkTrust

If your problem is solved please accept the answer.

---
If this reply helps you, Karma would be appreciated.
0 Karma

gblock_splunk
Splunk Employee
Splunk Employee

Rich is correct!

0 Karma

richgalloway
SplunkTrust
SplunkTrust

The WEBHOOK_URL variable has unbalanced quotes and parens in it. If it's a not a typo in the question then it could explain the problem.

---
If this reply helps you, Karma would be appreciated.
0 Karma

lpolo
Motivator

Thanks, I updated the code and response it had a typo.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...