HTTP Event collector - call not properly authenticated

sdkp03
Communicator

I have tried to set up the HTTP Event Collector via the CLI using the Splunk documentation link: https://docs.splunk.com/Documentation/Splunk/8.0.3/Data/UseHECfromtheCLI

The commands I have executed are as below:

    /opt/splunk/bin/splunk http-event-collector create sdapp01 -uri https://localhost:8089 -description "this is a new token" -disabled 1

    /opt/splunk/bin/splunk http-event-collector enable -name sdapp01 -uri https://localhost:8089 -auth admin:changeme

    curl -k -u admin:changeme https://localhost:8089/servicesNS/admin/splunk_httpinput/data/inputs/http

    splunk http-event-collector send -uri https://localhost:8089 -token 206f9ca0-24bd-48fd-95e8-dfdcaa17657a {"this is some data"}

    curl -k https://localhost:8089/services/collector -H 'Authorization: Splunk 206f9ca0-24bd-48fd-95e8-dfdcaa17657a' -d '{"sourcetype": "demo", "event":"Hello, world!"}'

While sending data I am getting the error below:

    <?xml version="1.0" encoding="UTF-8"?>
    <response>
      <messages>
        <msg type="WARN">call not properly authenticated</msg>
      </messages>
    </response>

Config details are as mentioned below:

local/inputs.conf

    [http://sdapp01]
    disabled = 0
    token = 206f9ca0-24bd-48fd-95e8-dfdcaa17657a

default/inputs.conf

    [http]
    disabled=1
    port=8088
    enableSSL=1
    dedicatedIoThreads=2
    maxThreads = 0
    maxSockets = 0
    useDeploymentServer=0
    # ssl settings are similar to mgmt server
    sslVersions=*,-ssl2
    allowSslCompression=true
    allowSslRenegotiation=true

Not sure what I have missed. The token is enabled, not expired. I have tried creating multiple tokens but am stuck with the same issue. Can someone please help?

Solution

masonmorales
Influencer

Change disabled=1 to disabled=0 and restart Splunk. Then change your curl command to port 8088, not 8089, and try again.

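The layering that the accepted answer relies on, shown as an added example (this is not code from the thread or from Splunk): splunkd reads default/inputs.conf first and lets every key in local/inputs.conf override it stanza by stanza, so a local file that only defines the [http://sdapp01] token stanza leaves the global [http] stanza at disabled=1 from default/, and nothing listens on 8088. The two file contents below are constructed to mirror what the question quotes, the helper names (parse_conf, effective_config, hec_status, diagnose, build_request) are mine, and the treatment of 8089 assumes the standard Splunk layout where 8089 is the management REST port and the HEC listener is a separate port (8088 by default).

```python
"""Effective HEC configuration after Splunk layers local/ over default/ (added example)."""
import configparser
import json
from typing import Dict, List, Tuple

# Constructed samples mirroring the two files quoted in the question.
DEFAULT_INPUTS = """\
[http]
disabled=1
port=8088
enableSSL=1
"""

LOCAL_INPUTS_BROKEN = """\
[http://sdapp01]
disabled = 0
token = 206f9ca0-24bd-48fd-95e8-dfdcaa17657a
"""

# The fix from the accepted answer: enable the global listener stanza in local/.
LOCAL_INPUTS_FIXED = LOCAL_INPUTS_BROKEN + """\
[http]
disabled = 0
"""

FALSE_VALUES = ("0", "false", "f", "no", "n")  # Splunk's boolean spellings for "off"


def parse_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse .conf text into {stanza: {key: value}}, preserving key case as Splunk does."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return {stanza: dict(cp[stanza]) for stanza in cp.sections()}


def effective_config(default_text: str, local_text: str) -> Dict[str, Dict[str, str]]:
    """Layer local/ over default/: a key present in both takes the local value."""
    merged = parse_conf(default_text)
    for stanza, keys in parse_conf(local_text).items():
        merged.setdefault(stanza, {}).update(keys)
    return merged


def is_disabled(keys: Dict[str, str], default: str) -> bool:
    return keys.get("disabled", default).strip().lower() not in FALSE_VALUES


def hec_status(conf: Dict[str, Dict[str, str]]) -> Tuple[bool, int, Dict[str, str]]:
    """Return (listener enabled, listener port, {token name: token value}) for enabled tokens."""
    glob = conf.get("http", {})
    listener_enabled = not is_disabled(glob, default="1")  # HEC is off unless turned on
    port = int(glob.get("port", "8088"))
    tokens = {
        stanza[len("http://"):]: keys.get("token", "")
        for stanza, keys in conf.items()
        if stanza.startswith("http://") and not is_disabled(keys, default="0")
    }
    return listener_enabled, port, tokens


def diagnose(default_text: str, local_text: str) -> List[str]:
    """List the reasons a HEC send would fail under this configuration (empty = looks fine)."""
    enabled, port, tokens = hec_status(effective_config(default_text, local_text))
    findings = []
    if not enabled:
        findings.append(
            f"[http] stanza is disabled (inherited from default/): nothing listens on port {port}, "
            "so curl reports 'couldn't connect to host'. Add a [http] stanza with disabled = 0 "
            "to local/inputs.conf and restart splunkd."
        )
    if not tokens:
        findings.append("no enabled token stanza: create one with 'splunk http-event-collector create'")
    return findings


def build_request(port: int, token: str, event: str, sourcetype: str = "") -> Tuple[str, Dict[str, str], str]:
    """Return (url, headers, body) for one HEC event on the listener port.
    8089 is splunkd's management REST port, which authenticates Splunk users and sessions;
    a HEC token sent there is ignored and the reply is 'call not properly authenticated'."""
    if port == 8089:
        raise ValueError("8089 is the management port; send HEC events to the HEC listener port")
    payload = {"event": event}
    if sourcetype:
        payload["sourcetype"] = sourcetype
    return (
        f"https://localhost:{port}/services/collector/event",
        {"Authorization": f"Splunk {token}", "Content-Type": "application/json"},
        json.dumps(payload),
    )


if __name__ == "__main__":
    for label, local in (("as posted", LOCAL_INPUTS_BROKEN), ("after the fix", LOCAL_INPUTS_FIXED)):
        print(label, "->", diagnose(DEFAULT_INPUTS, local) or ["HEC listener enabled, token present"])
```

Running the block prints the finding for the configuration as posted and an empty finding list after the [http] stanza is added, which is exactly the difference between "couldn't connect to host" on 8088 and a successful send.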

tauliang
Communicator

Here is my take:

  • It might be a red herring, but are you sure the credentials are accepted at the CLI? In Splunk 8.0.x, if you use the default admin credentials, it would ask the user to change the password from changeme to something else before it allows the user to do anything else.

    $ ./splunk http-event-collector create sdapp01 -uri https://localhost:8089 -description "this is a new token" -disabled 1
    Splunk username: admin
    Password: 
    The administrator requires you to change your password.
    Please enter a new password: 
    
  • Also, can you go to Splunk Web and make sure that this HEC token is indeed shown as enabled there? If not, click on Global Settings and make sure that Enabled is set there.

  • IF STILL TO NO AVAIL, TRY THIS, this is the nuke of all the CLI commands arsenal for HEC, this is the ULTIMATE ULTIMATE WEAPON

    curl -k https://127.0.0.1:8088/services/collector/event -H "Authorization: Splunk [your token]" -d '{"event": "Dodge this!"}'

And at the end of all this, you should be able to get a response saying

    {"text":"Success","code":0}

Then go to Splunk Web to do a search:

    source=http:sdapp01

You should be able to see the event there. Good luck!

sdkp03
Communicator

I have verified from the web console and can confirm that the token is enabled. I did try executing the ULTIMATE WEAPON command, still no luck. I have pasted the output here for your reference:

    [splunk@## ~]$ curl -k https://127.0.0.1:8088/services/collector/event -H "Authorization: Splunk 206f9ca0-24bd-48fd-95e8-dfdcaa17657a" -d '{"event": "Dodge this!"}'
    curl: (7) couldn't connect to host
    [splunk@## ~]$ curl -k https://127.0.0.1:8089/services/collector/event -H "Authorization: Splunk 206f9ca0-24bd-48fd-95e8-dfdcaa17657a" -d '{"event": "Dodge this!"}'

    <msg type="WARN">call not properly authenticated</msg>

For some strange reason 8088 doesn't work for me, as I am always prompted with the error "host not found". When I use port 8089, I end up with the error "call not authenticated".

tauliang
Communicator

This is strange indeed. Did you see any other errors in the _internal index?
Also, if you do a port scan of local ports, what do you see? Is port 8088 open?

    Port Scan has started…

    Port Scanning host: 127.0.0.1

         Open TCP Port:     8000        irdmi
         Open TCP Port:     8065
         Open TCP Port:     8088        radan-http
         Open TCP Port:     8089
         Open TCP Port:     8191
    Port Scan has completed…

sdkp03
Communicator

I had to add an extra stanza in local/inputs.conf:

    [http]
    disabled=1

That's it, and it works like magic.

sdkp03
Communicator

In local/inputs.conf, the disabled field is set to 0. I have restarted the Splunk services multiple times and don't see any change. I have tried accessing port 8088, and the output was "couldn't connect to host!"

tauliang
Communicator

Did you restart Splunk after enabling HEC?


sdkp03
Communicator

Yes, I did restart multiple times, but with no luck.