I am trying to call a 3rd-party API which supports certificate- and key-based authentication. I have an on-prem instance of Splunk (Version: 9.0.2) running on a VM. I have verified the API response on the VM via the curl command (Command used: curl --cert <"path to .crt file"> --key <"path to .key file"> --header "Authorization: <token>" --request GET <"url">), which gives a response for a normal user. However, when running the same curl command using shell in Splunk Add-on Builder's Modular Data Inputs, the command only works with "sudo"; otherwise it gives Error 403. When checked with "whoami", it returns the user as root.
Question 1:
Why is the curl command not working without using sudo even when the user is root? Is there any configuration that I need to modify to make it work without using sudo?
Question 2:
How do I make the same API call using Python code in Modular Data Inputs of Splunk Add-on Builder?
Thank you for your response @PickleRick. I tried running curl in verbose mode. After a successful connection to the proxy, I am getting the error below, but I am unable to locate the squid.conf file.
X-Squid-Error: ERR_ACCESS_DENIED 0
Squid is not part of Splunk Enterprise installation. So if you're hitting squid it means either it is working as a reverse-proxy for your target service or you connect to it in order to perform the outbound connection.
Also - if your proxy is doing TLS inspection, cert-based mutual authentication won't work unless you create an exception in your inspection policy.
1. Run curl with -v to see its operation verbosely. Most probably you're trying to read cryptographic material from a directory you don't have access to.
2. In order to use client certificates you can do it like this:
https://requests.readthedocs.io/en/latest/user/advanced/#client-side-certificates
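The following is an added example, not code from the thread or from Splunk: a Python version of the curl call above using the `requests` client-certificate option from the linked documentation, with checks for the two failure causes raised in the replies (unreadable key material, and a 403 that comes from the Squid proxy rather than the API). The function names are hypothetical, and it assumes `requests` is importable in the modular input's Python environment.

```python
import os

def preflight(cert_path, key_path):
    """Problems that would stop the client certificate from being loaded."""
    problems = []
    for label, path in (("certificate", cert_path), ("private key", key_path)):
        if not os.path.isfile(path):
            problems.append(f"{label} not found: {path}")
        elif not os.access(path, os.R_OK):
            problems.append(f"{label} not readable by uid {os.geteuid()}: {path}")
    return problems

def proxy_settings(environ=None):
    """Proxy variables requests would honour; these can differ between a
    login shell, sudo and the environment a modular input runs in."""
    environ = os.environ if environ is None else environ
    names = ("http_proxy", "https_proxy", "all_proxy", "no_proxy")
    return {k: v for k, v in environ.items() if k.lower() in names}

def denied_by(status_code, headers):
    """Tell a proxy refusal (Squid adds X-Squid-Error) from the API's own 403."""
    if status_code != 403:
        return None
    lowered = {k.lower(): v for k, v in headers.items()}
    return "proxy" if "x-squid-error" in lowered else "api"

def call_api(url, token, cert_path, key_path, timeout=30):
    """Equivalent of: curl --cert CRT --key KEY --header "Authorization: TOKEN" URL"""
    import requests  # imported here so the checks above work without it

    problems = preflight(cert_path, key_path)
    if problems:
        raise RuntimeError("; ".join(problems))
    response = requests.get(
        url,
        headers={"Authorization": token},
        cert=(cert_path, key_path),  # requests needs the key file unencrypted
        timeout=timeout,
    )
    source = denied_by(response.status_code, response.headers)
    if source:
        raise RuntimeError(f"403 from {source}; proxies in use: {proxy_settings()}")
    response.raise_for_status()
    return response
```

Logging the result of `proxy_settings()` from inside the modular input and from the shell where curl succeeds shows whether the two runs go through the same proxy.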