Getting Data In

OTEL splunk_hec receiver how to handle invalid tokens

mookiie2005
Communicator

Hello All,

I am trying to build a open telemetry collector for splunk_hec receiver.  I am able to get it working and route the data to a tenant based on the token value sent in.  What I wanted to do was have a way to handle invalid tokens. Obviously I do not want to ingest traffic with an invalid token, but I would like visability into this. Is anyone aware of a way to log some sort of message to indicate that a bad token was sent in and what that token value was and log that to a specific tenant.

Here is an example confiog like:

- set(resource.attributes["log.source"], "otel.hec.nonprod.fm-mobile-backend-qa") where IsMatch(resource.attributes["com.splunk.hec.access_token"], "9ff3a68d-XXXX-XXXX-XXXX-XXXXXXXXXXXX")

Can I do an else or a wild card value?
- set(resource.attributes["log.source"], "otel.hec.nonprod.fm-mobile-backend-qa") where IsMatch(resource.attributes["com.splunk.hec.access_token"], "********-****-****-*********")

Or some other way to log a message to the otel collector with info like host or ip and the token value that was sent?  I am just looking into gaining visibility into invalid token data sent. 

Labels (1)
Tags (1)
0 Karma

dural_yyz
Motivator

By default the Splunk server receiving HEC is set to only log INFO and above.  If you have a very limited number of receiving end points you can temporarily increase to DEBUG and above for logging.  If you have a small number of HF's or IDX tier then this is feasible, if you have a large IDX tier then it's not so easy.

The debug will be specifically helpful in identifying the source of bad connection attempts.  I don't recall the token being visible and since any invalid token has no categorization with internal input configurations some real advanced answers are unlikely.  I also don't recall any capability to receive and process data without a valid token as it would create data poisoning issues along with license capacity issues to do so.

dural_yyz_0-1734538912563.png

UPDATE

Sorry, it just dawned on me this was for OTEL not Splunk receiving. 

0 Karma
Get Updates on the Splunk Community!

Splunk Enterprise Security 8.0.2 Availability: On cloud and On-premise!

A few months ago, we released Splunk Enterprise Security 8.0 for our cloud customers. Today, we are excited to ...

Logs to Metrics

Logs and Metrics Logs are generally unstructured text or structured events emitted by applications and written ...

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...