Splunk Cloud Trial and Http Event Collector - NOT WORKING

simpkins1958
Contributor

I have the 15 day trial version of Splunk Cloud. The Http Event Collector documentation http://dev.splunk.com/view/event-collector/SP-CAAAE7F says: Note: To turn on HTTP Event Collector in Splunk Cloud, file a request ticket with Splunk Support.

Since this is a trial version I am not allowed to submit a support ticket. How do I get Http Event Collector enabled?

1 Solution

gblock_splunk
Splunk Employee

Hi @simpkins1958.

You can now enable HTTP Event Collector yourself in Trial / Single Instance. Go to Settings->Data Inputs->HTTP Event Collector; from there you can enable the collector and create a token.

In order to create requests, you need to prefix the URI of your cloud instance with "input-", i.e. see the curl below

curl -k https://input-prd-p-j65vnzzl9wc8.cloud.splunk.com:8088/services/collector -H 'Authorization: Splunk 498FEC9B-86E2-4CD0-B489-4A55E2D52B07' -d '{"event":"event1"} {"event":"event2"}'

Notice I've added "input-" then the instance. Also the port + /services/collector endpoint are there.

As a side note, Splunk Cloud trial uses a self-signed cert, so you need to disable cert validation if using HTTPS, which is what the '-k' switch does with curl.

Let me know if you have any issues.

Thanks
Glenn

kayvank
New Member

For the trial account you can do this manually.
For the paid subscription of Splunk Cloud, you have to open a ticket with Splunk & they will generate the token & open the port.
Kayvan

0 Karma

gblock_splunk
Splunk Employee

Want to give an update here. I am working directly with Microsoft now as it looks like there "may" be a bug in the HTTP stack for .NET that is preventing you from ignoring self-signed Elliptical Curved Certs (which Splunk Cloud uses). I'll update back when I know for sure and if there are any next steps.

0 Karma

simpkins1958
Contributor

Thanks for the update.

0 Karma

gblock_splunk
Splunk Employee

New update.

This will not work today in cloud trial or single instance. We are addressing this though and should have this fixed in a few weeks.

I have validated that it works fine in a clustered Splunk Cloud environment.

Thanks for your patience.

0 Karma

voffka_otryshko
Explorer

@gblock_splunk - has it been addressed? I'm still getting "The request was aborted: Could not create SSL/TLS secure channel." while trying to send an event to Http EventCollector on Splunk Cloud instance. I tried all combinations of SecurityProtocol with and without Expect100Continue set.

I enabled Http Event Collector in Global Settings of my Splunk Cloud instance and use https://input-prd-p-j7g8t4ng4kxc.cloud.splunk.com:8088/services/collector/event as a post target url.

The same client code worked for an on-prem install of Splunk Light.

Thanks
Voffka

0 Karma

aidanmorgan
New Member

@gblock_splunk has it been addressed? I activated a new Splunk Cloud trial today and I am hitting this error. I've even manually installed the generated certificate into my certificate store and it still returns this error.

0 Karma

emasyakin
Engager

I'm investigating a tool for .NET app logs management. This issue killed 2 days of my time.
Why to use trial with self-signed cert with outdated security cipher while you have readily available *.cloud.splunk.com that you can use instead?

Still my logs do not come from .NET app over https to trial box. And yes - https is a requirement.

I tried pretty much every .NET https security option and their combinations I could.

simpkins1958
Contributor

Thanks Glenn. I added the prefix and postfix and I am able to get it to work with curl. But it is not working when using from our C# code using our version of Splunk.Logging.Common. HTTPS is working fine from our C# code when sending data to an on prem instance of Splunk, but not Splunk Cloud. I will keep investigating.

0 Karma

kayvank
New Member

input- resolved my issue too. thanks

0 Karma

simpkins1958
Contributor

And we have disabled cert validation using:

            // Accepts any server certificate for every HTTPS request in the process.
            ServicePointManager.ServerCertificateValidationCallback += (sender, certificate, chain, sslPolicyErrors) =>
            {
                return true;
            };

0 Karma
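
An added example, not part of the original post or of Splunk's libraries: instead of a process-wide callback that returns true, the self-signed certificate can be pinned by its SHA-256 fingerprint on a single HttpClientHandler. It assumes .NET Framework 4.7.1+ or .NET Core; the URL, token and fingerprint are placeholders, and the class and method names are hypothetical. Pinning only narrows what the client trusts; it does not change the "Could not create SSL/TLS secure channel" failure reported in this thread, which persisted with validation disabled.

```csharp
using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;
using System.Threading.Tasks;

static class PinnedHecClient
{
    // Placeholders (assumptions): your own instance, token and certificate fingerprint,
    // e.g. the output of `openssl x509 -noout -fingerprint -sha256` for the server cert.
    const string HecUrl = "https://input-<your-instance>.cloud.splunk.com:8088/services/collector";
    const string HecToken = "<your-hec-token>";
    const string PinnedSha256 = "<hex-sha256-of-server-certificate>";

    // True only when the presented leaf certificate is byte-for-byte the pinned one.
    static bool IsPinned(X509Certificate2 cert)
    {
        if (cert == null) return false;
        using (var sha = SHA256.Create())
        {
            string actual = BitConverter.ToString(sha.ComputeHash(cert.RawData)).Replace("-", "");
            return string.Equals(actual, PinnedSha256.Replace(":", ""), StringComparison.OrdinalIgnoreCase);
        }
    }

    static async Task Main()
    {
        var handler = new HttpClientHandler
        {
            // Scoped to this handler; other HTTPS calls in the process keep default validation.
            ServerCertificateCustomValidationCallback = (request, cert, chain, errors) => IsPinned(cert)
        };
        using (var client = new HttpClient(handler))
        {
            client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Splunk", HecToken);
            // Same batch shape as the curl command above: JSON event objects back to back.
            var body = new StringContent("{\"event\":\"event1\"} {\"event\":\"event2\"}",
                                         Encoding.UTF8, "application/json");
            HttpResponseMessage resp = await client.PostAsync(HecUrl, body);
            Console.WriteLine((int)resp.StatusCode + " " + await resp.Content.ReadAsStringAsync());
        }
    }
}
```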

simpkins1958
Contributor

InnerException is:

  • InnerException {"The request was aborted: Could not create SSL/TLS secure channel."} System.Exception {System.Net.WebException}

0 Karma

gblock_splunk
Splunk Employee
Splunk Employee

Try setting the security policy to use TLS.

ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls;

0 Karma

gblock_splunk
Splunk Employee

I am going to do a test against a trial instance we just deployed and see if that works.

0 Karma

gblock_splunk
Splunk Employee

Jim, what version of Windows are you running? Splunk Cloud uses Elliptical Curve certs. I've noticed on Stack Overflow, some folks having issues with this type of cert.

0 Karma

simpkins1958
Contributor

My dev VM I am running from is Windows 2008 R2. I will try on a Windows 2012 server.

0 Karma

gblock_splunk
Splunk Employee

OK, I found something based on this article.

Try this:

ServicePointManager.Expect100Continue = true;

0 Karma

gblock_splunk
Splunk Employee

Looks like there are multiple reasons this can happen. I am going to try Windows 10 and see if I experience the same.

0 Karma

simpkins1958
Contributor

I tried on Windows 2012 R2 server, and it is also not working with Splunk Cloud but works with my local Splunk server.

0 Karma

gblock_splunk
Splunk Employee

I tried on Windows 10, and am hitting the same issue. My strong hunch at this point is the Elliptical Curve certs may be the issue, though I cannot say for sure.

0 Karma