I was wondering if anyone has successfully onboarded KnowBe4 data? I don't see a TA or App on Splunkbase.
I tried the configuration mentioned in the document, but it doesn't seem to be working for me. Does anyone have any more updated documentation on how this can be done?
Hi @anmolxmr
May I know which step you got stuck on or what error you got?
The more details you give, the better the replies/answers will be, thanks.
Hey @inventsekar, context: I am using Splunk Enterprise 9.4.7 and my HF is running 9.2.6
1. Created the KnowBe4 HEC Token on Heavy Forwarder
2. Created the index on the CM and pushed to the indexer cluster
3. Checked the FW logs and found that FW is accepting events from KnowBe4 IPs
4. Set up the index, sourcetype and
5. Crafted a test HEC payload and sent to HF via localhost (the HF itself) and confirmed the events are being indexed to the "Default" index
6. Added the URL and necessary details to KnowBe4 following the developer's document (except for the Authorization parameter, which I am unable to set up).
The missing items are as follows:
1. Haven't created the indexes.conf file on the HF, so I am unable to select the index from the drop-down within the HEC token settings on the UI.
2. On the KnowBe4 side when I try to add the Authorization parameter with value "Splunk <HEC TOKEN>", it gives me an error saying "This value is blacklisted". Raised a support case with KnowBe4.
There is no ERROR or WARN log for any meaningful troubleshooting, so I am unable to proceed further on this request. Raised a Splunk support ticket as well, so that is in progress too.
Any ideas?
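For step 5 above (the HEC smoke test from the HF itself), here is an added example of the kind of test I would run; it is not part of the original post. The host, port, token, index name `knowbe4` and sourcetype `knowbe4:events` are placeholders. The point it shows is the exact header HEC wants (`Authorization: Splunk <token>`, not `Bearer`) and how to read the JSON reply code HEC returns, so a token/index mismatch shows up as a non-zero code instead of the event quietly landing in the token's default index.

```shell
#!/bin/sh
# Added example (not from the original post). HEC_HOST, HEC_PORT and HEC_TOKEN are
# placeholders; the token below is a dummy value, not a real one.
HEC_HOST="${HEC_HOST:-127.0.0.1}"    # sending from the HF itself, as in step 5
HEC_PORT="${HEC_PORT:-8088}"
HEC_TOKEN="${HEC_TOKEN:-00000000-0000-0000-0000-000000000000}"

# HEC expects the scheme word "Splunk", not "Bearer", in front of the token.
hec_auth_header() {
  printf 'Authorization: Splunk %s' "$1"
}

# Minimal event payload. Naming index and sourcetype in the body makes a wrong
# token/index mapping visible: HEC answers with a non-zero code instead of
# silently putting the event into the token's default index.
hec_payload() {
  # $1 = index, $2 = sourcetype, $3 = event text
  printf '{"event":"%s","index":"%s","sourcetype":"%s","source":"hec-smoke-test"}' "$3" "$1" "$2"
}

# HEC replies with JSON such as {"text":"Success","code":0}; anything but code 0 is a failure.
hec_ok() {
  case "$1" in
    *'"code":0'*) return 0 ;;
    *)            return 1 ;;
  esac
}

# Short reason for the most common reply codes (numbers as used in HEC's JSON replies).
hec_reason() {
  case "$1" in
    *'"code":0'*) echo "success" ;;
    *'"code":3'*) echo "invalid authorization (header missing or not 'Splunk <token>')" ;;
    *'"code":4'*) echo "invalid token" ;;
    *'"code":7'*) echo "incorrect index (token not allowed to write to it, or index unknown on the HF)" ;;
    *)            echo "other failure: $1" ;;
  esac
}

# Send one event. -k skips server-cert checks for a lab/self-signed HF cert only;
# the remote sender does no such thing, so a properly chained cert is still needed there.
hec_send() {
  curl -sS -k "https://${HEC_HOST}:${HEC_PORT}/services/collector/event" \
    -H "$(hec_auth_header "$HEC_TOKEN")" \
    -d "$(hec_payload "$1" "$2" "$3")"
}

# Unauthenticated liveness check of the HEC endpoint itself.
hec_health() {
  curl -sS -k "https://${HEC_HOST}:${HEC_PORT}/services/collector/health"
}

# Only contacts the HF when HEC_RUN is set, so the file can be sourced just for the helpers.
if [ -n "${HEC_RUN:-}" ]; then
  hec_health; echo
  resp=$(hec_send knowbe4 knowbe4:events "hec smoke test $(date -u +%FT%TZ)")
  echo "$resp"
  hec_reason "$resp"
  hec_ok "$resp"
fi
```

Run it as `HEC_RUN=1 HEC_TOKEN=<your token> sh hec-smoke.sh` on the HF. If the reply is code 7 while the index exists on the indexers, the HF itself does not know the index (the missing indexes.conf on the HF mentioned above); if it is code 3, the header is not in the `Splunk <token>` form.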
Hi @anmolxmr
The KnowBe4 side refuses to accept the Auth token value, raising a support case with KnowBe4 support (https://support.knowbe4.com/hc/en-us/requests/new)
seems to be the better way to fix this.
Also, the guide seems to be misleading. They set the auth to Bearer Token and add the Splunk token there, which makes no sense to me.
That will add a header called Authorization with the value `Bearer yourHECtoken`.
Then under custom headers, they add the same header again, but with the (proper) value `Splunk yourHECtoken`. I would for sure set Auth to None and see if that helps, thanks.
----------------------------------------------------------------------------------------------
If this post or any post addressed your question, could you pls:
Give it karma to show appreciation
PS - As of Apr 2026, my Karma Given is 2290 and my Karma Received is 494, lets revamp the Karma Culture!
Thanks and best regards, Sekar
----------------------------------------------------------------------------------------------
The integration still doesn't work. Getting the following error on the Heavy Forwarder where the connection has been made:
`WARN HttpListener [6454 HttpDedicatedIoThread-1] - Socket error from <KnowBe4 IP address> while idling: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca - please check the output of the openssl verify command for certificates involved; note that if certificate validation is enabled (requireClientCert or sslVerifyServerCert set to "true"), the CA certificate and the server certificate should not have the same Common Name.`
Hi @anmolxmr
May I know if you checked the `openssl verify` command for the certificates involved?
also there is a discussion about this issue on the Splunk Slack Channel, could you pls check:
https://splunkcommunity.slack.com/archives/CDE623ETD/p1776776953119089
Thanks and best regards, Sekar
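As an added example (not part of either post above), here is how I would do the `openssl` checks the warning text asks for. The host, port and certificate paths are assumptions; adjust them to the HF's HEC port and wherever its server cert and CA cert live. Since "tlsv1 alert unknown ca" is sent by the remote client, the useful questions are: what chain does the HF actually serve on the HEC port, does the server cert verify against the intended CA, and do the CA and server cert share a Common Name (the second condition the warning calls out).

```shell
#!/bin/sh
# Added example (not from the thread). HF_HOST, HF_PORT, CA_FILE and SERVER_CERT are
# assumed values; adjust to the HF's real HEC port and certificate paths.
HF_HOST="${HF_HOST:-hf.example.internal}"
HF_PORT="${HF_PORT:-8088}"
CA_FILE="${CA_FILE:-/opt/splunk/etc/auth/mycerts/ca.pem}"
SERVER_CERT="${SERVER_CERT:-/opt/splunk/etc/auth/mycerts/hf.pem}"

# What the HF really serves on the HEC port. The "unknown ca" alert is sent by the
# remote client, so the question is whether this chain closes at a CA the client trusts.
dump_served_chain() {
  openssl s_client -connect "${HF_HOST}:${HF_PORT}" -servername "$HF_HOST" -showcerts </dev/null 2>/dev/null
}

# The check named in the warning: does the server cert verify against the intended CA?
verify_chain() {
  openssl verify -CAfile "$CA_FILE" "$SERVER_CERT" 2>&1
}

# `openssl verify` prints "<file>: OK" on success and an "error N at depth ..." line otherwise.
verify_ok() {
  case "$1" in
    *': OK'*) return 0 ;;
    *)        return 1 ;;
  esac
}

# Pull the CN out of an `openssl x509 -noout -subject` line; handles both the
# "subject=C = US, CN = hf" and the older "subject=/C=US/CN=hf" layouts.
cn_of() {
  printf '%s\n' "$1" | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# The warning also says CA and server cert must not share a Common Name when
# validation is on; this flags that case from the two subject lines.
same_cn() {
  [ "$(cn_of "$1")" = "$(cn_of "$2")" ]
}

subject_of() {
  openssl x509 -noout -subject -in "$1"
}

# Runs the live checks only when both files exist, so the helpers can be sourced on their own.
if [ -r "$CA_FILE" ] && [ -r "$SERVER_CERT" ]; then
  out=$(verify_chain)
  echo "$out"
  verify_ok "$out" || echo "chain does not close against $CA_FILE"
  if same_cn "$(subject_of "$CA_FILE")" "$(subject_of "$SERVER_CERT")"; then
    echo "CA and server cert share a CN; reissue one of them"
  fi
fi
```

Even when `verify_chain` reports OK locally, the remote sender only trusts CAs in its own store, so a private CA on the HF will still produce "unknown ca" from a SaaS client; compare the chain from `dump_served_chain` with what the sender is known to trust, which is why a publicly trusted cert for a real domain is the usual fix in the SaaS-to-on-prem case.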
@inventsekar thanks for your help. I've joined the Slack community and tried a recommendation from there as well with no success.
Since we are ingesting the logs from SaaS to on-prem, the issue is likely in the SSL cert validation. We have requested a domain and an associated SSL cert.
Also scheduled a call with KnowBe4 support. Hopefully we are nearing resolution on this.
According to the developer, it can be done with HEC:
https://infosecwriteups.com/knowbe4-to-splunk-33c5bdd53e29