Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Using Splunk HEC and validating Certificates

Kamaal_Mohammed
New Member
‎08-12-2021 07:38 AM

Hi 

I have seen that when I am doing a post request to "https://splunk_host:8088/services/collector/event" with validate_cert=False its successfully sending the data to Splunk from my application. Where as when I tried with validate_cert=True i am getting errors like "Self signed Certificate error " or 

Cannot connect to host localhost:8088 ssl:default [[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:852)]

so what should I do to not get this error. 

Labels (1)
Labels
0 Karma
Reply

emallinger
Communicator
‎02-09-2023 11:11 PM

Hi,

Did you find what was wrong ?

I have a similar behaviour : curl with ssl to send HEC events works fine, but from a python app, not so well :

 

Socket error while idling: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number

 

Any idea ?

Thanks

Ema

0 Karma
Reply

codebuilder
Influencer
‎08-12-2021 09:00 AM

If you are trying to test sending data to your HEC then you need to pass in the token, not the certs.
Something like:

curl -k  https://hec.example.com:8088/services/collector/event -H "Authorization: Splunk B5A79AAD-D822-46CC-80D1-819F80D7BFB0" -d '{"event": "hello world"}'
{"text": "Success", "code": 0}


See the documentation for more info.
https://docs.splunk.com/Documentation/SplunkCloud/8.2.2106/Data/UsetheHTTPEventCollector#Send_data_t...

----
An upvote would be appreciated and Accept Solution if it helps!
0 Karma
Reply

Kamaal_Mohammed
New Member
‎08-13-2021 01:42 AM

Hi

I have done that with curl it works fine but when comes to my application when I try with 

request = HTTPRequest(url, method='POST', body=json.dumps(body), headers=headers)
response = await HttpUtils.make_async_request(request, eat_exceptions=False)

where URL is  

https://hec.example.com:8088/services/collector/event

and I am passing the token too like

headers = {'Authorization': 'Splunk B5A79AAD-D822-46CC-80D1-819F80D7BFB0'}

Still I am getting the error of 'SSL:-self-signed certificate in chain' whereas when I try with curl no error.

0 Karma
Reply

harsmarvania57
Ultra Champion
‎08-13-2021 05:14 AM

It looks like you are using Python to push data in Splunk via HEC, can you please let us know which python modules are you using?

0 Karma
Reply

anilchaithu
Builder
‎08-12-2021 08:01 AM

@Kamaal_Mohammed 

 

How did you configure ssl cert on this host? Is it using default cert OR CA-signed cert (internal OR external).

you can find this by using the btool command

/opt/splunk/bin/splunk btool inputs list http --debug | grep serverCert

You need to copy over the root cert from the above path to the source from which you are doing this post request.

 

 

-- Hope this helps

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability Cloud's AI Assistant in Action Series: Auditing Compliance and ...

This is the third post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

What You Read The Most: Splunk Lantern’s Most Popular Articles!

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...
Top