Getting Data In

Using Splunk HEC and validating Certificates

Kamaal_Mohammed
New Member

Hi 

I have seen that when I am doing a post request to "https://splunk_host:8088/services/collector/event" with validate_cert=False its successfully sending the data to Splunk from my application. Where as when I tried with validate_cert=True i am getting errors like "Self signed Certificate error " or 

Cannot connect to host localhost:8088 ssl:default [[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:852)]

so what should I do to not get this error. 

Labels (1)
0 Karma

emallinger
Communicator

Hi,

Did you find what was wrong ?

I have a similar behaviour : curl with ssl to send HEC events works fine, but from a python app, not so well :

 

Socket error while idling: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number

 

Any idea ?

Thanks

Ema

0 Karma

codebuilder
Influencer

If you are trying to test sending data to your HEC then you need to pass in the token, not the certs.
Something like:

curl -k  https://hec.example.com:8088/services/collector/event -H "Authorization: Splunk B5A79AAD-D822-46CC-80D1-819F80D7BFB0" -d '{"event": "hello world"}'
{"text": "Success", "code": 0}


See the documentation for more info.
https://docs.splunk.com/Documentation/SplunkCloud/8.2.2106/Data/UsetheHTTPEventCollector#Send_data_t...

----
An upvote would be appreciated and Accept Solution if it helps!
0 Karma

Kamaal_Mohammed
New Member

Hi

I have done that with curl it works fine but when comes to my application when I try with 

request = HTTPRequest(url, method='POST', body=json.dumps(body), headers=headers)
response = await HttpUtils.make_async_request(request, eat_exceptions=False)

where URL is  

https://hec.example.com:8088/services/collector/event

and I am passing the token too like

headers = {'Authorization': 'Splunk B5A79AAD-D822-46CC-80D1-819F80D7BFB0'}

Still I am getting the error of 'SSL:-self-signed certificate in chain' whereas when I try with curl no error.

0 Karma

harsmarvania57
Ultra Champion

It looks like you are using Python to push data in Splunk via HEC, can you please let us know which python modules are you using?

0 Karma

anilchaithu
Builder

@Kamaal_Mohammed 

 

How did you configure ssl cert on this host? Is it using default cert OR CA-signed cert (internal OR external).

you can find this by using the btool command

/opt/splunk/bin/splunk btool inputs list http --debug | grep serverCert

You need to copy over the root cert from the above path to the source from which you are doing this post request.

 

 

-- Hope this helps

0 Karma
Get Updates on the Splunk Community!

New Dates, New City: Save the Date for .conf25!

Wake up, babe! New .conf25 dates AND location just dropped!! That's right, this year, .conf25 is taking place ...

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...

Observability protocols to know about

Observability protocols define the specifications or formats for collecting, encoding, transporting, and ...