Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Using Splunk HEC and validating Certificates

Kamaal_Mohammed
New Member
‎08-12-2021 07:38 AM

Hi 

I have seen that when I am doing a post request to "https://splunk_host:8088/services/collector/event" with validate_cert=False its successfully sending the data to Splunk from my application. Where as when I tried with validate_cert=True i am getting errors like "Self signed Certificate error " or 

Cannot connect to host localhost:8088 ssl:default [[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:852)]

so what should I do to not get this error. 

Labels (1)
Labels
0 Karma
Reply

emallinger
Communicator
‎02-09-2023 11:11 PM

Hi,

Did you find what was wrong ?

I have a similar behaviour : curl with ssl to send HEC events works fine, but from a python app, not so well :

 

Socket error while idling: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number

 

Any idea ?

Thanks

Ema

0 Karma
Reply

codebuilder
Influencer
‎08-12-2021 09:00 AM

If you are trying to test sending data to your HEC then you need to pass in the token, not the certs.
Something like:

curl -k  https://hec.example.com:8088/services/collector/event -H "Authorization: Splunk B5A79AAD-D822-46CC-80D1-819F80D7BFB0" -d '{"event": "hello world"}'
{"text": "Success", "code": 0}


See the documentation for more info.
https://docs.splunk.com/Documentation/SplunkCloud/8.2.2106/Data/UsetheHTTPEventCollector#Send_data_t...

----
An upvote would be appreciated and Accept Solution if it helps!
0 Karma
Reply

Kamaal_Mohammed
New Member
‎08-13-2021 01:42 AM

Hi

I have done that with curl it works fine but when comes to my application when I try with 

request = HTTPRequest(url, method='POST', body=json.dumps(body), headers=headers)
response = await HttpUtils.make_async_request(request, eat_exceptions=False)

where URL is  

https://hec.example.com:8088/services/collector/event

and I am passing the token too like

headers = {'Authorization': 'Splunk B5A79AAD-D822-46CC-80D1-819F80D7BFB0'}

Still I am getting the error of 'SSL:-self-signed certificate in chain' whereas when I try with curl no error.

0 Karma
Reply

harsmarvania57
Ultra Champion
‎08-13-2021 05:14 AM

It looks like you are using Python to push data in Splunk via HEC, can you please let us know which python modules are you using?

0 Karma
Reply

anilchaithu
Builder
‎08-12-2021 08:01 AM

@Kamaal_Mohammed 

 

How did you configure ssl cert on this host? Is it using default cert OR CA-signed cert (internal OR external).

you can find this by using the btool command

/opt/splunk/bin/splunk btool inputs list http --debug | grep serverCert

You need to copy over the root cert from the above path to the source from which you are doing this post request.

 

 

-- Hope this helps

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...