Getting Data In

Using Splunk HEC and validating Certificates

Kamaal_Mohammed
New Member

Hi 

I have seen that when I am doing a post request to "https://splunk_host:8088/services/collector/event" with validate_cert=False its successfully sending the data to Splunk from my application. Where as when I tried with validate_cert=True i am getting errors like "Self signed Certificate error " or 

Cannot connect to host localhost:8088 ssl:default [[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:852)]

so what should I do to not get this error. 

Labels (1)
0 Karma

emallinger
Communicator

Hi,

Did you find what was wrong ?

I have a similar behaviour : curl with ssl to send HEC events works fine, but from a python app, not so well :

 

Socket error while idling: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number

 

Any idea ?

Thanks

Ema

0 Karma

codebuilder
Influencer

If you are trying to test sending data to your HEC then you need to pass in the token, not the certs.
Something like:

curl -k  https://hec.example.com:8088/services/collector/event -H "Authorization: Splunk B5A79AAD-D822-46CC-80D1-819F80D7BFB0" -d '{"event": "hello world"}'
{"text": "Success", "code": 0}


See the documentation for more info.
https://docs.splunk.com/Documentation/SplunkCloud/8.2.2106/Data/UsetheHTTPEventCollector#Send_data_t...

----
An upvote would be appreciated and Accept Solution if it helps!
0 Karma

Kamaal_Mohammed
New Member

Hi

I have done that with curl it works fine but when comes to my application when I try with 

request = HTTPRequest(url, method='POST', body=json.dumps(body), headers=headers)
response = await HttpUtils.make_async_request(request, eat_exceptions=False)

where URL is  

https://hec.example.com:8088/services/collector/event

and I am passing the token too like

headers = {'Authorization': 'Splunk B5A79AAD-D822-46CC-80D1-819F80D7BFB0'}

Still I am getting the error of 'SSL:-self-signed certificate in chain' whereas when I try with curl no error.

0 Karma

harsmarvania57
Ultra Champion

It looks like you are using Python to push data in Splunk via HEC, can you please let us know which python modules are you using?

0 Karma

anilchaithu
Builder

@Kamaal_Mohammed 

 

How did you configure ssl cert on this host? Is it using default cert OR CA-signed cert (internal OR external).

you can find this by using the btool command

/opt/splunk/bin/splunk btool inputs list http --debug | grep serverCert

You need to copy over the root cert from the above path to the source from which you are doing this post request.

 

 

-- Hope this helps

0 Karma
Get Updates on the Splunk Community!

Index This | Divide 100 by half. What do you get?

November 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

❄️ Celebrate the season with our December lineup of Community Office Hours, Tech Talks, and Webinars! ...

Splunk and Fraud

Watch Now!Watch an insightful webinar where we delve into the innovative approaches to solving fraud using the ...