Getting Data In

Using Splunk HEC and validating Certificates

Kamaal_Mohammed
New Member

Hi 

I have seen that when I am doing a post request to "https://splunk_host:8088/services/collector/event" with validate_cert=False its successfully sending the data to Splunk from my application. Where as when I tried with validate_cert=True i am getting errors like "Self signed Certificate error " or 

Cannot connect to host localhost:8088 ssl:default [[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:852)]

so what should I do to not get this error. 

Labels (1)
0 Karma

emallinger
Communicator

Hi,

Did you find what was wrong ?

I have a similar behaviour : curl with ssl to send HEC events works fine, but from a python app, not so well :

 

Socket error while idling: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number

 

Any idea ?

Thanks

Ema

0 Karma

codebuilder
Influencer

If you are trying to test sending data to your HEC then you need to pass in the token, not the certs.
Something like:

curl -k  https://hec.example.com:8088/services/collector/event -H "Authorization: Splunk B5A79AAD-D822-46CC-80D1-819F80D7BFB0" -d '{"event": "hello world"}'
{"text": "Success", "code": 0}


See the documentation for more info.
https://docs.splunk.com/Documentation/SplunkCloud/8.2.2106/Data/UsetheHTTPEventCollector#Send_data_t...

----
An upvote would be appreciated and Accept Solution if it helps!
0 Karma

Kamaal_Mohammed
New Member

Hi

I have done that with curl it works fine but when comes to my application when I try with 

request = HTTPRequest(url, method='POST', body=json.dumps(body), headers=headers)
response = await HttpUtils.make_async_request(request, eat_exceptions=False)

where URL is  

https://hec.example.com:8088/services/collector/event

and I am passing the token too like

headers = {'Authorization': 'Splunk B5A79AAD-D822-46CC-80D1-819F80D7BFB0'}

Still I am getting the error of 'SSL:-self-signed certificate in chain' whereas when I try with curl no error.

0 Karma

harsmarvania57
Ultra Champion

It looks like you are using Python to push data in Splunk via HEC, can you please let us know which python modules are you using?

0 Karma

anilchaithu
Builder

@Kamaal_Mohammed 

 

How did you configure ssl cert on this host? Is it using default cert OR CA-signed cert (internal OR external).

you can find this by using the btool command

/opt/splunk/bin/splunk btool inputs list http --debug | grep serverCert

You need to copy over the root cert from the above path to the source from which you are doing this post request.

 

 

-- Hope this helps

0 Karma
Get Updates on the Splunk Community!

Explore the Latest Educational Offerings from Splunk [January 2025 Updates]

At Splunk Education, we are committed to providing a robust learning experience for all users, regardless of ...

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...

State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...

For the past four years, Splunk has partnered with Enterprise Strategy Group to conduct a survey that gauges ...