Getting Data In

What kind of log is this (from Proxy access logs)

aaronnicoli
Path Finder

Hi all,

I'm trying to identify what this is in my access logs:

POST http://123.123.123.123/open/1

Followed by thousands of:

POST http://123.123.123.123/IVmYwvJKhJFesFjK/1001
POST http://123.123.123.123/IVmYwvJKhJFesFjK/1002
POST http://123.123.123.123/IVmYwvJKhJFesFjK/1003
...

Obviously the actual IP is omitted (pub internet address).

Your help would make my day!

Thanks all

0 Karma
1 Solution

dperre_splunk
Splunk Employee

Whilst I can't be sure what this is, the following link looks very similar to what your logs are saying.
https://en.wikipedia.org/wiki/Real-Time_Messaging_Protocol

HTTP tunneling
In RTMP Tunneled (RTMPT), RTMP data is encapsulated and exchanged via HTTP, and messages from the client (the media player, in this case) are addressed to port 80 (the default for HTTP) on the server.
While the messages in RTMPT are larger than the equivalent non-tunneled RTMP messages due to HTTP headers, RTMPT may facilitate the use of RTMP in scenarios where the use of non-tunneled RTMP would otherwise not be possible, such as when the client is behind a firewall that blocks non-HTTP and non-HTTPS outbound traffic.
The protocol works by sending commands through the POST URL, and AMF messages through the POST body. An example is
POST /open/1 HTTP/1.1
for a connection to be opened.
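
One way to check proxy logs for the pattern discussed in this thread, as an added example that is not part of the original posts: it flags a client/host pair that sends `POST /open/1` and then a run of POSTs to `/<session>/<sequence>` with a rising sequence number. The log line layout, the addresses and the `send`/`idle`/`close` command names are assumptions (the commands come from public RTMPT descriptions, not from the logs on this page).

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample proxy lines (timestamp, client, method, URL); not real traffic.
SAMPLE_LOG = """\
2024-01-01T10:00:00 10.0.0.5 POST http://203.0.113.10/open/1
2024-01-01T10:00:01 10.0.0.5 POST http://203.0.113.10/IVmYwvJKhJFesFjK/1001
2024-01-01T10:00:01 10.0.0.5 POST http://203.0.113.10/IVmYwvJKhJFesFjK/1002
2024-01-01T10:00:02 10.0.0.5 POST http://203.0.113.10/IVmYwvJKhJFesFjK/1003
2024-01-01T10:00:02 10.0.0.9 GET http://example.com/index.html
2024-01-01T10:00:03 10.0.0.9 POST http://example.com/api/v2/items/17
2024-01-01T10:00:04 10.0.0.7 POST http://203.0.113.20/send/AbCdEfGh12345678/1
2024-01-01T10:00:05 10.0.0.7 POST http://203.0.113.20/idle/AbCdEfGh12345678/2
"""

LINE_RE = re.compile(r"^\S+\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)$")
# The optional command segment (send/idle/close) is an assumption; the logs in
# the question show only /<session>/<sequence>.
MSG_RE = re.compile(r"^/(?:(?:send|idle|close)/)?(?P<sid>[A-Za-z0-9]{8,})/(?P<seq>\d+)$")

def find_rtmpt_sessions(log_text, min_msgs=3):
    """Return {(client, host, session_id): message_count} for RTMPT-like flows."""
    opened = set()            # (client, host) pairs that sent POST /open/1
    seqs = defaultdict(list)  # (client, host, sid) -> sequence numbers in log order
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["method"] != "POST":
            continue
        url = urlsplit(m["url"])
        pair = (m["client"], url.hostname)
        if url.path == "/open/1":
            opened.add(pair)
        elif pair in opened and (msg := MSG_RE.match(url.path)):
            seqs[pair + (msg["sid"],)].append(int(msg["seq"]))
    hits = {}
    for key, nums in seqs.items():
        # Require a strictly rising sequence so ordinary /name/id URLs do not match.
        rising = all(b > a for a, b in zip(nums, nums[1:]))
        if len(nums) >= min_msgs and rising:
            hits[key] = len(nums)
    return hits

if __name__ == "__main__":
    print(find_rtmpt_sessions(SAMPLE_LOG))
```

The second constructed flow (10.0.0.7) is not reported because its `/open/1` request is absent from the sample and it has fewer than `min_msgs` messages; raise `min_msgs` on real logs to cut false positives.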

aaronnicoli
Path Finder

Thank you!

That's steered me in the right direction.

0 Karma