Getting Data In

Which inbound/outbound ports should be opened to send data to HTTP Event Collector?

mark-jones
Explorer

Hello,

I understand that the HTTP Event Collector receives data over HTTPS on TCP port 8088 by default.

What I am wondering is, if I have virtual machines running in the Azure cloud, do I need to open both inbound and outbound port 8088 in the Azure portal firewall settings?

Also, I was hoping to disable HTTPS by clicking on the Global Settings button at the top of the HTTP Event Collector management page in Splunk Cloud, but I see that it's greyed out. I am in the admin role, so is this changeable?

0 Karma

scelikok
SplunkTrust

Hi @mark-jones,

You can try the -k option to disable the certificate check:

curl -k https://prd-p-dfnly.splunkcloud.com:8088/services/collector/event -H "Authorization: Splunk d44e106b-####-####-####-e7a44409e65c" -d "{\"event\": \"hello world\"}"

If this reply helps you, an upvote and "Accept as Solution" is appreciated.
0 Karma
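As an added example (not part of the original replies, and not Splunk's own code), this Python sketch sends the same HEC event while keeping certificate verification on, by trusting a specific CA file instead of passing `-k`; it also checks TCP reachability of the HEC port directly. The function names, the `cafile` path (assumed to be a PEM copy of the issuing CA obtained from a trusted source), and the host and token placeholders are all assumptions.

```python
import json
import socket
import ssl
import urllib.error
import urllib.request

def tcp_reachable(host, port, timeout=5.0):
    """True if a TCP connect to host:port succeeds; tests the port itself, unlike ICMP ping."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def hec_tls_context(cafile=None):
    """Verifying TLS context. cafile: PEM file with the CA that issued the HEC certificate."""
    ctx = ssl.create_default_context(cafile=cafile)
    # Both checks stay on (curl -k turns them off): chain validation and hostname match.
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx

def build_hec_request(base_url, token, event):
    """POST to /services/collector/event with the 'Authorization: Splunk <token>' header."""
    return urllib.request.Request(
        base_url.rstrip("/") + "/services/collector/event",
        data=json.dumps({"event": event}).encode("utf-8"),
        headers={"Authorization": "Splunk " + token},
        method="POST",
    )

def send_event(base_url, token, event, cafile=None, timeout=10.0):
    """Send one event; returns the parsed HEC reply, e.g. {"text": "Success", "code": 0}."""
    req = build_hec_request(base_url, token, event)
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=hec_tls_context(cafile)) as resp:
            return json.loads(resp.read())
    except urllib.error.URLError as exc:
        if isinstance(exc.reason, ssl.SSLCertVerificationError):
            # Server certificate failed verification (what curl reports as error 60).
            raise RuntimeError("untrusted HEC certificate: " + exc.reason.verify_message) from exc
        raise

if __name__ == "__main__":
    # Constructed placeholders: host and token are not values from the thread.
    req = build_hec_request("https://hec.example.invalid:8088", "00000000-0000-0000-0000-000000000000", "hello world")
    print(req.get_method(), req.full_url, req.data.decode())
    print("verification on:", hec_tls_context().verify_mode == ssl.CERT_REQUIRED)
```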

scelikok
SplunkTrust

Hi @mark-jones,

If you are using trial Splunk Cloud, the HEC port is 8088, but on production it is 443.

If you collect data from virtual machines running on Azure, outbound firewall rules alone will be enough. The connections are normal HTTP requests, which is why only one direction is enough.

Splunk Cloud does not allow changing HEC global settings.

If this reply helps you, an upvote and "Accept as Solution" is appreciated.
0 Karma

mark-jones
Explorer

Hi scelikok

Thank you for the info.

If the trial Splunk Cloud does not allow changing the global settings to disable HTTPS, then I am now running into an issue with the following error message when trying to perform a simple curl command to test sending data to the indexer.

curl https://prd-p-dfnly.splunkcloud.com:8088/services/collector/event -H "Authorization: Splunk d44e106b-####-####-####-e7a44409e65c" -d "{\"event\": \"hello world\"}"
curl: (60) SSL certificate problem: self signed certificate in certificate chain
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

I verified the outbound ports are open and was able to ping prd-p-dfnly.splunkcloud.com:8088.

0 Karma