Getting Data In

Why did curl failed with error code 56?

dujas
Explorer

I am trying to list existing HEC tokens with curl command as below:

 

 

curl -k -u admin:<admin_password> http://<splunk_enterprise_instance_ip>:8089/servicesNS/admin/splunk_httpinput/data/inputs/http -v

 

 

It retruned as below:

 

 

*   Trying 192.168.30.128...
* TCP_NODELAY set
* Connected to 192.168.30.128 (192.168.30.128) port 8089 (#0)
* Server auth using Basic with user 'admin'
> GET /servicesNS/admin/splunk_httpinput/data/inputs/http HTTP/1.1
> Host: <splunk_enterprise_instance_ip>:8089
> Authorization: Basic YWRtaW46UGFzc3dvcmQwMTIzIQ==
> User-Agent: curl/7.61.1
> Accept: */*
>
* Recv failure: Connection reset by peer
* Closing connection 0
curl: (56) Recv failure: Connection reset by peer

 

 

From splunkd.log: 

 

 

01-09-2023 11:42:33.082 +0800 WARN  HttpListener [3447 HttpDedicatedIoThread-0] - Socket error from <splunk_enterprise_instance_ip>:38846 while idling: error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request

 

 

It seems this is ownign to SSL.

However, I have disbaled SSL in both Splunk Enterprise Instance and HEC, from inputs.conf:

 

 

[dujas@centos8-1 local]$ cat /home/dujas/splunk/etc/apps/splunk_httpinput/local/inputs.conf
[http]
disabled = 0
enableSSL = 0

 

 

May I l know how I could make the http work?

Thanks.

Labels (1)
Tags (2)
0 Karma

dujas
Explorer

I noticed the splunkdssl is enabled by default in server.conf, after disabling it in config file:

 

[sslConfig]
enableSplunkdSSL = False

 

Afterwards, I issued the same curl command and got output as below:

<entry>
    <title>http://test3</title>
    <id>http://<splunk_enterprise_instance_IP>:8089/servicesNS/nobody/splunk_httpinput/data/inputs/http/http%3A%252F%252Ftest3</id>
    <updated>2023-01-09T14:05:29+08:00</updated>
    <link href="/servicesNS/nobody/splunk_httpinput/data/inputs/http/http%3A%252F%252Ftest3" rel="alternate"/>
    <author>
      <name>admin</name>
    </author>

Token "test3" is the one I create via "http-event-collector" command, it could be loaded successfully, but for tokens created via GUI (before disabling splunkdssl), they are still failed to retrieve.

Any ideas why would that happen?

0 Karma
Get Updates on the Splunk Community!

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...

Brains, Bytes, and Boston: Learn from the Best at .conf25

When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...