I am trying to list existing HEC tokens with the curl command below:
curl -k -u admin:<admin_password> http://<splunk_enterprise_instance_ip>:8089/servicesNS/admin/splunk_httpinput/data/inputs/http -v
It returned the following:
* Trying 192.168.30.128...
* TCP_NODELAY set
* Connected to 192.168.30.128 (192.168.30.128) port 8089 (#0)
* Server auth using Basic with user 'admin'
> GET /servicesNS/admin/splunk_httpinput/data/inputs/http HTTP/1.1
> Host: <splunk_enterprise_instance_ip>:8089
> Authorization: Basic YWRtaW46UGFzc3dvcmQwMTIzIQ==
> User-Agent: curl/7.61.1
> Accept: */*
>
* Recv failure: Connection reset by peer
* Closing connection 0
curl: (56) Recv failure: Connection reset by peer
From splunkd.log:
01-09-2023 11:42:33.082 +0800 WARN HttpListener [3447 HttpDedicatedIoThread-0] - Socket error from <splunk_enterprise_instance_ip>:38846 while idling: error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request
It seems this is owing to SSL.
However, I have disabled SSL in both the Splunk Enterprise instance and HEC, from inputs.conf:
[dujas@centos8-1 local]$ cat /home/dujas/splunk/etc/apps/splunk_httpinput/local/inputs.conf
[http]
disabled = 0
enableSSL = 0
May I know how I could make the http work?
Thanks.
I noticed that splunkdssl is enabled by default in server.conf. I disabled it in the config file:
[sslConfig]
enableSplunkdSSL = False
Afterwards, I issued the same curl command and got output as below:
<entry>
<title>http://test3</title>
<id>http://<splunk_enterprise_instance_IP>:8089/servicesNS/nobody/splunk_httpinput/data/inputs/http/http%3A%252F%252Ftest3</id>
<updated>2023-01-09T14:05:29+08:00</updated>
<link href="/servicesNS/nobody/splunk_httpinput/data/inputs/http/http%3A%252F%252Ftest3" rel="alternate"/>
<author>
<name>admin</name>
</author>
Token "test3" is the one I created via the "http-event-collector" command; it could be loaded successfully, but tokens created via the GUI (before disabling splunkdssl) still fail to be retrieved.
Any ideas why that would happen?
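
Added example, not part of the original posts: the two settings quoted in the thread govern different listeners, and this Python sketch derives the scheme each one expects and recognises the log signature of plain HTTP hitting a TLS listener. The sample configs, the 192.0.2.10 address, the function names, the HEC port 8088 and the fallback defaults are assumptions for illustration.

```python
import configparser
from urllib.parse import urlsplit

# Constructed sample configs: splunkd TLS at its default, HEC TLS off as in the thread.
SERVER_CONF = "[sslConfig]\nenableSplunkdSSL = true\n"
INPUTS_CONF = "[http]\ndisabled = 0\nenableSSL = 0\n"
# Constructed log line carrying the same error signature as the splunkd.log excerpt.
LOG_LINE = ("01-09-2023 11:42:33.082 +0800 WARN HttpListener - Socket error from "
            "192.0.2.10:38846 while idling: error:1407609C:SSL routines:"
            "SSL23_GET_CLIENT_HELLO:http request")

TRUTHY = {"1", "true", "t", "yes", "y"}  # assumption: simplified boolean parsing

def _flag(conf_text, stanza, key, default):
    """Read one boolean setting, falling back to the assumed default."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case as written in the .conf file
    cp.read_string(conf_text)
    return cp.get(stanza, key, fallback=default).strip().lower() in TRUTHY

def expected_schemes(server_conf, inputs_conf):
    """Map each listener to the scheme its own setting implies."""
    mgmt_tls = _flag(server_conf, "sslConfig", "enableSplunkdSSL", "true")
    hec_tls = _flag(inputs_conf, "http", "enableSSL", "1")
    return {"mgmt": "https" if mgmt_tls else "http",
            "hec": "https" if hec_tls else "http"}

def check_url(url, schemes, mgmt_port=8089, hec_port=8088):
    """Compare a URL's scheme with what the listener on that port expects."""
    parts = urlsplit(url)
    listener = {mgmt_port: "mgmt", hec_port: "hec"}.get(parts.port)
    if listener is None:
        return "unknown port"
    want = schemes[listener]
    if parts.scheme == want:
        return "ok"
    return f"{listener} listener expects {want}, got {parts.scheme}"

def is_plaintext_to_tls(log_line):
    """True when a TLS listener logged that it received a plain HTTP request."""
    return "SSL routines" in log_line and log_line.rstrip().endswith(":http request")

if __name__ == "__main__":
    schemes = expected_schemes(SERVER_CONF, INPUTS_CONF)
    print(schemes)
    print(check_url("http://192.0.2.10:8089/servicesNS/admin/splunk_httpinput/data/inputs/http", schemes))
    print(is_plaintext_to_tls(LOG_LINE))
```

With enableSplunkdSSL left enabled, requesting the same path with https:// on port 8089 matches the listener and keeps the Basic credentials from crossing the network in cleartext.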