
Why can't I add an event to HEC in my Splunk Cloud trial env?

jeffa2
Explorer

Hello! I am getting an error trying to add a "hello world" event into my Splunk Cloud trial environment. I'm looking for help to see what the issue could be. I am getting what looks like an SSL error. I added certs to my Ubuntu VM but that didn't seem to help. Maybe it's a network fw error of some kind? Is the IP source of my env somehow blacklisted on your end? Not certain but think it could be the case, maybe you can help me?

In my virtual network, I can connect fine from my VM... here's a simple connection:

sudo telnet prd-p-ki5a7.splunkcloud.com 8088
Trying 44.206.98.245...
Connected to prd-p-ki5a7.splunkcloud.com.

When I try this curl command …

curl -k https://prd-p-ki5a7.splunkcloud.com:8088/services/collector/event -H "Authorization: Splunk <token>" -d '{"event": "hello world"}'

…I get this:

curl: (35) OpenSSL SSL_connect: Connection reset by peer in connection to prd-p-ki5a7.splunkcloud.com:8088

...however if I try it on a different network, it works fine.  Any way you can help me troubleshoot this one?

0 Karma

jeffa2
Explorer

any ideas?

0 Karma

isoutamo
SplunkTrust

Hi

I’m not sure if this is also valid for SC trial or not (probably it is)? Are you sure about the endpoint? Usually it’s different; see https://community.splunk.com/t5/Getting-Data-In/What-is-the-URI-for-HTTP-Event-Collector-for-Splunk-...
Here are instructions on how to modify access to those: https://docs.splunk.com/Documentation/SplunkCloud/9.0.2305/Admin/ConfigureIPAllowList
r. Ismo

0 Karma

jeffa2
Explorer

Thanks for the ideas!  Nslookup on both of these hosts worked:

inputs.prd-p-ki5a7.splunkcloud.com
prd-p-ki5a7.splunkcloud.com


...And this command worked fine against both on my ordinary network:

curl -k https://<HOST>:8088/services/collector/event -H "Authorization: Splunk <TOKEN>" -d '{"event": "hello world"}'

...but from within my virtual environment from inside a VM, I am still getting this:

curl: (35) OpenSSL SSL_connect: Connection reset by peer in connection to inputs.prd-p-ki5a7.splunkcloud.com:8088

Is there a way to turn off SSL in the trial environment?  Or is there/would it be a different port number?

Thank you! Jeff

0 Karma

isoutamo
SplunkTrust
You cannot turn off SSL from SC.
0 Karma

jeffa2
Explorer

Do you know of any kind of network security/firewall rules in place in the trial environment that could cause connection issues? 

0 Karma

isoutamo
SplunkTrust

No, I don’t. But if it works outside of your virtual environment and doesn’t work from it, I would look at how your virtual environment and its network part (e.g. NAT) are configured.

0 Karma

jeffa2
Explorer

I've reached the conclusion this is in fact some kind of network rule on our end, stopping TLS traffic to non-standard ports (443/8443).  The team hasn't figured out what rule to modify.  I know I can't change this port number in my trial account, but would someone be able to change port 8088 to port 8443 for me?

0 Karma
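
The symptom this thread converges on (TCP to port 8088 connects, but the TLS handshake is reset somewhere on the local network) can be confirmed by probing the two stages separately. The following is an added example, not code from any poster or from Splunk; `probe` and `start_reset_server` are hypothetical names, and the local reset server is a constructed stand-in for the filtering device so the script runs offline.

```python
import socket, ssl, struct, threading

def probe(host, port, timeout=5.0):
    """Report how far a connection gets: TCP connect first, then TLS handshake."""
    result = {"tcp": "not attempted", "tls": "not attempted"}
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        result["tcp"] = f"failed: {exc}"
        return result
    result["tcp"] = "connected"          # all that the telnet test proves
    ctx = ssl.create_default_context()
    ctx.check_hostname = False           # same trust settings as curl -k
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            result["tls"] = f"ok: {tls.version()}"
    except ConnectionResetError:         # RST during the handshake, as in curl (35)
        result["tls"] = "reset"
    except OSError as exc:               # includes ssl.SSLError and timeouts
        result["tls"] = f"failed: {exc}"
    finally:
        sock.close()
    return result

def start_reset_server():
    """Constructed stand-in for a filtering device: accept the TCP connection,
    read the ClientHello, then abort with a TCP RST. Returns the local port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    def serve():
        conn, _ = srv.accept()
        conn.recv(4096)
        # SO_LINGER with a zero timeout makes close() send RST instead of FIN
        conn.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack("ii", 1, 0))
        conn.close()
        srv.close()
    threading.Thread(target=serve, daemon=True).start()
    return port

if __name__ == "__main__":
    # Offline demo; replace with the HEC host and port 8088 to test for real
    print(probe("127.0.0.1", start_reset_server()))
```

A result of `tcp: connected` with `tls: reset` from one network and `tls: ok` from another points at a device on the first network's path rather than at the HEC endpoint.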