Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Cna't Connect to HTTP Event Collector Endpoint with My Certificate

diavolo
Path Finder
‎01-16-2018 07:32 PM

I installed my certificate into $SPLUNK_HOME/etc/auth/splunkweb. I can access Splunk Web on browser but, HTTP Event Collector ends with timeout.

Server: EC2 (OS: Amazon Linux)
Splunk Version: 7.0.1
Certificate: Let's Encrypt

inputs.conf
[http]
disabled = 0
serverCert = $SPLUNK_HOME/etc/auth/splunkweb/cert.pem

So far as I tested HEC on curl, connection fails before negotiation. How can I enable my certificate on HEC?

HEC Test by curl
My Certificate
$ curl -k https://xxxxxxx.com:8088/services/collector/event -H "Authorization: Splunk XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX" -d '{"event": "hello world"}' -v
* Trying xx.xxx.xxx.xxx...
* Connected to xxxxxxx.com (xx.xxx.xxx.xxx) port 8088 (#0)
* Operation timed out after 0 milliseconds with 0 out of 0 bytes received
* Closing connection 0
curl: (28) Operation timed out after 0 milliseconds with 0 out of 0 bytes received

Splunk Default Cert
$ curl -k https://xxxxxxx.com:8088/services/collector/event -H "Authorization: Splunk XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX" -d '{"event": "hello world"}' -v
* Trying xx.xxx.xxx.xxx...
* Connected to xxxxxxx.com (xx.xxx.xxx.xxx) port 8088 (#0)
* TLS 1.2 connection using TLS_RSA_WITH_AES_128_CBC_SHA256
* Server certificate: SplunkServerDefaultCert
* Server certificate: Splunk Inspection CA
* Server certificate: Splunk Root CA
...

0 Karma
Reply

ischoenmaker
Explorer
‎10-18-2018 04:49 AM

I think i have seen this while testing our ssl config for HEC. I think your cert chain is incomplete.
You have to supply your certs and key in the following way:
http://docs.splunk.com/Documentation/Splunk/7.2.0/Security/HowtoprepareyoursignedcertificatesforSplu...

and if your key uses a password you can specify that in the [http] stanza with sslPassword
See also: https://answers.splunk.com/answers/462131/securing-http-event-collector.html#answer-692893

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...