Security

Different authentications for HEC Token

lqiao
Explorer

Hi,

I am following this online doc to test the three authentication for HEC tokens: http://dev.splunk.com/view/event-collector/SP-CAAAE7G. I don't understand why only HTTP authentication works while the other two gave different errors. Is it a permission issue? Please help. Thank you.

HTTP Authentication:
Command: curl -k http://hostname:8088/services/collector -H 'Authorization: Splunk tokenId' -d '{"sourcetype": "mysourcetype", "event":"Hello, World!"}'
Result: {"text":"Success","code":0}

Basic Authentication:
Command: curl -k -u "x:tokenID" http://hostname:8088/services/collector -d '{"sourcetype": "mysourcetype", "event":"Hello, World!"}'
Result: {"text":"Invalid authorization","code":3}

Query String:
Command: curl -k http://hostname:8088/services/collector/event?token=tokenId -d '{"sourcetype": "mysourcetype", "event":"Hello, World!"}'
Result: {"text":"Token is required","code":2}

Tags (1)
0 Karma
1 Solution

outcoldman
Communicator

Basic authentication and query string authentications are new features in Splunk 6.6 and above http://dev.splunk.com/view/event-collector/SP-CAAAE8Y#basicauth (documentation has misprint, that this is available starting from 6.4)

Query authentication is disabled by default, see http://docs.splunk.com/Documentation/Splunk/7.0.1/Admin/Inputsconf, so you need to enable it to use the basic authentication or query parameters for authentication

[http://name]
...
allowQueryStringAuth = [true|false]

Updated 2018-01-03 based on @lqiao clarification

View solution in original post

0 Karma

outcoldman
Communicator

Basic authentication and query string authentications are new features in Splunk 6.6 and above http://dev.splunk.com/view/event-collector/SP-CAAAE8Y#basicauth (documentation has misprint, that this is available starting from 6.4)

Query authentication is disabled by default, see http://docs.splunk.com/Documentation/Splunk/7.0.1/Admin/Inputsconf, so you need to enable it to use the basic authentication or query parameters for authentication

[http://name]
...
allowQueryStringAuth = [true|false]

Updated 2018-01-03 based on @lqiao clarification

0 Karma

lqiao
Explorer

Hi outcoldman,

You are correct. I'd like to amend something to your answers after my testing. It is not your mistake. It is a Splunk doc issue.

Even in this doc http://dev.splunk.com/view/event-collector/SP-CAAAE8Y#basicauth, it says that "Basic authentication and query string authentications are new features in Splunk 6.4 and above.", basic and query string authentications are not working on Splunk 6.4.3, see the result in my question.

I tested on Splunk 6.5.6 (latest 6.5 version), basic authentication is working here. Query string authentication gave {"text":"Token is required","code":2} error, meaning that it is not supported on 6.5 version.

I tested also on Splunk 6.6.5 (latest 6.6 version), both basic authentication and query string authentication are supported. 6.6.0 is the first version supporting configuration allowQueryStringAuth. Splunk doc says by default, allowQueryStringAuth = false, so result: {"text":"Query string authorization is not enabled","code":16}. After setting it to true, result is {"text":"Success","code":0}. This setting is not visible in the default inputs.conf.

0 Karma

outcoldman
Communicator

I have updated my answer, thank you for clarification!

0 Karma

outcoldman
Communicator

Which Splunk version are you using? I believe another two were added later, not on the initial release.

lqiao
Explorer

Thank you. I am using Splunk 6.4.3. I can test with higher version today.

0 Karma

outcoldman
Communicator

Actually docs say that it should be available with 6.4.x http://dev.splunk.com/view/event-collector/SP-CAAAE8Y#basicauth

0 Karma

lqiao
Explorer

Looking at the example, it mentions:

Using Basic auth (6.5.0 and later only)

wrong in the doc?

0 Karma

outcoldman
Communicator

Seems like somewhere is a mistake, please send a feedback

0 Karma

lqiao
Explorer

I never hear my feedback back. I did more testing and added comment to your answer. Thanks for your answer. I don't want to accept it directly as the version part might confuse other people. It is not your mistake. My comment is being reviewed by the moderator.

0 Karma
Get Updates on the Splunk Community!

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

❄️ Celebrate the season with our December lineup of Community Office Hours, Tech Talks, and Webinars! ...

Splunk and Fraud

Watch Now!Watch an insightful webinar where we delve into the innovative approaches to solving fraud using the ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...