Security

Different authentications for HEC Token

lqiao
Explorer

Hi,

I am following this online doc to test the three authentication for HEC tokens: http://dev.splunk.com/view/event-collector/SP-CAAAE7G. I don't understand why only HTTP authentication works while the other two gave different errors. Is it a permission issue? Please help. Thank you.

HTTP Authentication:
Command: curl -k http://hostname:8088/services/collector -H 'Authorization: Splunk tokenId' -d '{"sourcetype": "mysourcetype", "event":"Hello, World!"}'
Result: {"text":"Success","code":0}

Basic Authentication:
Command: curl -k -u "x:tokenID" http://hostname:8088/services/collector -d '{"sourcetype": "mysourcetype", "event":"Hello, World!"}'
Result: {"text":"Invalid authorization","code":3}

Query String:
Command: curl -k http://hostname:8088/services/collector/event?token=tokenId -d '{"sourcetype": "mysourcetype", "event":"Hello, World!"}'
Result: {"text":"Token is required","code":2}

Tags (1)
0 Karma
1 Solution

outcoldman
Communicator

Basic authentication and query string authentications are new features in Splunk 6.6 and above http://dev.splunk.com/view/event-collector/SP-CAAAE8Y#basicauth (documentation has misprint, that this is available starting from 6.4)

Query authentication is disabled by default, see http://docs.splunk.com/Documentation/Splunk/7.0.1/Admin/Inputsconf, so you need to enable it to use the basic authentication or query parameters for authentication

[http://name]
...
allowQueryStringAuth = [true|false]

Updated 2018-01-03 based on @lqiao clarification

View solution in original post

0 Karma

outcoldman
Communicator

Basic authentication and query string authentications are new features in Splunk 6.6 and above http://dev.splunk.com/view/event-collector/SP-CAAAE8Y#basicauth (documentation has misprint, that this is available starting from 6.4)

Query authentication is disabled by default, see http://docs.splunk.com/Documentation/Splunk/7.0.1/Admin/Inputsconf, so you need to enable it to use the basic authentication or query parameters for authentication

[http://name]
...
allowQueryStringAuth = [true|false]

Updated 2018-01-03 based on @lqiao clarification

0 Karma

lqiao
Explorer

Hi outcoldman,

You are correct. I'd like to amend something to your answers after my testing. It is not your mistake. It is a Splunk doc issue.

Even in this doc http://dev.splunk.com/view/event-collector/SP-CAAAE8Y#basicauth, it says that "Basic authentication and query string authentications are new features in Splunk 6.4 and above.", basic and query string authentications are not working on Splunk 6.4.3, see the result in my question.

I tested on Splunk 6.5.6 (latest 6.5 version), basic authentication is working here. Query string authentication gave {"text":"Token is required","code":2} error, meaning that it is not supported on 6.5 version.

I tested also on Splunk 6.6.5 (latest 6.6 version), both basic authentication and query string authentication are supported. 6.6.0 is the first version supporting configuration allowQueryStringAuth. Splunk doc says by default, allowQueryStringAuth = false, so result: {"text":"Query string authorization is not enabled","code":16}. After setting it to true, result is {"text":"Success","code":0}. This setting is not visible in the default inputs.conf.

0 Karma

outcoldman
Communicator

I have updated my answer, thank you for clarification!

0 Karma

outcoldman
Communicator

Which Splunk version are you using? I believe another two were added later, not on the initial release.

lqiao
Explorer

Thank you. I am using Splunk 6.4.3. I can test with higher version today.

0 Karma

outcoldman
Communicator

Actually docs say that it should be available with 6.4.x http://dev.splunk.com/view/event-collector/SP-CAAAE8Y#basicauth

0 Karma

lqiao
Explorer

Looking at the example, it mentions:

Using Basic auth (6.5.0 and later only)

wrong in the doc?

0 Karma

outcoldman
Communicator

Seems like somewhere is a mistake, please send a feedback

0 Karma

lqiao
Explorer

I never hear my feedback back. I did more testing and added comment to your answer. Thanks for your answer. I don't want to accept it directly as the version part might confuse other people. It is not your mistake. My comment is being reviewed by the moderator.

0 Karma
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...