Security
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Different authentications for HEC Token

lqiao
Explorer
‎01-02-2018 02:23 PM

Hi,

I am following this online doc to test the three authentication for HEC tokens: http://dev.splunk.com/view/event-collector/SP-CAAAE7G. I don't understand why only HTTP authentication works while the other two gave different errors. Is it a permission issue? Please help. Thank you.

HTTP Authentication:
Command: curl -k http://hostname:8088/services/collector -H 'Authorization: Splunk tokenId' -d '{"sourcetype": "mysourcetype", "event":"Hello, World!"}'
Result: {"text":"Success","code":0}

Basic Authentication:
Command: curl -k -u "x:tokenID" http://hostname:8088/services/collector -d '{"sourcetype": "mysourcetype", "event":"Hello, World!"}'
Result: {"text":"Invalid authorization","code":3}

Query String:
Command: curl -k http://hostname:8088/services/collector/event?token=tokenId -d '{"sourcetype": "mysourcetype", "event":"Hello, World!"}'
Result: {"text":"Token is required","code":2}

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

outcoldman
Communicator
‎01-03-2018 08:38 AM

Basic authentication and query string authentications are new features in Splunk 6.6 and above http://dev.splunk.com/view/event-collector/SP-CAAAE8Y#basicauth (documentation has misprint, that this is available starting from 6.4)

Query authentication is disabled by default, see http://docs.splunk.com/Documentation/Splunk/7.0.1/Admin/Inputsconf, so you need to enable it to use the basic authentication or query parameters for authentication

[http://name]
...
allowQueryStringAuth = [true|false]

Updated 2018-01-03 based on @lqiao clarification

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

outcoldman
Communicator
‎01-03-2018 08:38 AM

Basic authentication and query string authentications are new features in Splunk 6.6 and above http://dev.splunk.com/view/event-collector/SP-CAAAE8Y#basicauth (documentation has misprint, that this is available starting from 6.4)

Query authentication is disabled by default, see http://docs.splunk.com/Documentation/Splunk/7.0.1/Admin/Inputsconf, so you need to enable it to use the basic authentication or query parameters for authentication

[http://name]
...
allowQueryStringAuth = [true|false]

Updated 2018-01-03 based on @lqiao clarification

0 Karma
Reply
Solved! Jump to solution

lqiao
Explorer
‎01-04-2018 03:07 PM

Hi outcoldman,

You are correct. I'd like to amend something to your answers after my testing. It is not your mistake. It is a Splunk doc issue.

Even in this doc http://dev.splunk.com/view/event-collector/SP-CAAAE8Y#basicauth, it says that "Basic authentication and query string authentications are new features in Splunk 6.4 and above.", basic and query string authentications are not working on Splunk 6.4.3, see the result in my question.

I tested on Splunk 6.5.6 (latest 6.5 version), basic authentication is working here. Query string authentication gave {"text":"Token is required","code":2} error, meaning that it is not supported on 6.5 version.

I tested also on Splunk 6.6.5 (latest 6.6 version), both basic authentication and query string authentication are supported. 6.6.0 is the first version supporting configuration allowQueryStringAuth. Splunk doc says by default, allowQueryStringAuth = false, so result: {"text":"Query string authorization is not enabled","code":16}. After setting it to true, result is {"text":"Success","code":0}. This setting is not visible in the default inputs.conf.

0 Karma
Reply
Solved! Jump to solution

outcoldman
Communicator
‎01-04-2018 05:24 PM

I have updated my answer, thank you for clarification!

0 Karma
Reply
Solved! Jump to solution

outcoldman
Communicator
‎01-02-2018 10:26 PM

Which Splunk version are you using? I believe another two were added later, not on the initial release.

Reply
Solved! Jump to solution

lqiao
Explorer
‎01-03-2018 08:28 AM

Thank you. I am using Splunk 6.4.3. I can test with higher version today.

0 Karma
Reply
Solved! Jump to solution

outcoldman
Communicator
‎01-03-2018 08:35 AM

Actually docs say that it should be available with 6.4.x http://dev.splunk.com/view/event-collector/SP-CAAAE8Y#basicauth

0 Karma
Reply
Solved! Jump to solution

lqiao
Explorer
‎01-03-2018 08:38 AM

Looking at the example, it mentions:

Using Basic auth (6.5.0 and later only)

wrong in the doc?

0 Karma
Reply
Solved! Jump to solution

outcoldman
Communicator
‎01-03-2018 05:31 PM

Seems like somewhere is a mistake, please send a feedback

0 Karma
Reply
Solved! Jump to solution

lqiao
Explorer
‎01-04-2018 03:09 PM

I never hear my feedback back. I did more testing and added comment to your answer. Thanks for your answer. I don't want to accept it directly as the version part might confuse other people. It is not your mistake. My comment is being reviewed by the moderator.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...