Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

POST HTTP event to splunk : call not properly authenticated- Why am I getting this?

rsarode
Engager
‎04-11-2017 03:21 PM

Trying to POST events to splunk using HTTP. This local on prem splunk installation.
For now I am getting this -

rsarode-mac:splunk rugvedsarode$ curl -k -H "Authorization: Splunk <MY-TOKEN-ID> https://localhost:8001/services/collector/event -d '{"event":"hello world"}'
<?xml version="1.0" encoding="UTF-8"?>
<response>
  <messages>
    <msg type="WARN">call not properly authenticated</msg>
  </messages>
</response>

I saw this but it did not help - https://answers.splunk.com/answers/406291/using-java-to-make-a-rest-api-call-to-splunk-why-a.html?ut...

I even tried to add "-u admin:". But still same issue.
Note my - mgmtHostPort = 127.0.0.1:8001

Furthermore, what is the corresponding header key value for curl "-k" option? Like we have
Content-Type: text/xml; OR
Connection: Keep-Alive;

Labels (1)
Labels
Reply

TonyLeeVT
Builder
‎11-15-2018 08:48 AM

I had this same issue. There is a global settings button in the top right hand corner of the HTTP Event Collector screen. You may have a little warning symbol up there that states that you need to enable HEC within Global Settings.

0 Karma
Reply

DanPederEriksen
New Member
‎08-04-2017 04:33 AM

I experienced the same problem and did the following to solve it:

  1. Enable the http collector: "You enable it in self-service Splunk Cloud by going to Settings > Data Inputs > HTTP Event Collector > Global Settings, and then clicking Enabled"
  2. Create a http collector token.
  3. Restart splunk
  4. The following curl command then worked: curl -k -H "Authorization: Splunk " https://localhost:8088/services/collector/evenrcetype", "event": "http auth ftw!"}'

http://dev.splunk.com/view/event-collector/SP-CAAAE7G

0 Karma
Reply

alexbo27
New Member
‎10-02-2022 04:09 PM

the curl command in #4 is malformed... opening curly is missing, auth token? or it should be empty?

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...