Splunk Cloud Platform

HTTP Event Collector URL

hnfd73hd8sjhDD
Engager

Hi,

I'm using the free cloud trial, and none of the URLs suggested within the documentation work.

[HOST]/services/collector throws a 303 error, redirecting to [HOST]/en-GB/services/collector which in turn throws a 404 error.

input-[HOST], inputs-[HOST], http-inputs-[HOST] do not resolve.

inputs.[HOST] resolves, but throws an SSL error as the wildcard cert attached to it does not cover the extra tier in the FQDN.

[HOST]:8088 resolves, but throws an SSL error as the cert attached to it does not match the FQDN (SplunkServerDefaultCert).

Any idea what I should be using?

TIA,
Martin...

0 Karma

scelikok
SplunkTrust

Hi @hnfd73hd8sjhDD,

I believe the Splunk Free Cloud Trial uses a self-signed certificate. That is why you may need to disable the certificate check in your tests.

If this reply helps you, an upvote and "Accept as Solution" are appreciated.

hnfd73hd8sjhDD
Engager

I've just tried using curl (with verification off) and it works ok (event ends up in the right place).

(thanks for your help).

Seems like a potential bin-fire in the waiting for anyone evaluating Splunk though. Someone now has to remember to re-enable TLS validation if they move from free to cloud/enterprise, otherwise their sensitive log data is accessible by anyone along the network path who wants to MITM the connection.

Martin...

0 Karma
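An added example, not part of the thread and not Splunk's code: one way to address the concern in the post above is to replace the failing chain and hostname checks with an exact certificate fingerprint pin instead of switching verification off, so that dropping the pin restores full validation. The function names, the token placeholder and the idea of obtaining the pin out-of-band are assumptions; the URL shape and port are the ones quoted in this thread.

```python
import hashlib, hmac, json, socket, ssl
from urllib.parse import urlsplit

def hec_context(pin_sha256=None):
    """Full CA + hostname validation unless a fingerprint pin replaces it."""
    ctx = ssl.create_default_context()
    if pin_sha256:
        # Chain/hostname checks are off ONLY because send_event() then
        # demands an exact certificate match before any data is sent.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx

def cert_matches_pin(der_cert, pin_sha256):
    """Compare SHA-256 of the DER certificate with the pinned hex digest."""
    got = hashlib.sha256(der_cert).hexdigest()
    want = pin_sha256.replace(":", "").strip().lower()
    return hmac.compare_digest(got, want)

def build_request(url, token, event):
    """Return (host, port, raw HTTP request) for one HEC event."""
    u = urlsplit(url)
    if u.scheme != "https" or not u.hostname:
        raise ValueError("HEC URL must be https://")
    port = u.port or 443
    body = json.dumps({"event": event}).encode()
    head = (f"POST {u.path} HTTP/1.1\r\nHost: {u.hostname}:{port}\r\n"
            f"Authorization: Splunk {token}\r\n"
            "Content-Type: application/json\r\n"
            f"Content-Length: {len(body)}\r\nConnection: close\r\n\r\n")
    return u.hostname, port, head.encode() + body

def send_event(url, token, event, pin_sha256=None):
    """Send one event and return the HTTP status line; fails closed."""
    host, port, request = build_request(url, token, event)
    ctx = hec_context(pin_sha256)
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            if pin_sha256 and not (der and cert_matches_pin(der, pin_sha256)):
                raise ssl.SSLError("HEC certificate does not match pin")
            tls.sendall(request)  # the token leaves only after the check
            return tls.recv(4096).split(b"\r\n", 1)[0].decode()
```

Calling `send_event(url, token, event)` without a pin performs normal validation, which is the behaviour to keep once the endpoint presents a certificate that matches its FQDN.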

hnfd73hd8sjhDD
Engager

Thanks for your reply.

Is that definite (have you tried it yourself)?

The problem is that the library I'm using doesn't have the ability to disable SSL validation (it's an intentional choice: if it isn't there as an option, someone can't accidentally make a mistake and push it to a live environment).

If that is the case, then the documentation definitely needs cleaning up, and a note added to this effect (apart from there being contradicting examples in the same document about which URI to use). 😉

Martin...

0 Karma

scelikok
SplunkTrust

As far as I know, it is self-signed for the free trial. But this is not new info.

You can confirm with Splunk support.

If this reply helps you, an upvote and "Accept as Solution" are appreciated.
0 Karma

scelikok
SplunkTrust

Hi @hnfd73hd8sjhDD,

According to the documentation, you should use the URL below (you should replace stackname with yours):

https://stackname.splunkcloud.com:8088/services/collector/event

If this reply helps you, an upvote and "Accept as Solution" are appreciated.
0 Karma

hnfd73hd8sjhDD
Engager

Hi,

Thanks for the reply!

As noted: using that URI throws an SSL error as the certificate doesn't match (the cert returned is a default one, not the one for the stack).

Any other suggestions?

Martin...

0 Karma