Splunk Cloud Platform
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

HTTP Event Collector URL

hnfd73hd8sjhDD
Engager
‎01-31-2021 04:23 AM

Hi,

I'm using the free cloud trial, and none of the URLs suggested within the documentation work.

[HOST]/services/collector throws a 303 error, redirecting to [HOST]/en-GB/services/collector which in turn throws a 404 error.

input-[HOST], inputs-[HOST], http-inputs-[HOST] do not resolve.

inputs.[HOST] resolves, but throws an SSL error as the wildcard cert attached to it does not cover the extra tier in the FQDN.

[HOST]:8088 resolves, but throws an SSL error as the cert attached to it does not match the FQDN (SplunkServerDefaultCert).

Any idea what I should be using?

TIA,
Martin...

 

Labels (1)
Labels
0 Karma
Reply

scelikok
SplunkTrust
SplunkTrust
‎02-01-2021 11:55 PM

Hi @hnfd73hd8sjhDD,

I believe Splunk Free Cloud Trail uses self sign certificate. That is why you may need to disable certificate check on your tests.

If this reply helps you an upvote and "Accept as Solution" is appreciated.
Reply

hnfd73hd8sjhDD
Engager
‎02-02-2021 04:20 AM

I've just tried using curl (with verification off) and it works ok (event ends up in the right place).

(thanks for your help).

Seems like a potential bin-fire in the waiting for anyone evaluating Splunk though. Someone now has to remember to re-enable TLS validation if they move from free to cloud/enterprise, otherwise their sensitive log data is accessible by anyone along the network path who wants to MITM the connection.

Martin...

0 Karma
Reply

hnfd73hd8sjhDD
Engager
‎02-02-2021 03:13 AM

Thanks for your reply.

Is that a definite (have you tried it yourself?)

The problem is that the library I'm using doesn't have the ability to disable SSL validation (it's an intentional choice: if it isn't there as an option, someone can't accidentally make a mistake and push it to a live environment).

If that is the case, then the documentation definitely needs cleaning up, and a note added to this effect (apart from there being contradicting examples in ther same document about which URI to use). 😉

Martin...

 

 

 

0 Karma
Reply

scelikok
SplunkTrust
SplunkTrust
‎02-02-2021 04:17 AM

As far as I know it is self signed for free trial. But this is not a new info.

You can confirm with Splunk support.

If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma
Reply

scelikok
SplunkTrust
SplunkTrust
‎02-01-2021 08:52 PM

Hi @hnfd73hd8sjhDD,

According to documentation our should use below URL; (you should replace stackname with yours)

https://stackname.splunkcloud.com:8088/services/collector/event

 

If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma
Reply

hnfd73hd8sjhDD
Engager
‎02-01-2021 11:46 PM

Hi,

Thanks for the reply!

As noted: using that URI throws an SSL error as the certificate doesn't match (the cert returned is a default one, not the one for the stack).

Any other suggestions?

Martin...

 

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...