Splunk Enterprise

HEC token with "Enable indexer acknowledgement" disabled, but /ack returns success when I expected "ACK is disabled"?

charival
Observer

Hi Team,

Greetings!

I have set up a Splunk on-prem cluster, and data is fed via HEC endpoints.

Here is my HEC token config from inputs.conf:

```
[http://IntegrationAckDisabledToken]
disabled = 0
index = integrationindex
indexes =
token = 7XXXX31-58b6-4cf1-XXXXX62d04f
useACK = 0
sourcetype = json_no_timestamp
```

And then I sent some data with the channel in the header via /services/collector/raw.

And when I tried to get the ack using /services/collector/ack as below:

```
-H "Authorization: Splunk7XXXX31-58b6-4cf1-XXXXX62d04f" \
-H "X-Splunk-Request-Channel: 145f3699-fd99-42d0-8de9-28b06d937020" \
-H 'Cookie: AWSELB=FF6555991411317BBD0C6BAFAEC17450AEAB59750AD6BBA95014FF6232545C060FA98123AD1E3A3006CFDC8289B5ED36B75E48C0BD41396B8FB5F7902DC4C2CA7C3C61AAC3;PATH=/,AWSELBCORS=FF6555991411317BBD0C6BAFAEC17450AEAB59750AD6BBA95014FF6232545C060FA98123AD1E3A3006CFDC8289B5ED36B75E48C0BD41396B8FB5F7902DC4C2CA7C3C61AAC3;PATH=/"' \
-H "Content-Length: 12" \
-H "Connection: Keep-Alive" \
-d '{"acks":[1]}' -k
```

I expected HTTP - 400 {"text":"ACK is disabled","code":14}

but received HTTP - 200 {"acks":{"1":true}}

I'm wondering why?

One side note: I initially created the HEC token with useACK = 1 via the CLI.

Later I disabled the ACK via the UI.

Have any gurus in this community seen such behavior?

Thanks,

CG
