Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Problem with Curl Request to Splunk Server

btluynk
Loves-to-Learn Lots
‎01-16-2024 05:53 AM

Hi team,

I'm trying to send a curl request from my local machine to a Splunk server, but I'm encountering the following error. Have you come across this error before? I've found similar issues on stackoverflow, but none of the solutions seem to work for me. I thought reaching out here might provide quick support in case anyone has experienced a specific issue related to this. Thank you in advance for your assistance.

aaa.bbb@MyComputer-xxx ~ % curl https://1.1.1.1:8088/services/collector/raw -H "Authorization: Splunk XXXX-XXXX-XXXX-XXXX-XXXX" -d '{"event": "cheesecake"}' --insecure

Output:

curl: (35) LibreSSL/3.3.6: error:1404B42E:SSL routines:ST_CONNECT:tlsv1 alert protocol version

Thanks

Labels (1)
Labels
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎01-16-2024 06:54 AM

OK. Wait a second. Do you even have TLS enabled on this port?

Check output of

openssl s_client -connect your_splunk_ip:8088

for errors as well as check your _internal index for errors regarding your client's IP.

0 Karma
Reply

btluynk
Loves-to-Learn Lots
‎01-16-2024 07:02 AM

Hi team,

In this output, it appears that TLS is enabled based on the following information:

XXX.XXX@XXX-XXX-XXX ~ % openssl s_client -connect 1.1.1.1:8088

CONNECTED(00000003)

140704518969088:error:1404B42E:SSL routines:ST_CONNECT:tlsv1 alert protocol version:/AppleInternal/Library/BuildRoots/d9889869-120b-11ee-b796-7a03568b17ac/Library/Caches/com.apple.xbs/Sources/libressl/libressl-3.3/ssl/tls13_lib.c:151:

---

no peer certificate available

---

No client certificate CA names sent

---

SSL handshake has read 5 bytes and written 294 bytes

---

New, (NONE), Cipher is (NONE)

Secure Renegotiation IS NOT supported

Compression: NONE

Expansion: NONE

No ALPN negotiated

SSL-Session:

    Protocol  : TLSv1.3

    Cipher    : 0000

    Session-ID:

    Session-ID-ctx:

    Master-Key:

    Start Time: 1705416962

    Timeout   : 7200 (sec)

    Verify return code: 0 (ok)

---

I dont understand but the "Protocol" field indicates TLS version 1.3, and the "Cipher" field would typically show the cipher suite being used. The "Verify return code" of 0 indicates that the certificate verification was successful. However, there is an error related to the TLS protocol version alert, which might be due to a compatibility issue between the OpenSSL version used and the TLS version supported by the server. If this is not causing any problems with the connection, it might be negligible.

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎01-16-2024 09:55 AM

No. It can be a bit misleading but it shows that TLS isn't properly configured on this port. With TLS you should have gotten a server certificate and all the gory encryption protocols details.

Also as you noticed yourself in the other comment - you can properly call curl requesting a simple non-encrypted http:// resource. Since Splunk doesn't serve both TLS-enabled and not-enabled services on the same port, it means you simply have to configure it.

0 Karma
Reply

btluynk
Loves-to-Learn Lots
‎01-17-2024 12:22 AM

Hi team,

Thank you for your support. The problem was solved when I changed the command by typing hostname instead of IP.

0 Karma
Reply

btluynk
Loves-to-Learn Lots
‎01-16-2024 06:48 AM

Hi, 

First of all, thank you for your response, I am sharing the outputs I got when I tried using HTTP and HTTPS below. It may be due to the SSL setting of the Http collector, but I think there will be other logs affected.

XXX.XXX@XXX-XXX-XXX ~ % curl -kv http://1.1.1.1:8088/services/collector/raw -H "Authorization: Splunk XXX-XXX-XXX-XXX-XXX" -d '{"event": "cheesecake"}' --insecure

* Trying 1.1.1.1:8088...
* Connected to 1.1.1.1 (1.1.1.1) port 8088 (#0)
> POST /services/collector/raw HTTP/1.1
> Host: 1.1.1.1:8088
> User-Agent: curl/8.1.2
> Accept: */*
> Authorization: Splunk XXX-XXX-XXX-XXX-XXX
> Content-Length: 23
> Content-Type: application/x-www-form-urlencoded
>
< HTTP/1.1 200 OK
< Date: Tue, 16 Jan 2024 14:31:55 GMT
< Content-Type: application/json; charset=UTF-8
< X-Content-Type-Options: nosniff
< Content-Length: 27
< Vary: Authorization
< Connection: Keep-Alive
< X-Frame-Options: SAMEORIGIN
< Server: Splunkd
<
* Connection #0 to host 1.1.1.1 left intact
{"text":"Success","code":0}%

 

 

 

 


XXX.XXX@XXX-XXX-XXX ~ % curl -kv https://1.1.1.1:8088/services/collector/raw -H "Authorization: Splunk XXX-XXX-XXX-XXX-XXX" -d '{"event": "cheesecake"}' --insecure

* Trying 1.1.1.1:8088...
* Connected to 1.1.1.1 (1.1.1.1) port 8088 (#0)
* ALPN: offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
* LibreSSL/3.3.6: error:1404B42E:SSL routines:ST_CONNECT:tlsv1 alert protocol version
* Closing connection 0
curl: (35) LibreSSL/3.3.6: error:1404B42E:SSL routines:ST_CONNECT:tlsv1 alert protocol version

0 Karma
Reply

btluynk
Loves-to-Learn Lots
‎01-16-2024 06:06 AM

btluynk_0-1705413996079.png

 

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎01-16-2024 06:18 AM

You seem to be specifying that you want to use SSL (https) but you don't appear to be providing any certificates etc. Have you tried using http instead?

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Answers Content Calendar, June Edition

Get ready for this week’s post dedicated to Splunk Dashboards! We're celebrating the power of community by ...

What You Read The Most: Splunk Lantern’s Most Popular Articles!

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

See your relevant APM services, dashboards, and alerts in one place with the updated ...

As a Splunk Observability user, you have a lot of data you have to manage, prioritize, and troubleshoot on a ...
Top