Splunk Enterprise

Problem with Curl Request to Splunk Server

btluynk
Loves-to-Learn Lots

Hi team,

I'm trying to send a curl request from my local machine to a Splunk server, but I'm encountering the following error. Have you come across this error before? I've found similar issues on stackoverflow, but none of the solutions seem to work for me. I thought reaching out here might provide quick support in case anyone has experienced a specific issue related to this. Thank you in advance for your assistance.

aaa.bbb@MyComputer-xxx ~ % curl https://1.1.1.1:8088/services/collector/raw -H "Authorization: Splunk XXXX-XXXX-XXXX-XXXX-XXXX" -d '{"event": "cheesecake"}' --insecure

Output:

curl: (35) LibreSSL/3.3.6: error:1404B42E:SSL routines:ST_CONNECT:tlsv1 alert protocol version

Thanks

0 Karma

PickleRick
SplunkTrust

OK. Wait a second. Do you even have TLS enabled on this port?

Check output of

openssl s_client -connect your_splunk_ip:8088

for errors as well as check your _internal index for errors regarding your client's IP.

0 Karma

btluynk
Loves-to-Learn Lots

Hi team,

In this output, it appears that TLS is enabled based on the following information:

XXX.XXX@XXX-XXX-XXX ~ % openssl s_client -connect 1.1.1.1:8088
CONNECTED(00000003)
140704518969088:error:1404B42E:SSL routines:ST_CONNECT:tlsv1 alert protocol version:/AppleInternal/Library/BuildRoots/d9889869-120b-11ee-b796-7a03568b17ac/Library/Caches/com.apple.xbs/Sources/libressl/libressl-3.3/ssl/tls13_lib.c:151:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 294 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Start Time: 1705416962
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---

I don't understand, but the "Protocol" field indicates TLS version 1.3, and the "Cipher" field would typically show the cipher suite being used. The "Verify return code" of 0 indicates that the certificate verification was successful. However, there is an error related to the TLS protocol version alert, which might be due to a compatibility issue between the OpenSSL version used and the TLS version supported by the server. If this is not causing any problems with the connection, it might be negligible.

0 Karma

PickleRick
SplunkTrust

No. It can be a bit misleading but it shows that TLS isn't properly configured on this port. With TLS you should have gotten a server certificate and all the gory encryption protocols details.

Also, as you noticed yourself in the other comment, you can properly call curl requesting a simple non-encrypted http:// resource. Since Splunk doesn't serve both TLS-enabled and not-enabled services on the same port, it means you simply have to configure it.

0 Karma
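A way to check what is being said here, added as an example that is not from the thread, from Splunk, or from any of the posters: the probe below lets Python's ssl module build a genuine ClientHello, sends it over a plain socket, and classifies the first bytes that come back. A ServerHello means TLS is enabled and negotiating; a TLS alert record (protocol_version is alert code 70, the one LibreSSL reported above) or a plaintext HTTP response means the port is not serving TLS to this client. The host name, port and the sample byte strings are constructed for illustration.

```python
"""Classify what a server sends back after a TLS ClientHello.

Added example (not from the thread). Distinguishes "TLS is on but the
handshake was refused" from "this port is not serving TLS at all" by
inspecting the raw reply, which s_client and curl summarise into one
error string.
"""
import socket
import ssl
import sys

# TLS record content types (RFC 8446, section 5.1)
CONTENT_ALERT = 0x15
CONTENT_HANDSHAKE = 0x16
HANDSHAKE_SERVER_HELLO = 0x02

# Alert descriptions that show up in this kind of troubleshooting
# (RFC 5246 section 7.2 / RFC 8446 section 6).
ALERT_DESCRIPTIONS = {
    40: "handshake_failure",
    70: "protocol_version",
    80: "internal_error",
    112: "unrecognized_name",
}

# Constructed samples, not captured from the poster's server:
SAMPLE_SPLUNK_ALERT = bytes.fromhex("15030100020246")  # fatal protocol_version alert
SAMPLE_PLAIN_HTTP = b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n"
SAMPLE_SERVER_HELLO = (
    bytes.fromhex("160303002a020000260303") + bytes(32) + b"\x00\x13\x01\x00"
)


def classify_response(data: bytes) -> str:
    """Return a one-line verdict for the first bytes a server sent back."""
    if not data:
        return "no data: server closed the connection without answering"
    # A TLS record starts with a content type and a 0x03xx version.
    if len(data) >= 5 and data[0] in (CONTENT_ALERT, CONTENT_HANDSHAKE) and data[1] == 0x03:
        length = int.from_bytes(data[3:5], "big")
        body = data[5:5 + length]
        if data[0] == CONTENT_ALERT:
            if len(body) >= 2:
                level = "fatal" if body[0] == 2 else "warning"
                name = ALERT_DESCRIPTIONS.get(body[1], "unknown")
                return f"TLS alert ({level}): {name} ({body[1]})"
            return "TLS alert record (truncated body)"
        if body and body[0] == HANDSHAKE_SERVER_HELLO:
            return "TLS ServerHello: TLS is enabled and the handshake started"
        return "TLS handshake record (not a ServerHello)"
    if data.startswith(b"HTTP/"):
        first_line = data.split(b"\r\n", 1)[0].decode("ascii", "replace")
        return f"plaintext HTTP response: {first_line!r} (port is not serving TLS)"
    return f"unrecognised response: {data[:8].hex()}"


def build_client_hello(server_name: str) -> bytes:
    """Let the ssl module produce a real ClientHello with no network socket."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # diagnostic only: we never trust this session
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=server_name)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: the ClientHello is now queued in `outgoing`
    return outgoing.read()


def probe(host: str, port: int, timeout: float = 5.0) -> str:
    """Connect, send a ClientHello, and classify whatever comes back."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(host))
        try:
            reply = sock.recv(4096)
        except socket.timeout:
            return "no reply within timeout (server is waiting for more data)"
    return classify_response(reply)


if __name__ == "__main__":
    for label, sample in [("splunk-style alert", SAMPLE_SPLUNK_ALERT),
                          ("plaintext http", SAMPLE_PLAIN_HTTP),
                          ("server hello", SAMPLE_SERVER_HELLO)]:
        print(f"{label}: {classify_response(sample)}")
    if len(sys.argv) == 3:  # e.g. python probe.py splunk.example.test 8088
        print(probe(sys.argv[1], int(sys.argv[2])))
```

Run it as `python probe.py <host> 8088` against the collector port. If the verdict is a protocol_version alert or a plaintext HTTP response, the fix belongs on the server side: for HEC the TLS switch is `enableSSL` in the `[http]` stanza of inputs.conf (a real Splunk setting, not quoted in the thread), and it should be turned on rather than worked around by sending tokens over plain http://.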

btluynk
Loves-to-Learn Lots

Hi team,

Thank you for your support. The problem was solved when I changed the command by typing hostname instead of IP.

0 Karma

btluynk
Loves-to-Learn Lots

Hi,

First of all, thank you for your response. I am sharing the outputs I got when I tried using HTTP and HTTPS below. It may be due to the SSL setting of the HTTP collector, but I think there will be other logs affected.

XXX.XXX@XXX-XXX-XXX ~ % curl -kv http://1.1.1.1:8088/services/collector/raw -H "Authorization: Splunk XXX-XXX-XXX-XXX-XXX" -d '{"event": "cheesecake"}' --insecure

* Trying 1.1.1.1:8088...
* Connected to 1.1.1.1 (1.1.1.1) port 8088 (#0)
> POST /services/collector/raw HTTP/1.1
> Host: 1.1.1.1:8088
> User-Agent: curl/8.1.2
> Accept: */*
> Authorization: Splunk XXX-XXX-XXX-XXX-XXX
> Content-Length: 23
> Content-Type: application/x-www-form-urlencoded
>
< HTTP/1.1 200 OK
< Date: Tue, 16 Jan 2024 14:31:55 GMT
< Content-Type: application/json; charset=UTF-8
< X-Content-Type-Options: nosniff
< Content-Length: 27
< Vary: Authorization
< Connection: Keep-Alive
< X-Frame-Options: SAMEORIGIN
< Server: Splunkd
<
* Connection #0 to host 1.1.1.1 left intact
{"text":"Success","code":0}%

XXX.XXX@XXX-XXX-XXX ~ % curl -kv https://1.1.1.1:8088/services/collector/raw -H "Authorization: Splunk XXX-XXX-XXX-XXX-XXX" -d '{"event": "cheesecake"}' --insecure

* Trying 1.1.1.1:8088...
* Connected to 1.1.1.1 (1.1.1.1) port 8088 (#0)
* ALPN: offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
* LibreSSL/3.3.6: error:1404B42E:SSL routines:ST_CONNECT:tlsv1 alert protocol version
* Closing connection 0
curl: (35) LibreSSL/3.3.6: error:1404B42E:SSL routines:ST_CONNECT:tlsv1 alert protocol version

0 Karma

btluynk
Loves-to-Learn Lots

[attached image: btluynk_0-1705413996079.png]

0 Karma

ITWhisperer
SplunkTrust

You seem to be specifying that you want to use SSL (https) but you don't appear to be providing any certificates etc. Have you tried using http instead?

0 Karma