Splunk Search

Sending Logs to splunk from logstash

ragmenion
New Member

Hi, I am trying to send logs to Splunk with HEC using Logstash, but the configuration is not working. A curl from the server is working, but logs aren't going through Logstash.

curl -k "https://splunk-hec.test.com:443/services/collector/raw?" \
-H "Authorization: Splunk XXXX" \
-d '{"event": "Hello!", "sourceType": "Test"}'

Logstash output config

http {
  http_method => "post"
  url => "https://splunk-hec.test.com:443/services/collector/event/1.0"
  headers => ['Authorization', 'Splunk XXXXX']
  mapping => {
    "sourcetype" => "logstash"
  }
}

Error

[HTTP Output Failure] Could not fetch URL {:url=>"https//splunk-hec.test.com:443/services/collector/event/1.0", :method=>:post, :body=>"{\"sourcetype\":\"logstash\"}", :headers=>{"Authorization"=>"Splunk XXX", :message=>"connect timed out",

0 Karma

martin_mueller
SplunkTrust

Timeouts most commonly are caused by lack of network connectivity, e.g. a firewall dropping your connection.
Assuming you did the curl test on a different machine, run the curl test on the machine that fails with Logstash, and if curl fails there too, then talk to your network team.

0 Karma
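The check suggested in the answer above, as an added example that is not part of the original thread: a probe to run on the Logstash host that separates a dropped connection (the "connect timed out" case) from DNS, refused-connection and TLS failures. The function names are hypothetical, the default URL is the placeholder host from the question, and it assumes Splunk's HEC health endpoint `/services/collector/health`, which needs no token.

```shell
#!/bin/sh
# Added example, not from the thread. Run on the host where Logstash fails.
# Usage: . ./hec_probe.sh; probe_hec https://splunk-hec.test.com:443

# Turn a curl exit code plus HTTP status into a diagnosis of the failing stage.
classify_probe() {
    rc=$1
    status=$2
    case "$rc" in
        0)
            case "$status" in
                200) echo "ok: HEC reachable and healthy" ;;
                *)   echo "http: reached server, status $status" ;;
            esac ;;
        6)     echo "dns: hostname did not resolve" ;;
        7)     echo "refused: host answered but the port is closed or rejected" ;;
        28)    echo "timeout: packets dropped, check firewall and routing" ;;
        35|60) echo "tls: handshake or certificate verification failed" ;;
        *)     echo "other: curl exit $rc" ;;
    esac
}

# Probe the HEC health endpoint. No -k here, so a certificate this host
# does not trust is reported as its own failure instead of being hidden.
probe_hec() {
    base=${1:-https://splunk-hec.test.com:443}   # placeholder host from the question
    # -w prints only the status code; --connect-timeout bounds the TCP/TLS phase.
    status=$(curl -sS -o /dev/null -w '%{http_code}' \
        --connect-timeout 5 --max-time 10 \
        "$base/services/collector/health" 2>/dev/null)
    rc=$?   # exit status of the curl inside the command substitution
    classify_probe "$rc" "$status"
}
```

A "timeout" result from this host while the same probe succeeds elsewhere points at a network path or firewall rule rather than at the Logstash output block.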