No, there is not auth mechanism chaining currently supported, whereby you can fallback on another mechanism if the previous ones fail. ... View more

Hello Could you please see if The signing certificate that IdP uses has not expired, if it has please use a new certificate for signing and export new IdpMetadata and reimport that metadata into splunk. If you are using certificate chains, like root CA -> intermediate CA -> (any level of intermediate CAs) -> signing cert. Ensure that under folder $SPLUNK_HOME/etc/auth/idpCerts there is a folder called idpCertChain_1 and there are all the files of intermediate CAs and your signing certificate. Also ensure that under $SPLUNK_HOME/etc/auth/idpCerts there are no pem files directly under it. Let me know how it goes. Also if this does not solve your problem would it be possible to list the files and directories directly under $SPLUNK_HOME/etc/auth/idpCerts . You dont have to paste the contents of the file, just the file names themselves should be sufficient. ... View more

I would recommend a slightly roundabout way of doing this. 1) Configure splunk to use SAML for authentication. 2) Then on your IDP configure as many factors of authentication as you want/your IDP supports. The advantange of this method is that generally speaking IDP's can support multiple factors of auth, and splunk can support idp's so you potentially have a fairly large combination to pick from, you can just delegate the auth part to IDP, once user authenticates with IDP all splunk cares about is the assertion and it will log you in ... View more

Can you paste the relevant error logs you are seeing with confidential information redacted. ... View more

Okay there may be two problems here. (or 3) 1) Base64 decoding for the response is failing for some reason. 2) There could be some cert related issues. 3) Maybe the response is encrypted. To rule out 1 I would recommend, to disable signature verification on splunk's end. you already have a way to figure out 2, in your description. I would also suggest checking if the response is encrypted. We dont support encrypted responses. Let us know how it goes. ... View more

Have you tried using default 'catalina' sourcetype ? https://docs.splunk.com/Documentation/Splunk/6.5.0/Data/Listofpretrainedsourcetypes look for catalina ... View more

You may also want to look at this http://blogs.splunk.com/2016/09/01/configuring-okta-security-assertion-markup-language-saml-single-sign-on-sso-with-splunk-cloud/ it contains info on configuring okta side as well. ... View more

So if you are asking that can you selectively ask for second factor of authentication only for certain roles then the answer is NO. Once you pass whatever authentication mechanism is configured roles are assigned after that step. ... View more

Because we do not know what openssl you might have (or if have it). We also want to use an openssl version that we have tested with and meets our security policies. ... View more

This will not work for splunk self-service, the ECC certs that splunk uses are too strong, this is a known issue. However i would also suggest looking at the following post. http://stackoverflow.com/questions/31107851/how-to-fix-curl-35-cannot-communicate-securely-with-peer-no-common-encryptio Basically you specify the required cipher explicitly as an option. Now which one to specify, you figure this out by checking the ciphers on server. Okay I was able to fix this. So basically you understand that curl does not support even one of the ciphers that server is willing to negotiate. Note that the I was testing this on a ubuntu machine. curl that was present on my ubuntu machine was not using openssl. I think that the default curl that you get by doing sudo apt-get is not built with openssl. So I built curl following this post http://askubuntu.com/questions/764443/how-to-compile-curl-with-ssl-support After that I was able to make curl request. I also have a mac and I was able to make curl request successfully from there. I also had another colleague of mine who was not able to do so from mac. So I think a solution would be to build curl from source specifying an SSL library to build with ( this may depend on the os that you are using). Let me know how it goes. ... View more

Actually role can be any strings in 6.4 and onwards, they dont have to be of form ""cn=splunk_admin,dc=myorg,dc=int" "Domain Users" would still work. You are right about the attribute alias mapping though Alternatively you can look at the claim language generated for "role" in ADFS, copy it out and change the name from "http://..." to just role and add a custom claim. That should also work. ... View more

If you look at docker code for splunk driver: https://github.com/docker/docker/blob/master/daemon/logger/splunk/splunk.go#L569 it appends 'services/collector/event' to the configured url. So when you use browser append that path to splunk host. When you use splunk driver dont append that. ... View more

have you tried removing '/services/collector/event' from splunk-url, atleast that is what the error says? ... View more

Hey mvidal, Could you double check that the token that you have put in outputs.conf is indeed a valid one. That is, it has the same value which you got when you generated on indexer. Some key points to keep in mind. 1) Not all strings are valid tokens, they are GUID's. If it is not a valid token it will not be sent from the forwarder to indexer. 2) Your token stays in plain text because string '8-4-4-4-12' is not a valid guid, since it is not a valid token we dont even look at it from the perpective of using it or encrypting it. Technically you should not have to care about how tokens are generated by indexer. You should treat them as opaque objects from your side. ... View more

Your idpSSOUrl is incorrect. It should not have query parameter in it. Typically it will be something like https://someDomainName/someEndPoint ... View more

@barona, could you please post another question with this specific question, it will be nice if some one from splunk-cloud can authoritatively answer that. There are multiple types of cloud offerings and I am not sure what is the right bucket for this specific request. I can however confirm that we are working on resolving this issue. ... View more

Not sure, youll have to talk to someone in marketing probably. Or post a different question. ... View more

Okay this is not supported for splunk cloud trial, the problem is that splunk cloud trial uses ECDSA, which although being strong, is not very widely supported. Docker fails handshake because of that. What you can do is get a real cloud account and then ask for a different certificate. In addition to golang it also affects .NET. ... View more

Using splunk enterprise for this specific case breaks the chicken->egg cycle, if you can get it to work with a trial splunk enterprise(you have more control over what you want to do), then you can go and use splunk cloud (cause it should work there too). Most of the things that work with splunk enterprise will work with cloud too. I was asking to do this to know if HTTP Event Collector has been configured correctly. Seems like it is cause you can make curl requests and they get indexed. I am going to dig on this more on docker side, i tried with docker version 1.12.1, I think since its a minor version change from what you ran, the issue might be something else. I will comeback once I have an answer. ... View more

What error do you get when you run docker with --debug options ? ... View more

On Splunk enterprise I was able to set docker to data to Splunk, using HTTP Event Collector, running docker with same command as you have specified in the question. Except that I also ensured on splunk Enterprise indexer acknowledgement was disabled. I suspect that there could be two problems that you could be running into. 1) You may not have opened a ticket with Splunk support so that they can do the needful to allow incoming HTTP requests on the port (firewall may be blocking the port). https://answers.splunk.com/answers/432236/i-am-a-splunk-cloud-customer-i-want-to-use-the-htt.html 2) Disable indexer acknowledgement. 3) If you have done 1 and 2 above run docker with --debug flag. and paste the output here. We can take a look at it. 4) I am not sure if Splunk cloud will actually open a support ticket for free trial version (I could be wrong). To solve the chicken and egg problem (having to buy license in order to evaluate if this works for you or not) In that case I would recommend downloading a splunk enterprise version and see if it meets your needs, if it does, buy it and then you can request all the support that you want. ... View more

2) the paths are absolute. value of the absolute path is obtained from step1 ... View more

So I think that there are couple of ways to address this. 1) If your fowarding system is non-splunk: By writing a small proxy. You could spawn a small multi threaded TCP server (in python for ease), and then have some form of authentication of forwarders, as a handshake step after connection is established. After handshake is done you can just blindly start forwarding data to the tcpinput port. 2) If you forwarding system is Splunk based: There is a mechanism of setting up shared secret keys between forwarding an receiving side. You can do this by https://docs.splunk.com/Documentation/Forwarder/6.4.2/Forwarder/Controlforwarderaccess#Configure_the_indexer_with_the_token ... View more