Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About sutom
sutom
Explorer
Member since:
03-23-2021
09-15-2021
Community Statistics
| Posts | 12 |
| Solutions | 0 |
| Karma Given | 0 |
| Karma Received | 0 |
| Member Since | 03-23-2021 |
Activity Feed
- Posted Re: Failed to send log with syslog - syslog-ng[1]: curl: error sending HTTP request - 'Couldn\'t connect to server' on Getting Data In. 08-31-2021 12:00 AM
- Tagged Re: Failed to send log with syslog - syslog-ng[1]: curl: error sending HTTP request - 'Couldn\'t connect to server' on Getting Data In. 08-27-2021 12:01 PM
- Tagged Re: Failed to send log with syslog - syslog-ng[1]: curl: error sending HTTP request - 'Couldn\'t connect to server' on Getting Data In. 08-27-2021 12:01 PM
- Tagged Re: Failed to send log with syslog - syslog-ng[1]: curl: error sending HTTP request - 'Couldn\'t connect to server' on Getting Data In. 08-27-2021 12:01 PM
- Posted Re: Failed to send log with syslog - syslog-ng[1]: curl: error sending HTTP request - 'Couldn\'t connect to server' on Getting Data In. 08-27-2021 11:58 AM
- Posted Re: Failed to send log with syslog - syslog-ng[1]: curl: error sending HTTP request - 'Couldn\'t connect to server' on Getting Data In. 08-26-2021 12:06 PM
- Tagged Re: Failed to send log with syslog - syslog-ng[1]: curl: error sending HTTP request - 'Couldn\'t connect to server' on Getting Data In. 08-26-2021 12:06 PM
- Tagged Re: Failed to send log with syslog - syslog-ng[1]: curl: error sending HTTP request - 'Couldn\'t connect to server' on Getting Data In. 08-26-2021 12:06 PM
- Posted Re: Failed to send log with syslog - syslog-ng[1]: curl: error sending HTTP request - 'Couldn\'t connect to server' on Getting Data In. 08-17-2021 09:38 AM
- Posted Re: Failed to send log with syslog - syslog-ng[1]: curl: error sending HTTP request - 'Couldn\'t connect to server' on Getting Data In. 08-17-2021 02:15 AM
- Posted Re: Failed to send log with syslog - syslog-ng[1]: curl: error sending HTTP request - 'Couldn\'t connect to server' on Getting Data In. 08-16-2021 11:08 AM
- Posted Re: Failed to send log with syslog - syslog-ng[1]: curl: error sending HTTP request - 'Couldn\'t connect to server' on Getting Data In. 08-16-2021 10:39 AM
- Posted Re: Failed to send log with syslog - syslog-ng[1]: curl: error sending HTTP request - 'Couldn\'t connect to server' on Getting Data In. 08-16-2021 10:02 AM
- Posted Failed to send log with syslog - syslog-ng[1]: curl: error sending HTTP request - 'Couldn\'t connect to server' on Getting Data In. 08-16-2021 06:29 AM
- Tagged Failed to send log with syslog - syslog-ng[1]: curl: error sending HTTP request - 'Couldn\'t connect to server' on Getting Data In. 08-16-2021 06:29 AM
- Tagged Failed to send log with syslog - syslog-ng[1]: curl: error sending HTTP request - 'Couldn\'t connect to server' on Getting Data In. 08-16-2021 06:29 AM
- Tagged Failed to send log with syslog - syslog-ng[1]: curl: error sending HTTP request - 'Couldn\'t connect to server' on Getting Data In. 08-16-2021 06:29 AM
- Posted Possible way to receive /consume Email in Splunk and interpret them as an event on Getting Data In. 04-01-2021 07:15 AM
- Tagged Possible way to receive /consume Email in Splunk and interpret them as an event on Getting Data In. 04-01-2021 07:15 AM
- Tagged Possible way to receive /consume Email in Splunk and interpret them as an event on Getting Data In. 04-01-2021 07:15 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 |
08-31-2021
12:00 AM
Dear @s2_splunk , Finally I got my SC4S logs on the place, Above error got resolve by setting the below variable- SC4S_DEST_SPLUNK_HEC_TLS_VERIFY = no
... View more
08-27-2021
11:58 AM
Thanks @s2_splunk I did nslookup for my splunkcloud.com hostname and got the same IP address as in my connection timeout? $ nslookup http-inputs-sudhir.splunkcloud.com
Non-authoritative answer:
Server: dns.google
Address: 8.8.8.8
Name: sudhir-indexers-15287165932.xx-xxxxx-xx.elb.amazonaws.com
Addresses: 4.54.253.184
4.54.142.7
Aliases: http-inputs-sudhir.splunkcloud.com Then I set the HTTPS_PROXY = value(HTTPS_PROXY environment variable setting from my host) in env_file of your SC4S container and tried the CURL command in image interactive mode and it got succeed - Thank you. But again I got another issue related to CA certificate- syslog-ng[165]: curl: error sending HTTP request; url='https://http-inputs-sudhir.splunkcloud.com:443/services/collector/event', error='Peer certificate cannot be authenticated with given CA certificates', worker_index='3', driver='d_hec_fmt#0', location='root generator dest_hec:5:5' I have few SSL certificates installed on machine, but note sure whether those are creating problem. Need suggestion, do I need to uninstall my ssl certs from here or need to install ssl root CA on cloud HEC-end point. I am hoping now this will not trouble more as earlier.
... View more
08-26-2021
12:06 PM
Thanks @s2_splunk As you suggested, I tried to run the CURL command in normal mode as well as image interactive mode and it got failed in interactive mode. Normal mode CURL command - [root@hostname ~]# curl -k https://http-inputs-sudhir.splunkcloud.com:443/services/collector -H "Authorization: Splunk Z93TSS87-F826-19V1-01W1-Q9Q8G1G8264" -d '{"event": "hello_world", "sourcetype":"mysourcetype"}'
{"text":"Success","code":0} CURL command in image interactive mode - it's timed out podman exec -it containerid /bin/sh
sh-4.4# curl -k -v https://http-inputs-sudhir.splunkcloud.com:443/services/collector -H "Authorization: Splunk Z93TSS87-F826-19V1-01W1-Q9Q8G1G8264" -d '{"event": "hello_world", "sourcetype":"mycontainer"}'
* Trying 4.54.253.184...
* TCP_NODELAY set
* connect to 4.54.253.184 port 443 failed: Connection timed out
* Trying 4.54.142.7...
* TCP_NODELAY set
^C
sh-4.4# exit Looks like podman is not picking up system-wide proxy settings, Any suggestion here how I can troubleshoot or force podman for system proxy
... View more
08-17-2021
09:38 AM
podman -v podman version 3.0.2-dev
... View more
08-17-2021
02:15 AM
@s2_splunkI have tried the curl command and the output is given above. Yes, we have a proxy configuration on the server. could you please help me with some hits - like how I can identify which proxy configuration affecting podman container.
... View more
08-16-2021
11:08 AM
@s2_splunkyou are right. I have modified the HEC URL. Here is the curl command response - [root@hostname ~]# curl -k https://http-inputs-sudhir.splunkcloud.com:443/services/collector/event -H "Authorization: Splunk Z93TSS87-F826-19V1-01W1-Q9Q8G1G8264" -d '{"event": "hello world"}'
{"text":"Success","code":0}
[root@hostname ~]# Output is success but with script is failing
... View more
08-16-2021
10:39 AM
Thanks for response @s2_splunk I have sensitized the URL- my actual URL is- "https://http-inputs-sudhir.splunkcloud.com:443"
... View more
08-16-2021
10:02 AM
Thanks for the hit @harsmarvania57 As per suggestion I have updated the version and also manage the config according to new version, but again I am getting same kind of error. update env_file. [root@hostname ~]# cat /opt/sc4s/env_file
SC4S_DEST_SPLUNK_HEC_DEFAULT_URL=https://http-singh-sudhir.splunkcloud.com:443
SC4S_DEST_SPLUNK_HEC_DEFAULT_TOKEN=Z93TSS87-F826-19V1-01W1-Q9Q8G1G8264
#Uncomment the following line if using untrusted SSL certificates
#SC4S_DEST_SPLUNK_HEC_DEFAULT_TLS_VERIFY=no
SC4S_DEST_GLOBAL_ALTERNATES=d_hec_debug podman logs SC4S [root@hostname sc4s]# podman logs SC4S
curl: (7) Failed to connect to http-singh-sudhir.splunkcloud.com port 443: Connection timed out
SC4S_ENV_CHECK_HEC: Invalid Splunk HEC URL, invalid token, or other HEC connectivity issue index=main. sourcetype=sc4s:fallback
Startup will continue to prevent data loss if this is a transient failure.
syslog-ng checking config
sc4s version=1.86.4
starting goss
starting syslog-ng
Aug 16 16:07:35.327 hostname syslog-ng[166]: syslog-ng starting up; version='3.32.1'
Aug 16 16:07:36.700 hostname syslog-ng[166]: curl: error sending HTTP request; url='http-singh-sudhir.splunkcloud.com:443/services/collector/event', error='Couldn\'t connect to server', worker_index='2', driver='d_hec_fmt#0', location='root generator dest_hec:5:5'
Aug 16 16:07:36.700 hostname syslog-ng[166]: curl: error sending HTTP request; url='http-singh-sudhir.splunkcloud.com:443/services/collector/event', error='Couldn\'t connect to server', worker_index='3', driver='d_hec_fmt#0', location='root generator dest_hec:5:5'
Aug 16 16:07:36.700 hostname syslog-ng[166]: Server disconnected while preparing messages for sending, trying again; driver='d_hec_fmt#0', location='root generator dest_hec:5:5', worker_index='2', time_reopen='10', batch_size='198'
Aug 16 16:07:36.700 hostname syslog-ng[166]: Server disconnected while preparing messages for sending, trying again; driver='d_hec_fmt#0', location='root generator dest_hec:5:5', worker_index='3', time_reopen='10', batch_size='198' Log from Debug file - [root@hostname sc4s_events]# cat 2021-08-16-hec.log
curl -k -u "sc4s HEC debug:$SC4S_DEST_SPLUNK_HEC_DEFAULT_TOKEN" "https://http-singh-sudhir.splunkcloud.com:443/services/collector/event" -d '{"time":"1629130055.327","sourcetype":"sc4s:events","source":"sc4s","index":"main","host":"sudhir4321","fields":{"sc4s_vendor_product":"sc4s_events","sc4s_syslog_facility":"syslog","sc4s_loghost":"sudhir4321","sc4s_container":"sudhir4321"},"event":"2021-08-16T16:07:35.327+00:00 sudhir4321 syslog-ng 166 - [meta sequenceId=\"1\"] syslog-ng starting up; version='3.32.1'"}'
curl -k -u "sc4s HEC debug:$SC4S_DEST_SPLUNK_HEC_DEFAULT_TOKEN" "https://http-singh-sudhir.splunkcloud.com:443/services/collector/event" -d '{"time":"1629130056.401","sourcetype":"sc4s:events:startup:out","source":"sc4s","index":"main","host":"sudhir4321","fields":{"sc4s_vendor_product":"sc4s_events","sc4s_syslog_facility":"user","sc4s_loghost":"sudhir4321","sc4s_container":"sudhir4321"},"event":"syslog-ng-config: sc4s version=1.86.4"}'
curl -k -u "sc4s HEC debug:$SC4S_DEST_SPLUNK_HEC_DEFAULT_TOKEN" "https://http-singh-sudhir.splunkcloud.com:443/services/collector/event" -d '{"time":"1629130056.700","sourcetype":"sc4s:events","source":"sc4s","index":"main","host":"sudhir4321","fields":{"sc4s_vendor_product":"sc4s_events","sc4s_syslog_facility":"syslog","sc4s_loghost":"sudhir4321","sc4s_container":"sudhir4321"},"event":"2021-08-16T16:07:36.700+00:00 sudhir4321 syslog-ng 166 - [meta sequenceId=\"3\"] curl: error sending HTTP request; url='https://http-singh-sudhir.splunkcloud.com:443/services/collector/event', error='Couldn\\'t connect to server', worker_index='2', driver='d_hec_fmt#0', location='root generator dest_hec:5:5'"}' What could be the issue now, can you please help me to understand.
... View more
08-16-2021
06:29 AM
I am trying to run the splunk connect syslog via podman, here is the reference links - https://splunk-connect-for-syslog.readthedocs.io/en/latest/gettingstarted/#offline-container-installation https://splunk-connect-for-syslog.readthedocs.io/en/latest/gettingstarted/podman-systemd-general/ My podman container is up and running, all the configuration on place as per doc instructions - But I am facing a issue related to sending logs HTTP request. Below is my configuration file and activity logs. My env_file [root@hostname ~]# cat /opt/sc4s/env_file
SPLUNK_HEC_URL=https://http-singh-sudhir.splunkcloud.com:443
SPLUNK_HEC_TOKEN=Z93TSS87-F826-19V1-01W1-Q9Q8G1G8264
#Uncomment the following line if using untrusted SSL certificates
#SC4S_DEST_SPLUNK_HEC_DEFAULT_TLS_VERIFY=no
SC4S_DEST_SPLUNK_HEC_DEFAULT_DISKBUFF_DIR=/opt/sc4s/storage/volumes Using above config the manual curl command is successful [root@hostname ~]# curl -k https://http-singh-sudhir.splunkcloud.com:443/services/collector/event?channel=Q9Q8G1W5-Z93T-F826-19V1-Q9Q8G1G8264 -H "Authorization: Splunk Z93TSS87-F826-19V1-01W1-Q9Q8G1G8264 " -d '{"event": "hello_world"}'
{"text":"Success","code":0}[root@hostname ~]# ^C But with same config, podman logs SC4S is throwing error [root@hostname ~]# /usr/bin/podman logs SC4S
'/opt/syslog-ng/etc/conf.d/local/context/compliance_meta_by_source.conf.example' -> '/opt/syslog-ng/etc/conf.d/local/context/compliance_meta_by_source.conf'
'/opt/syslog-ng/etc/conf.d/local/context/compliance_meta_by_source.csv.example' -> '/opt/syslog-ng/etc/conf.d/local/context/compliance_meta_by_source.csv'
'/opt/syslog-ng/etc/conf.d/local/context/splunk_index.csv.example' -> '/opt/syslog-ng/etc/conf.d/local/context/splunk_index.csv'
'/opt/syslog-ng/etc/conf.d/local/context/vendor_product_by_source.conf.example' -> '/opt/syslog-ng/etc/conf.d/local/context/vendor_product_by_source.conf'
'/opt/syslog-ng/etc/conf.d/local/context/vendor_product_by_source.csv.example' -> '/opt/syslog-ng/etc/conf.d/local/context/vendor_product_by_source.csv'
'/opt/syslog-ng/etc/local_config/destinations/README.md' -> '/opt/syslog-ng/etc/conf.d/local/config/destinations/README.md'
'/opt/syslog-ng/etc/local_config/filters/README.md' -> '/opt/syslog-ng/etc/conf.d/local/config/filters/README.md'
'/opt/syslog-ng/etc/local_config/filters/example.conf' -> '/opt/syslog-ng/etc/conf.d/local/config/filters/example.conf'
'/opt/syslog-ng/etc/local_config/log_paths/README.md' -> '/opt/syslog-ng/etc/conf.d/local/config/log_paths/README.md'
'/opt/syslog-ng/etc/local_config/log_paths/lp-example.conf.tmpl' -> '/opt/syslog-ng/etc/conf.d/local/config/log_paths/lp-example.conf.tmpl'
'/opt/syslog-ng/etc/local_config/log_paths/lp-example.conf' -> '/opt/syslog-ng/etc/conf.d/local/config/log_paths/lp-example.conf'
'/opt/syslog-ng/etc/local_config/sources/README.md' -> '/opt/syslog-ng/etc/conf.d/local/config/sources/README.md'
syslog-ng checking config
sc4s version=v1.12.0
syslog-ng starting
Aug 16 11:44:12 hostname syslog-ng[1]: syslog-ng starting up; version='3.25.1'
Aug 16 11:44:12 hostname syslog-ng-config: sc4s version=v1.12.0
Aug 16 11:44:12 hostname syslog-ng[1]: curl: error sending HTTP request; url='https://http-singh-sudhir.splunkcloud.com:443/services/collector/event', error='Couldn\'t connect to server', worker_index='1', driver='d_hec_internal#0', location='/opt/syslog-ng/etc/conf.d/destinations/splunk_hec_internal.conf:2:5'
Aug 16 11:44:12 hostname syslog-ng[1]: Server disconnected while preparing messages for sending, trying again; driver='d_hec_internal#0', location='/opt/syslog-ng/etc/conf.d/destinations/splunk_hec_internal.conf:2:5', worker_index='1', time_reopen='10', batch_size='1'
Aug 16 11:44:12 hostname syslog-ng[1]: curl: error sending HTTP request; url='https://http-singh-sudhir.splunkcloud.com:443/services/collector/event', error='Couldn\'t connect to server', worker_index='0', driver='d_hec_internal#0', location='/opt/syslog-ng/etc/conf.d/destinations/splunk_hec_internal.conf:2:5'
Aug 16 11:44:12 hostname syslog-ng[1]: Server disconnected while preparing messages for sending, trying again; driver='d_hec_internal#0', location='/opt/syslog-ng/etc/conf.d/destinations/splunk_hec_internal.conf:2:5', worker_index='0', time_reopen='10', batch_size='1'
I am not able to understand what is missing here from my side. if is curl fails then it should be in both cases, looking forward to your help. please point out what is wrong with this.
... View more
Labels
04-01-2021
07:15 AM
Hi All, I am searching App/Add-on to consume or receive the Email in Splunk cloud. Here is my use case - I have a 4-email server such as - Gmail, Yahoo, Hotmail, and outlook from where I use to receive the emails very frequently for some use cases. Here I want to onboard these emails in Splunk, OR consume/receive these emails in Splunk and interpret them as an event. I came across some of the APPs - https://splunkbase.splunk.com/app/3200 https://splunkbase.splunk.com/app/1739 But did not figure out which is best for my case. Can anyone please help here to identify the best one for my use-case or any other best possible to achieve this? Thanks.
... View more
03-24-2021
07:09 AM
Thanks @hoaxm3 it worked out, Now I am able to Suppression = src,uri_path,status with three field and getting result as expected.
... View more
03-24-2021
03:45 AM
Hello Everyone, I am new to this place and this is my first query, looking for your help. I have a use-case where I am trying to set an alert and make it dynamic based on the SLP query result, my recipient list is constant. but Alert is not working as I expected. I went through a lot of links and Splunk docs but still, I am in middle. My requirement is to send the alert for every row from the result based on status and src(host IP) but I am receiving an alert only for the first row from the result. Here is the query - index=dummy uri_path
| stats count(eval(status>399)) as Error_Count by uri_path, status,user_name, src | where Error_Count > 0 Result - uri_path status user_name src Error_count /user/new 400 XXX 123.21.321.12 1 /user/show 404 YYY 321.12.32.21 1 My Alert Subject - $result.status$ Error while access API for User $result.user_name$ My Message - $result.status$ Error got observed while access API $result.uri_path$ with user $result.user_name$ on host $result.src$.
For more info please click on below link My alert subject and message is getting update based on the result but I am constantly getting Alert for first row from result - Splunk Alert: 400 Error while access API for User XXX. which is correct for first row Some configuration in alert - Alert type - Crone sachedule for 15 minutes, Cron Expression - */15 * * * * , Expire - 24 hour Trigger alert when - is greater then 0, Trigger - for each result. Throttle - yes Suppress results containing field value - src=$result.src$, Suppress triggering for - 20-minutes Still I am getting alert for first row from result,Not sure what I am missing here to get other rows alerts. If you can see I have suppressed based on src and in result SRC is different for both the rows. so based on this I should get both alerts but I am not. Can anyone please help me to understand this, I want to send the alert based on status and src, if any new status + src combination come in result then it should send the result wether it is on first row in result or sencond row in result. Hope I am able to express my query.
... View more
Labels
- Labels:
-
alert action
-
email
-
throttling
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
09-15-2021
07:36 AM
|
