So after spending the better part of the last 60 days trying to get the Zoom add-on to work, here's what we've learned. We could not get the Zoom add-on to work, so we had to use HTTP Event Collection, which a Splunk tech linked us to: https://www.splunk.com/en_us/blog/tips-and-tricks/splunking-webhooks-with-the-http-event-collector.html

That got us onto the right track, but then we realized that it appears Zoom won't accept a Splunk self-signed cert, so we got our security team to get us some signed certs and added the stanzas "ServerCert=*your_cert*" and "privKeyPath=*Your key*" to the /etc/apps/splunk_httpinput/local/inputs.conf, and we were almost there. HEC also uses a token, which Zoom doesn't know what to do with, but if you read the article above, you know you also need to add the "allowQueryStringAuth=true" stanza to the inputs.conf and include ?token=*the token Splunk HEC generates* in your endpoint, and that FINALLY got it to work.

So it's: use HEC, not the Zoom add-on. The Zoom endpoint is just: configure your event subscriptions and use https://*your public server hostname*/services/collector/raw?token=*the token splunk generates*. Then add your signed certs into your inputs.conf and you should start ingesting data.

Hopefully this saves someone 58 or 59 days, because this seriously took us forever to finally solve. I'm not kidding when I say it probably took us 60 days to finally work out...
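An inputs.conf layout matching the steps above, written here as an added example (not from the original post or from Splunk's own docs); the certificate path, the token stanza name and the index name are assumptions:

```ini
; Assumed location: $SPLUNK_HOME/etc/apps/splunk_httpinput/local/inputs.conf
; Global HEC settings. TLS is required, and the cert must chain to a CA the
; webhook sender trusts, since the sender will not accept a self-signed cert.
[http]
disabled = 0
enableSSL = 1
port = 8088
; Assumed path: PEM with the signed server cert plus its chain.
serverCert = $SPLUNK_HOME/etc/auth/zoom-hec/server.pem
; Older Splunk versions took the key as a separate file (the setting named in
; the post); newer versions expect the key inside the serverCert PEM instead.
privKeyPath = $SPLUNK_HOME/etc/auth/zoom-hec/server.key

; Per-token stanza for the webhook sender (stanza name is an assumption).
[http://zoom_webhooks]
disabled = 0
token = <token-generated-by-splunk>
; Needed because the sender can only append the token to the URL, i.e.
; https://<public hostname>:8088/services/collector/raw?token=<token>
; Caveat: a query-string token is visible in proxy and web-server logs,
; so scope what this token can write and rotate it if those logs leak.
allowQueryStringAuth = true
; Restrict this token to one index and sourcetype so a leaked token
; cannot write into other data sets.
index = zoom
indexes = zoom
sourcetype = zoom:webhook
```

Check the chain before pointing the sender at it: an HTTPS client without any "insecure" or "skip verify" option should be able to reach the /services/collector endpoint without a certificate error.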