My Splunk heavy forwarder is at https://host.domain.net:8088/ and if I send a request manually it receives data:-
curl -k "https://host.domain.net:8088/services/collector" -H "Authorization: Splunk 999a99ab-99-a" -d '{"event": "Hello, world! Again", "sourcetype": "manual"}'
{"text":"Success","code":0}
However, if I use the test data stream provided by AWS, my Kinesis Firehose is reporting:-
2017-12-14T10:47:45.45T+0100D https://host.domain.net:8088 Could not connect to the HEC endpoint. Make sure that the certificate and the host are valid. Splunk.SSLHandshake 1
The SSL certificate is valid (checked with browser(s)) and is from Let's Encrypt, and there is a password set on the key and the password is correctly being hashed in the /local/inputs.conf
The machine that is running Splunk knows its own hostname (although that resolves to the internal IP address).
TCP dump is showing connections from the correct source IP (and the security group is open 0/0 for testing)
10:13:08.782870 IP 34.241.197.87.35966 > 1.1.1.20.8088
All IPs, Hostnames and Keys are redacted
Indexer Acknowledgement is enabled (turned off to test manual posting)
Upgraded to 7.0.1
Platform: Ubuntu 16.04
At this point I am stumped, any bright ideas much appreciated