
Website monitoring Web Ping Logs returns a response code of 403.

mnm1987
Explorer

Installed the website monitoring app on an instance of a Splunk Heavy Forwarder (version 7.1.4).
Followed the application configurations as documented, but notice that the web_ping logs indicate a response code of 403.

proxy_server= title= content_size=3858 total_time=14.33 timed_out=False response_code=403 request_time=14.33 proxy_port=8080 content_md5=1993358fa020a17c6a2f89e06442a8de url= content_sha224=76efe249f30e0f9c23d048853e6de43dd1b24e127f0e3056ea8cea44 proxy_type=http

Any ideas why this could be the case?

Regards
Mukund M

0 Karma

LukeMurphey
Champion

Version 2.7.4 has a solution for this. The app now includes the ability to be told not to use the proxy server even if you have a proxy server defined using environment variables (often in $SPLUNK_HOME/etc/splunk-launch.conf) but you don't want the Website Monitoring app to use it.

To get around this, define a value for the proxy_ignore setting in website_monitoring.conf. You can also set this using the setup page for the Website Monitoring app. Set the value of the "Server Ignore List" to "*".

0 Karma

mnm1987
Explorer

Hey @LukeMurphey, thanks for a quick update and release. I am testing this out now.

Question: While configuring inputs we have an option to specify the proxy configs (would these take precedence over the Server Ignore list property)?

0 Karma

mnm1987
Explorer

@LukeMurphey - Unfortunately, still see the 403 errors as before.
Started to work as soon as we disabled the ENV variables defined in the splunk-launch.conf.

0 Karma

nickhills
Ultra Champion

Is it possible that it's the proxy asking for auth (and thus generating the 403 because you are not authenticated on the proxy) rather than the target website?

If my comment helps, please give it a thumbs up!
0 Karma

mnm1987
Explorer

Hmm, there are no auth credentials being passed.
Additionally, adding debug statements in the add-on, there are no proxy params being used while issuing the request.

0 Karma

nickhills
Ultra Champion

That could explain why you get 403 with the proxy, and 200 without then.

You could try with curl to test:

export https_proxy=https://your.proxy.server:8080
curl google.com -Lvv
If my comment helps, please give it a thumbs up!
0 Karma

mnm1987
Explorer

Hello @LukeMurphey,
I was able to find a way for you to reproduce the issue on your end.

We found the reason why the addon is breaking for certain endpoints.

All instances of our Splunk installation have HTTP_PROXY and HTTPS_PROXY env variables defined under

HTTP_PROXY = XXXXX
HTTPS_PROXY = XXXXX

We had to comment out the above two lines for the add on to work.

The strange issue is that no proxies are being used by the add-on when making the HTTP request - we verified this by logging the proxy parameters when the request is being made.

This is just a hack and we would not want to disable the global proxy confs (as there might be other addons that could break as a result of this).

So basically to reproduce the bug, all that would be needed is to add the proxy settings in the "/opt/splunk/etc/splunk-launch.conf" file.

Regards
Mukund M

0 Karma
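
An added example, not part of the original thread and not the app's code: it uses Python 3's standard-library proxy helpers to show how HTTP_PROXY/HTTPS_PROXY in the process environment select a proxy for a URL even when the caller passes no proxy parameters, and how a bypass list changes the outcome. The host names, the proxy URL and the NO_PROXY variable are constructed assumptions, as is the premise that the add-on's HTTP library resolves proxies the way the standard library does.

```python
import os
from unittest import mock
from urllib.parse import urlsplit
from urllib.request import getproxies_environment, proxy_bypass_environment

# Constructed stand-in for the two variables set in splunk-launch.conf.
LAUNCH_CONF_ENV = {
    "HTTP_PROXY": "http://proxy.example.internal:8080",
    "HTTPS_PROXY": "http://proxy.example.internal:8080",
}
# Constructed internal URL, like the one that returned 200 via direct curl.
URL = "https://intranet.example.internal/health"


def effective_proxy(url, env):
    """Return the proxy a urllib-style client would pick for `url` when the
    process environment is `env`, or None if the request would go direct."""
    with mock.patch.dict(os.environ, env, clear=True):
        # Collects every *_proxy / *_PROXY variable, keyed by scheme.
        proxies = getproxies_environment()
        parts = urlsplit(url)
        # A no_proxy entry of "*" or a matching host suffix bypasses the proxy.
        if proxy_bypass_environment(parts.netloc, proxies):
            return None
        return proxies.get(parts.scheme)


def audit(url):
    """Evaluate the same URL under the environments discussed in the thread."""
    cases = {
        "variables commented out": {},
        "variables set": LAUNCH_CONF_ENV,
        "variables set, bypass '*'": {**LAUNCH_CONF_ENV, "NO_PROXY": "*"},
        "variables set, bypass suffix": {**LAUNCH_CONF_ENV,
                                         "NO_PROXY": ".example.internal"},
    }
    return {name: effective_proxy(url, env) for name, env in cases.items()}


if __name__ == "__main__":
    for name, proxy in audit(URL).items():
        print(f"{name:30} -> {proxy or 'direct connection'}")
```
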

LukeMurphey
Champion

Oh awesome! Thank you so much for tracking this down.

I wrote up a bug and plan to fix this soon: https://lukemurphey.net/issues/2373

0 Karma

LukeMurphey
Champion

The site might require authentication. An HTTP 403 response usually indicates that access to the website was denied due to authentication not succeeding.

I'm willing to try to reproduce the problem on my end if the website is publicly available and you provide the URL.

0 Karma

mnm1987
Explorer

Thanks for the quick response Luke, unfortunately this is an internal URL, which would make it difficult to reproduce.

Interestingly - I can curl from the Heavy Forwarder box directly to the URL without needing a Proxy, and the response returned is 200.

0 Karma