Splunk Enterprise

Splunk HEC token is not working

uagraw01
Builder

As per the screenshot below, my server is not giving any health status for HEC port 8088. Due to this I am not able to publish anything using the HEC token in Splunk, for example:

curl -k -H "Authorization: Splunk ee6d8a90-4863-4789-9ff1-fda810bee6f2" http://walvau-vidi-1:8000/services/collector/event -d '{"event": "hello world"}'


Please guide me on what the issue could be and how I can investigate this further.

uagraw01_0-1711736562730.png

default inputs.conf :

[http]
disabled=1
port=8088
enableSSL=1
dedicatedIoThreads=2
maxThreads = 0
maxSockets = 0
useDeploymentServer=0
# ssl settings are similar to mgmt server
sslVersions=*,-ssl2
allowSslCompression=true
allowSslRenegotiation=true
ackIdleCleanup=true


local inputs.conf:

[http]
disabled = 0
enableSSL = 0

PickleRick
SplunkTrust

The usual debugging steps apply:

1) Check if the receiving side is listening on the port (use netstat to list open ports and verify if 8088 is among them).

2) Check the network connectivity from the client

3) Verify firewall rules

4) If needed, run tcpdump/wireshark on the server and see if any traffic from the client is reaching the server at all.

When you can connect to your HEC service port you can start debugging the token settings.

uagraw01
Builder

@PickleRick @marnall After further investigation I found that TCP port 8088 is being used by another app. I removed the config from there and now everything is working fine.

Issued screenshot:

uagraw01_0-1711790925217.png

Resolved screenshot:

uagraw01_1-1711790993298.png

Thanks to both of you for your support and suggestions.

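The root cause above was a second app claiming TCP port 8088. The following is an added example, not Splunk code or anything the poster ran: a small Python script that parses inputs.conf files with Splunk's stanza syntax, applies local-over-default precedence within each app, and reports any listening port claimed by more than one enabled stanza. The app name `some_other_app`, the `[tcp://8088]` stanza and the sample file contents are constructed for the demonstration; the `[http]` stanzas mirror the default and local files quoted in the question.

```python
import os
import re
from collections import defaultdict

STANZA_RE = re.compile(r"^\[(.+?)\]$")
KV_RE = re.compile(r"^([^=#\s][^=]*?)\s*=\s*(.*?)$")
# Inputs whose listening port lives in the stanza name rather than a key, e.g. [tcp://8088]
NETWORK_STANZA_RE = re.compile(r"^(tcp|splunktcp|udp)://(?:[^:\]]+:)?(\d+)$")


def parse_conf(text):
    """Minimal parser for Splunk .conf syntax: [stanza] headers, key = value lines, # comments."""
    stanzas = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = STANZA_RE.match(line)
        if m:
            current = m.group(1)
            stanzas.setdefault(current, {})
            continue
        m = KV_RE.match(line)
        if m and current is not None:
            stanzas[current][m.group(1)] = m.group(2)
    return stanzas


def merge_app(default_text, local_text):
    """Within one app, keys in local/inputs.conf override the same keys in default/inputs.conf."""
    merged = parse_conf(default_text)
    for stanza, keys in parse_conf(local_text).items():
        merged.setdefault(stanza, {}).update(keys)
    return merged


def listening_port(stanza, keys):
    """Port from a [tcp://...]-style stanza name, else the stanza's port key (e.g. [http] port=8088)."""
    m = NETWORK_STANZA_RE.match(stanza)
    if m:
        return m.group(2)
    return keys.get("port")


def is_enabled(keys):
    return keys.get("disabled", "0").lower() not in ("1", "true")


def port_claims(apps):
    """apps: {app_name: (default_text, local_text)} -> {port: [(app, stanza), ...]} for enabled inputs."""
    claims = defaultdict(list)
    for app, (default_text, local_text) in apps.items():
        for stanza, keys in merge_app(default_text, local_text).items():
            port = listening_port(stanza, keys)
            if port and is_enabled(keys):
                claims[port].append((app, stanza))
    return dict(claims)


def port_conflicts(apps):
    return {p: owners for p, owners in port_claims(apps).items() if len(owners) > 1}


def load_apps(etc_apps):
    """Read <app>/default/inputs.conf and <app>/local/inputs.conf for every app under $SPLUNK_HOME/etc/apps."""
    apps = {}
    for app in sorted(os.listdir(etc_apps)):
        texts = []
        for layer in ("default", "local"):
            path = os.path.join(etc_apps, app, layer, "inputs.conf")
            texts.append(open(path, encoding="utf-8").read() if os.path.isfile(path) else "")
        if any(texts):
            apps[app] = tuple(texts)
    return apps


# Constructed sample: the HEC app's files from the question plus a made-up second app that also binds 8088.
SAMPLE_APPS = {
    "splunk_httpinput": (
        "[http]\ndisabled=1\nport=8088\nenableSSL=1\n# ssl settings are similar to mgmt server\nsslVersions=*,-ssl2\n",
        "[http]\ndisabled = 0\nenableSSL = 0\n",
    ),
    "some_other_app": (  # hypothetical app name
        "",
        "[tcp://8088]\nsourcetype = syslog\n",
    ),
}

if __name__ == "__main__":
    for port, owners in port_conflicts(SAMPLE_APPS).items():
        print("port %s claimed by: %s" % (port, ", ".join("%s [%s]" % o for o in owners)))
```

Run it against a real instance with `port_conflicts(load_apps("/opt/splunk/etc/apps"))`. The precedence model here is deliberately simplified (it ignores etc/system/local and the ordering between apps); Splunk's own `splunk btool inputs list --debug` prints the fully merged configuration with the file each setting came from, and is the authoritative check.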

marnall
Builder

I would not recommend posting valid authorization tokens on the internet, as unscrupulous people or bots could abuse them.

Could you try curl-ing the collector health endpoint using HTTPS instead of http?

If it still does not give a response, it might be a firewall issue. Try connecting to the machine itself using ssh and then doing a curl on localhost, like this:

curl -k https://127.0.0.1:8088/services/collector/health
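PickleRick's checklist (is anything listening, can the client reach the port, is a firewall dropping traffic) and marnall's localhost health-endpoint probe over https vs. http are the same sequence of checks. As an added example, not code from either poster or from Splunk, here is that sequence in Python: a TCP connect that tells "refused" (nothing listening) apart from "timeout" (typically a firewall), followed by a GET of /services/collector/health first over TLS and then in plaintext, so a scheme mismatch with the server's enableSSL setting shows up as a failed handshake rather than a silent hang. The stub listener at the end is a constructed stand-in for a plaintext HEC (enableSSL = 0), included only so the script runs offline; its `{"text": "HEC is healthy", "code": 17}` reply is the shape a real healthy HEC returns.

```python
import json
import socket
import ssl
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer


def tcp_probe(host, port, timeout=3.0):
    """Plain TCP connect. 'refused' means the host answered but nothing listens on the port;
    'timeout' usually means a firewall or routing problem swallowed the SYN."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except (socket.timeout, TimeoutError):
        return "timeout"
    except OSError as exc:
        return "error: %s" % exc


def hec_health(host, port, use_tls, timeout=5.0):
    """GET /services/collector/health over http or https. Returns (status, body); status is None
    when no HTTP response came back at all, e.g. a TLS handshake against a plaintext listener."""
    scheme = "https" if use_tls else "http"
    url = "%s://%s:%d/services/collector/health" % (scheme, host, port)
    ctx = None
    if use_tls:
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE  # same effect as curl -k: lab troubleshooting only
    try:
        with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as exc:
        return exc.code, exc.read().decode("utf-8", "replace")
    except (urllib.error.URLError, ssl.SSLError, OSError) as exc:
        return None, str(exc)


def diagnose(host, port):
    """Run the checks in order and stop at the first layer that fails."""
    result = {"tcp": tcp_probe(host, port)}
    if result["tcp"] != "open":
        return result
    for use_tls in (True, False):
        status, body = hec_health(host, port, use_tls)
        result["https" if use_tls else "http"] = status
        if status is not None:
            result["body"] = body
            break
    return result


class _StubHecHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for a plaintext HEC listener; not Splunk code."""

    def do_GET(self):
        if self.path == "/services/collector/health":
            payload = json.dumps({"text": "HEC is healthy", "code": 17}).encode()
            self.send_response(200)
        else:
            payload = b'{"text": "not found"}'
            self.send_response(404)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

    def log_message(self, *args):
        pass  # keep the stub quiet; it also swallows the garbage TLS ClientHello it receives


def start_stub_hec():
    """Serve the stub on an ephemeral localhost port in a daemon thread; returns (server, port)."""
    server = HTTPServer(("127.0.0.1", 0), _StubHecHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


if __name__ == "__main__":
    server, port = start_stub_hec()
    print(diagnose("127.0.0.1", port))   # tcp open, https fails to handshake, http returns 200
    server.shutdown()
    server.server_close()
    print(diagnose("127.0.0.1", port))   # now nothing listens: {'tcp': 'refused'}
```

Against a real instance, call `diagnose("127.0.0.1", 8088)` from the Splunk host first, exactly as marnall suggests, and only then from the remote client; if localhost works and the remote client gets "timeout", the problem is between the two machines, not in Splunk.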


uagraw01
Builder

@marnall For your information, I already tried with https before posting this to Splunk Answers, and the Windows server is using telnet instead of SSH.

Can you please help me understand why you suggested https? Because on another server the posted command is working fine with "http".

Please provide more suggestions on this.


marnall
Builder

Depending on how your server is configured, it may reject http connections. Are you able to connect to the collector health endpoint on 127.0.0.1 by connecting to the server via telnet and sending the request to localhost?

uagraw01
Builder

@marnall I have also opened inbound port 8088, so I think a firewall-related issue should not be the concern now.
