Logstash not able to send Event to Splunk HTTP Event Collector

as50790 · October 11, 2019, 6:11am

I'm trying to use logstash to send data directly to an http event collector (HEC). The HEC collector accepts the following correctly.
curl -k https://10.8.71.164:8088/services/collector/raw -H "Authorization: Splunk a3709e9b-8443-4ac5-932b-xxxxxxxxxxxx" -d '{"event": "hello world"}'
{"text":"Success","code":0}

As well as I have configure output pipeline correctly like--->

output {
            http {
                    format => "json"
                    content_type => "application/json"
                    http_method => "post"
                    url => "https://xxx.org:8088/services/collector/raw"
                    cacert => "/****valid***cert_ca.pem"
                    headers => ['Authorization', 'Splunk a3709e9b-8443-4ac5-932b-xxxxxxxxxxxx']
            }
    }

But still data not able to reached at splunk HEC meanwhile when I send through curl data reached on splunk HEC...

so should logstash support to send data on Splunk HEC ?

as50790 · October 11, 2019, 7:27am

Anyone please assist on it we are stuck on it....Thanks in advance

magnusbaeck · October 11, 2019, 7:54am

Have you verified that Logstash is even trying to send anything to Splunk? Are there any clues in Logstash's log file?

as50790 · October 11, 2019, 8:04am

Hi @magnusbaeck,

I have seen some error in logstash log----->

[34892][2019-10-11T01:02:27,329][ERROR][logstash.outputs.http ] [HTTP Output Failure] Could not fetch URL {:url=>"https://10.8.71.164:8088/services/collector/raw", :method=>:post, :body=>"{"offset":160807523,"@version":"1","source":"/opt/sdf/log/af02_alarm_log.10102019","fileset":{"module":"bsf","name":"af02"},"prospector":{"type":"log"},"event_type":"af02","ALARM_TYPE":"0002","tags":["beats_input_codec_plain_applied"],"newTimestamp":"10102019 23:32:28","host":{"name":"vbsfda01dq001"},"ALARM_OWNER":"logstash ","ALARM_SEVERITY":"2","ALARM_COUNT":"1","@timestamp":"2019-10-11T06:32:28.000Z","beat":{"hostname":"vbsfda01dq001","version":"6.4.3","name":"vbsfda01dq001"},"input":{"type":"log"},"ALARM_ID":"9999","ALARM_MESSAGE":"[2019-10-10T23:32:28,541][DEBUG][logstash.outputs.elasticsearch] config LogStash::Outputs::ElasticSearch/@hosts = [//127.0.0.1:9200]\n","time":1.570775548E9}", :headers=>{"Authorization"=>"Splunk a3709e9b-8443-4ac5-932b-47112409702f", "Content-Type"=>"application/json"}, :message=>"Host name '10.8.71.164' does not match the certificate subject provided by the peer (O=SplunkUser, CN=SplunkServerDefaultCert)", :class=>"Manticore::UnknownException", :backtrace=>nil, :will_retry=>false}

But curl -k working fine---->

curl -k https://10.8.71.164:8088/services/collector/raw -H "Authorization: Splunk a3709e9b-8443-4ac5-932b-47112409702f" -d '{"event": "hello world"}'

Badger · October 11, 2019, 3:24pm

You are using 'curl -k', which disables certificate verification. The http output is getting a certificate verification error:

"Host name '10.8.71.164' does not match the certificate subject provided by the peer (O=SplunkUser, CN=SplunkServerDefaultCert)"

Use a matching certificate.

system · November 8, 2019, 3:24pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.