Logstash not able to send Event to Splunk HTTP Event Collector

I'm trying to use logstash to send data directly to an http event collector (HEC). The HEC collector accepts the following correctly.
curl -k https://10.8.71.164:8088/services/collector/raw -H "Authorization: Splunk a3709e9b-8443-4ac5-932b-xxxxxxxxxxxx" -d '{"event": "hello world"}'
{"text":"Success","code":0}

I have also configured the output pipeline correctly, like so:

output {
    http {
        format => "json"
        content_type => "application/json"
        http_method => "post"
        url => "https://xxx.org:8088/services/collector/raw"
        cacert => "/****valid***cert_ca.pem"
        headers => ['Authorization', 'Splunk a3709e9b-8443-4ac5-932b-xxxxxxxxxxxx']
    }
}

But the data is still not reaching the Splunk HEC, while when I send it through curl the data reaches the Splunk HEC...

So should Logstash support sending data to the Splunk HEC?

Could anyone please assist with this? We are stuck on it. Thanks in advance.

Have you verified that Logstash is even trying to send anything to Splunk? Are there any clues in Logstash's log file?

Hi @magnusbaeck,

I have seen this error in the Logstash log:

[34892][2019-10-11T01:02:27,329][ERROR][logstash.outputs.http ] [HTTP Output Failure] Could not fetch URL {:url=>"https://10.8.71.164:8088/services/collector/raw", :method=>:post, :body=>"{"offset":160807523,"@version":"1","source":"/opt/sdf/log/af02_alarm_log.10102019","fileset":{"module":"bsf","name":"af02"},"prospector":{"type":"log"},"event_type":"af02","ALARM_TYPE":"0002","tags":["beats_input_codec_plain_applied"],"newTimestamp":"10102019 23:32:28","host":{"name":"vbsfda01dq001"},"ALARM_OWNER":"logstash ","ALARM_SEVERITY":"2","ALARM_COUNT":"1","@timestamp":"2019-10-11T06:32:28.000Z","beat":{"hostname":"vbsfda01dq001","version":"6.4.3","name":"vbsfda01dq001"},"input":{"type":"log"},"ALARM_ID":"9999","ALARM_MESSAGE":"[2019-10-10T23:32:28,541][DEBUG][logstash.outputs.elasticsearch] config LogStash::Outputs::ElasticSearch/@hosts = [//127.0.0.1:9200]\n","time":1.570775548E9}", :headers=>{"Authorization"=>"Splunk a3709e9b-8443-4ac5-932b-47112409702f", "Content-Type"=>"application/json"}, :message=>"Host name '10.8.71.164' does not match the certificate subject provided by the peer (O=SplunkUser, CN=SplunkServerDefaultCert)", :class=>"Manticore::UnknownException", :backtrace=>nil, :will_retry=>false}

But curl -k is working fine:

curl -k https://10.8.71.164:8088/services/collector/raw -H "Authorization: Splunk a3709e9b-8443-4ac5-932b-47112409702f" -d '{"event": "hello world"}'

You are using 'curl -k', which disables certificate verification. The http output is getting a certificate verification error:

"Host name '10.8.71.164' does not match the certificate subject provided by the peer (O=SplunkUser, CN=SplunkServerDefaultCert)"

Use a matching certificate.
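To make the "does not match the certificate subject" error concrete, here is an added example (not from the thread or from Logstash) that applies the hostname-matching rule a strict TLS client such as Logstash's http output enforces and curl -k skips. The two certificates are constructed in the shape Python's `ssl` module uses; the first mirrors the Splunk default cert from the log above, the second shows what a certificate that actually covers the `url` host would need to contain. The host names and SAN values are assumptions for illustration.

```python
import ipaddress

# Constructed cert in the shape returned by ssl.SSLSocket.getpeercert():
# the Splunk self-signed default from the thread, CN only, no SAN extension.
SPLUNK_DEFAULT_CERT = {
    "subject": ((("organizationName", "SplunkUser"),),
                (("commonName", "SplunkServerDefaultCert"),)),
}

# Constructed example of a "matching certificate": its SAN lists both the
# DNS name and the IP literal that could appear in the Logstash url setting.
MATCHING_CERT = {
    "subject": ((("commonName", "splunk.example.org"),),),
    "subjectAltName": (("DNS", "splunk.example.org"),
                       ("IP Address", "10.8.71.164")),
}

def _dns_match(pattern, host):
    """Match a DNS name against a cert name, allowing one leftmost wildcard."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return p[1:] == h[1:]
    return p == h

def cert_matches_host(cert, host):
    """True if `host` (DNS name or IP literal) is covered by `cert`.

    Rule applied by verifying clients (Logstash/Manticore, curl without -k):
    an IP literal only matches an 'IP Address' SAN entry; a DNS name matches
    a DNS SAN, and the subject CN is consulted only when no SAN is present.
    """
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        return any(k == "IP Address" and ipaddress.ip_address(v) == ip
                   for k, v in sans)
    dns_sans = [v for k, v in sans if k == "DNS"]
    if dns_sans:
        return any(_dns_match(v, host) for v in dns_sans)
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn
           if k == "commonName"]
    return any(_dns_match(cn, host) for cn in cns)
```

Run `cert_matches_host(SPLUNK_DEFAULT_CERT, "10.8.71.164")` and it returns False for exactly the reason in the log: neither a SAN nor the CN names that host, so either the HEC needs a certificate issued for the name used in `url`, or `url` must use a name the certificate carries. The subject and SAN of a live HEC certificate can be read with `openssl s_client -connect host:8088 -showcerts` piped into `openssl x509 -noout -subject -ext subjectAltName`.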
