I configured my logstash.conf file properly in terms of URL and Authorization token; however, it's still not sending logs and is giving me an HTTP request failure, like it's not able to communicate. I came to the conclusion that it might've been a certificate issue because when I use

    Invoke-WebRequest -Uri "https://127.0.0.1:8088/services/collector" `
        -Headers @{"Authorization"="Splunk ac09103b-7f2e-4767-940d-c8bfa0a84e12"} `
        -Method Post `
        -Body '{"event": "test event", "sourcetype": "json"}'

in PowerShell, it sends the request and I get this back:

    StatusCode        : 200
    StatusDescription : OK
    Content           : {"text":"Success","code":0}
    RawContent        : HTTP/1.1 200 OK
                        X-Content-Type-Options: nosniff
                        Vary: Authorization
                        Connection: Keep-Alive
                        X-Frame-Options: SAMEORIGIN
                        Content-Length: 27
                        Content-Type: application/json; charset=UTF-8
                        Date: Sun...
    Forms             : {}
    Headers           : {[X-Content-Type-Options, nosniff], [Vary, Authorization], [Connection, Keep-Alive],
                        [X-Frame-Options, SAMEORIGIN]...}
    Images            : {}
    InputFields       : {}
    Links             : {}
    ParsedHtml        : System.__ComObject
    RawContentLength  : 27

BUT only after I used

    [System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }

Because before that I was still getting errors. I don't know how to replicate this in the config file though, since I used ssl_certificate_verification => false and it still doesn't work.

Here's my config:

    input {
      beats {
        port => 5044
      }
    }
    output {
      http {
        url => "https://127.0.0.1:8088/services/collector"
        http_method => "post"
        format => "json"
        headers => {
          "Authorization" => "Splunk ac09103b-7f2e-4767-940d-c8bfa0a84e12"
          ssl => true
          ssl_certificate_verification => false
        }
      }
    }
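
An added example, not part of the original post: the same pipeline with the TLS settings moved out of the `headers` hash, where the posted config places them and where they are read as header entries rather than plugin options. Assumptions: the certificate path and `<HEC_TOKEN>` are placeholders, `cacert` and `ssl_certificate_verification` are the option names used by older logstash-output-http releases (newer ones call them `ssl_certificate_authorities` and `ssl_verification_mode`), and `ssl => true` is dropped on the assumption that the `https://` URL already selects TLS.

```logstash
input {
  beats {
    port => 5044
  }
}

output {
  http {
    url         => "https://127.0.0.1:8088/services/collector"
    http_method => "post"
    format      => "json"

    # Only HTTP header name/value pairs belong inside this hash. Anything
    # else placed here is sent as a header and never reaches the TLS client.
    headers => {
      "Authorization" => "Splunk <HEC_TOKEN>"   # placeholder, not a real token
    }

    # TLS settings are options of the http output itself.
    # Preferred: keep verification on and trust the CA that signed the
    # Splunk certificate. The path is an assumed location for an exported
    # PEM file. The certificate must also list the host used in the URL
    # (here 127.0.0.1) as a subject alternative name, or the hostname
    # check still fails.
    cacert => "C:/logstash/config/certs/splunk-ca.pem"

    # Lab-only alternative, the counterpart of the PowerShell callback in
    # the post: accept any certificate. Use it instead of cacert, not
    # together with it.
    # ssl_certificate_verification => false
  }
}
```

Running Logstash with `--config.test_and_exit` checks that the option names are accepted by the installed plugin version before the pipeline is started.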