codrinse
commented
4 hours ago I think this is related with tls verification, which is enabled for https connection. I see TLS certificate options for other output destinations but none for Splunk HEC, how can I trust the cert of the splunk server in this case ?
mosajjal
Hello,
I am trying to configure DNS Monster to forward logs via splunk hec output option. Traffic and token are both alright as the logs arrive in splunk using curl -k https://172.29.10.63:8088/services/collector -H 'Authorization: Splunk token' -d '{"event": "Log message here"}' but when I start the service I get the following error no matter if I configure the endpoint as https://172.29.10.63:8088/services/collector or https://172.29.10.63:8088. Error message is not that suggestive and I don't understand what is wrong.
dnsmonster[16570]: time="2024-11-05T15:52:15+01:00" level=info msg="Filter: ((ip and (ip[9] == 6 or ip[9] == 17)) or (ip6 and (ip6[6] == 17 or ip6[6] == 6 or ip6[6] == 44)))" dnsmonster[16570]: time="2024-11-05T15:52:15+01:00" level=info msg="Waiting for packets" dnsmonster[16570]: time="2024-11-05T15:52:20+01:00" level=warning msg="No more healthy HEC connections left" dnsmonster[16570]: time="2024-11-05T15:52:20+01:00" level=warning msg="Splunk Connection not found" dnsmonster[16570]: time="2024-11-05T15:52:20+01:00" level=warning msg="new splunk endpoint https://172.29.10.63:8088/services/collector" dnsmonster[16570]: time="2024-11-05T15:52:20+01:00" level=warning msg="new splunk connection" dnsmonster[16570]: time="2024-11-05T15:52:21+01:00" level=warning msg="No more healthy HEC connections left" dnsmonster[16570]: time="2024-11-05T15:52:21+01:00" level=warning msg="Splunk Connection not found" dnsmonster[16570]: time="2024-11-05T15:52:22+01:00" level=warning msg="No more healthy HEC connections left" dnsmonster[16570]: time="2024-11-05T15:52:22+01:00" level=warning msg="Splunk Connection not found" dnsmonster[16570]: time="2024-11-05T15:52:23+01:00" level=warning msg="No more healthy HEC connections left" dnsmonster[16570]: time="2024-11-05T15:52:23+01:00" level=warning msg="Splunk Connection not found" dnsmonster[16570]: time="2024-11-05T15:52:24+01:00" level=warning msg="No more healthy HEC connections left" dnsmonster[16570]: time="2024-11-05T15:52:24+01:00" level=warning msg="Splunk Connection not found" dnsmonster[16570]: 2024-11-05T15:52:25+01:00 metrics: {"packetLossPercent":{"value":0},"packetsCaptured":{"value":150},"packetsDropped":{"value":0},"packetsDuplicate":{"count":0},"packetsOverRatio":{"count":0},"splunkFailed":{"count":3547}} dnsmonster[16570]: time="2024-11-05T15:52:25+01:00" level=warning msg="No more healthy HEC connections left" dnsmonster[16570]: time="2024-11-05T15:52:25+01:00" level=warning msg="Splunk Connection not found" dnsmonster[16570]: time="2024-11-05T15:52:25+01:00" level=info msg="ipv4 flushed: 0, closed: 0" dnsmonster[16570]: time="2024-11-05T15:52:25+01:00" level=info msg="ipv6 flushed: 0, closed: 0" dnsmonster[16570]: time="2024-11-05T15:52:25+01:00" level=warning msg="Connection is unhealthy" dnsmonster[16570]: time="2024-11-05T15:52:25+01:00" level=warning msg="new splunk connection" dnsmonster[16570]: time="2024-11-05T15:52:26+01:00" level=warning msg="No more healthy HEC connections left" dnsmonster[16570]: time="2024-11-05T15:52:26+01:00" level=warning msg="Splunk Connection not found"