
httpeventcollector doesn't seem to work when hitting 8081[2,3] (index slaves) #3

Open
andycmaj opened this issue Oct 11, 2016 · 3 comments

@andycmaj

turned off ssl and tried to submit an http collector event via curl from inside a cluster-slave docker container:

$ curl -vS http://127.0.0.1:8088/services/collector -H "Authorization: Splunk EF211A51-D6AC-4045-8CD6-F730939AC518" -d '{"event": "hello world"}'
* Hostname was NOT found in DNS cache
*   Trying 127.0.0.1...
* Connected to 127.0.0.1 (127.0.0.1) port 8088 (#0)
> POST /services/collector HTTP/1.1
> User-Agent: curl/7.38.0
> Host: 127.0.0.1:8088
> Accept: */*
> Authorization: Splunk EF211A51-D6AC-4045-8CD6-F730939AC518
> Content-Length: 24
> Content-Type: application/x-www-form-urlencoded
>
* upload completely sent off: 24 out of 24 bytes
* Recv failure: Connection reset by peer
* Closing connection 0
curl: (56) Recv failure: Connection reset by peer
$ curl -kvS https://127.0.0.1:8088/services/collector -H "Authorization: Splunk EF211A51-D6AC-4045-8CD6-F730939AC518" -d '{"event": "hello world"}'
* Hostname was NOT found in DNS cache
*   Trying 127.0.0.1...
* Connected to 127.0.0.1 (127.0.0.1) port 8088 (#0)
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / AES256-GCM-SHA384
* Server certificate:
*    subject: CN=SplunkServerDefaultCert; O=SplunkUser
*    start date: 2016-10-11 01:54:32 GMT
*    expire date: 2019-10-11 01:54:32 GMT
*    issuer: C=US; ST=CA; L=San Francisco; O=Splunk; CN=SplunkCommonCA; [email protected]
*    SSL certificate verify result: self signed certificate in certificate chain (19), continuing anyway.
> POST /services/collector HTTP/1.1
> User-Agent: curl/7.38.0
> Host: 127.0.0.1:8088
> Accept: */*
> Authorization: Splunk EF211A51-D6AC-4045-8CD6-F730939AC518
> Content-Length: 24
> Content-Type: application/x-www-form-urlencoded
>
* upload completely sent off: 24 out of 24 bytes
< HTTP/1.1 403 Forbidden
< Date: Tue, 11 Oct 2016 02:02:52 GMT
< Content-Type: application/json; charset=UTF-8
< X-Content-Type-Options: nosniff
< Content-Length: 33
< Vary: Authorization
< Connection: Keep-Alive
< X-Frame-Options: SAMEORIGIN
* Server Splunkd is not blacklisted
< Server: Splunkd
<
* Connection #0 to host 127.0.0.1 left intact
{"text":"Invalid token","code":4}

my cluster master config changes:

diff --git a/examples/docker/cluster-master.env_file b/examples/docker/cluster-master.env_file
index 17a7600..1017cfd 100644
--- a/examples/docker/cluster-master.env_file
+++ b/examples/docker/cluster-master.env_file
@@ -3,12 +3,6 @@ SPLUNK_BEFORE_START_CMD_1=version $SPLUNK_START_ARGS
 SPLUNK_BEFORE_START_CMD_2=cmd python /opt/splunk/bin/splunk_setup.py --configure
 SPLUNK_ADD_1=role service_discovery_role -auth admin:changeme
 SPLUNK_ADD_2=user service_discovery_user -password service_discovery_password -role service_discovery_role -auth admin:changeme
-SPLUNK_CMD_1=cmd python /opt/splunk/bin/splunk_setup.py --wait-splunk 'https://shc-member-01:8089' '(shc_member|shc_captain)'
-SPLUNK_CMD_2=cmd python /opt/splunk/bin/splunk_setup.py --wait-splunk 'https://shc-member-02:8089' '(shc_member|shc_captain)'
-SPLUNK_CMD_3=cmd python /opt/splunk/bin/splunk_setup.py --wait-splunk 'https://shc-member-03:8089' '(shc_member|shc_captain)'
-SPLUNK_CMD_4=add search-server shc-member-01:8089 -remoteUsername admin -remotePassword changed -auth admin:changeme
-SPLUNK_CMD_5=add search-server shc-member-02:8089 -remoteUsername admin -remotePassword changed -auth admin:changeme
-SPLUNK_CMD_6=add search-server shc-member-03:8089 -remoteUsername admin -remotePassword changed -auth admin:changeme
 SPLUNK_CMD_7=status
 SPLUNK_HEALTHCHECK_SPLUNKD=https://127.0.0.1:8089
 SPLUNK_HEALTHCHECK_SPLUNKWEB=http://127.0.0.1:8000
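Review bot: With SPLUNK_CMD_1 through SPLUNK_CMD_6 removed, SPLUNK_CMD_7=status is left as the only numbered command and the sequence now starts at 7. If the entrypoint walks SPLUNK_CMD_n upward from 1 and stops at the first gap, status will no longer run; renumber it to SPLUNK_CMD_1 or confirm that gaps are tolerated. The search-head-cluster removals in this hunk are also unrelated to the HEC problem being reported, so they are better left out of the reproduction.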
@@ -33,9 +27,6 @@ CONF__server__clustering__replication_factor=3
 CONF__server__clustering__search_factor=2
 CONF__server__deployment__pass4SymmKey=deployment-changeme
 CONF__server__indexer_discovery__pass4SymmKey=indexdiscovery-changeme
-CONF__server__shclustering__id=776D2949-B2DA-405E-96B3-B6688C87AB7D
-CONF__server__shclustering__pass4SymmKey=shclustering-changeme
-CONF__server__shclustering__shcluster_label=shcluster
 CONF__serverclass__global__crossServerChecksum=true
 CONF__serverclass__serverClass:data-collector-hec:app:splunk_httpinput__restartIfNeeded=true
 CONF__serverclass__serverClass:data-collector-hec__whitelist.0=data-collector-hec
@@ -51,11 +42,10 @@ CONF__etc/deployment-apps/splunk_httpinput__inputs__http__dedicatedIoThreads=2
 CONF__etc/deployment-apps/splunk_httpinput__inputs__http__maxThreads=0
 CONF__etc/deployment-apps/splunk_httpinput__inputs__http__allowSslRenegotiation=true
 CONF__etc/deployment-apps/splunk_httpinput__inputs__http__disabled=false
-CONF__etc/deployment-apps/splunk_httpinput__inputs__http__useDeploymentServer=false
+CONF__etc/deployment-apps/splunk_httpinput__inputs__http__useDeploymentServer=true
 CONF__etc/deployment-apps/splunk_httpinput__inputs__http__port=8088
 CONF__etc/deployment-apps/splunk_httpinput__inputs__http__allowSslCompression=true
 CONF__etc/deployment-apps/splunk_httpinput__inputs__http__sslVersions=*,-ssl2
-CONF__etc/deployment-apps/splunk_httpinput__inputs__http__enableSSL=true
+CONF__etc/deployment-apps/splunk_httpinput__inputs__http__enableSSL=false
 CONF__etc/deployment-apps/splunk_httpinput__inputs__http__maxSockets=0
 CONF__etc/deployment-apps/splunk_httpinput__inputs__http://default__token=EF211A51-D6AC-4045-8CD6-F730939AC518
-CONF__etc/deployment-apps/splunk_httpinput__inputs__http://default__disabled=False
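Review bot: Setting enableSSL=false on the http stanza means the HEC token in the "Authorization: Splunk ..." header travels in cleartext, and the trace above shows the plain-HTTP request being reset while the HTTPS one completes a TLS handshake, so the setting had not reached the slave in any case. Keep enableSSL=true and test with curl -k instead. The last line of the hunk also drops the explicit http://default__disabled=False without explanation; keep it, or state that the default is being relied on, since the error being reported is "Invalid token". The useDeploymentServer=true change is the one the owner advises against for deployment-apps in the reply below.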

by the way, this change:

-CONF__etc/deployment-apps/splunk_httpinput__inputs__http__useDeploymentServer=false
+CONF__etc/deployment-apps/splunk_httpinput__inputs__http__useDeploymentServer=true

was needed to get the httpinput config to actually propagate to the cluster slaves

@outcoldman
Owner

@andycmaj You should not use useDeploymentServer=true in deployment-apps as this is what will be deployed on Indexers, and you don't need this behavior on indexers.

Just try to deploy everything for the first time. Go to the cluster master, to the forwarders management page, and wait until all indexes are listed in deployment clients. You can also see when they download the bundles.

I have not tested HEC for a while, but I believe I have not changed anything which could break it.

@andycmaj
Author

will try

@andycmaj
Author

i ended up having to actually add the input and token to the slave CONF. didn't seem to propagate via deployment-apps
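
As an added example (not part of the thread and not the project's own code), this Python script lints CONF__ env-file lines for the HEC settings discussed in this issue: SSL turned off, useDeploymentServer=true inside deployment-apps, and missing or disabled tokens. It assumes the key layout CONF__[<app path>__]<conf file>__<stanza>__<key>, inferred from the lines quoted above; SAMPLE_ENV and its all-zero token are constructed.

```python
# Added example: lint HEC-related settings in CONF__ env-file lines.
# Assumption: keys look like CONF__[<app path>__]<conf>__<stanza>__<key>,
# inferred from the lines quoted in this issue; not the project's parser.
# Constructed sample; the token is a placeholder.
SAMPLE_ENV = """\
CONF__etc/deployment-apps/splunk_httpinput__inputs__http__disabled=false
CONF__etc/deployment-apps/splunk_httpinput__inputs__http__useDeploymentServer=true
CONF__etc/deployment-apps/splunk_httpinput__inputs__http__port=8088
CONF__etc/deployment-apps/splunk_httpinput__inputs__http__enableSSL=false
CONF__etc/deployment-apps/splunk_httpinput__inputs__http://default__token=00000000-0000-0000-0000-000000000000
"""

TRUE, FALSE = ("true", "1"), ("false", "0")

def parse_conf_lines(text):
    """Return {(path, conf, stanza): {key: value}} for CONF__ lines."""
    stanzas = {}
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("CONF__") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        parts = name[len("CONF__"):].split("__")
        if len(parts) == 3:           # conf__stanza__key, no app path
            parts = [""] + parts
        if len(parts) != 4:
            continue                  # layout this example does not handle
        path, conf, stanza, key = parts
        stanzas.setdefault((path, conf, stanza), {})[key] = value
    return stanzas

def audit_hec(text):
    """Return human-readable findings for inputs.conf HEC stanzas."""
    findings = []
    for (path, conf, stanza), kv in parse_conf_lines(text).items():
        if conf != "inputs":
            continue
        where = f"{path or '<default>'} [{stanza}]"
        if stanza == "http":
            if kv.get("enableSSL", "").lower() in FALSE:
                findings.append(f"{where}: enableSSL off, token sent in cleartext")
            if "deployment-apps" in path and kv.get("useDeploymentServer", "").lower() in TRUE:
                findings.append(f"{where}: useDeploymentServer=true in a deployed app")
        elif stanza.startswith("http://"):
            if not kv.get("token"):
                findings.append(f"{where}: token stanza has no token")
            if kv.get("disabled", "").lower() in TRUE:
                findings.append(f"{where}: token is disabled")
    return findings
```

Calling audit_hec(SAMPLE_ENV) returns two findings, one for enableSSL and one for useDeploymentServer.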
