To set up HEC, we first use the GUI in Splunk under Data Inputs, but we’ll need to get into the command line config files before we’re all done. Customers running Splunk Cloud will need to run an on-prem heavy forwarder that communicates up to Splunk Cloud in order to do this, because you don’t have access to do the Node.js shenanigans I’m going to lay down below. Or, you could do something clever using name resolution, where you point the URL you ultimately use for HEC temporarily to a different host for the verification step, and then point that same URL to the “real” HEC endpoint. A good primer for the steps needed to receive webhooks with HEC is within Luke Netto’s blog post here and this Splunk Answers post. The magic configuration step is to set “allowQueryStringAuth=true.”

First, we create a new token under the Data Inputs section of Splunk Settings:

We give it a reasonable sourcetype (I chose okta:eventhook:hec) and tell it what Splunk index to put the data into. You also get a token value that’s going to be important later when we set up the Event Hook on the Okta side, so copy it somewhere. Then we go to Global Settings where we can enable the input. WARNING: enabling this too early will mean that HEC will start listening on the port (I chose 8001, and you also need SSL) and then you won’t be able to start your temporary Node.js webserver later on. So just enable it for testing, and then shut it down.

You can test this out and then ensure that HEC is listening on your port in two ways. First, you can do a simple netstat command on the Splunk server running HEC:

You can also use curl to send a test event to HEC:

And then search for that event in Splunk:

At this point, you know that your HEC is working, so go back into Global Settings and disable HEC for the time being, and make sure it isn’t listening via the netstat command above. Now, we have to get a Node.js webserver running to complete the Okta one-time-verification step.

First, get your Node.js environment working. My Splunk server is Ubuntu 18.04, so I followed this tutorial to make sure it was installed, and that the npm package manager was working as well. Next, we need to generate some actual legitimate certificates from a bona-fide CA so that both our HEC endpoint and our Node.js temporary webserver look reasonable to Okta’s Event Hook service. If you don’t have certificates signed by a proper CA, you’ll get OpenSSL errors when you go to verify. I didn’t have any, so I used LetsEncrypt to make some. And because I used the “express” Node.js webserver, the tutorial I used to create LetsEncrypt certificates on Ubuntu using Certbot for Express is here.
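The one-time verification handshake that the temporary Node.js webserver has to complete, as an added example rather than the post's own Express code: it uses Node's built-in https module so nothing needs installing, and the certificate paths and port are assumptions (8001 is the port the post chose for HEC).

```javascript
// Added example (not the post's Express server). Okta verifies a new Event Hook with
// a single GET carrying the header x-okta-verification-challenge; the endpoint must
// answer with JSON {"verification": "<that value>"}. The response is built by a
// pure function so the logic can be checked without opening a socket.

// Returns the HTTP status and JSON body for an incoming method + header map.
// Node presents incoming header names in lower case.
function buildVerificationResponse(method, headers) {
  if (method !== "GET") {
    // Real events arrive as POSTs to HEC later; this server exists only for the handshake.
    return { status: 405, body: { error: "only the verification GET is served" } };
  }
  const challenge = headers["x-okta-verification-challenge"];
  if (typeof challenge !== "string" || challenge.length === 0) {
    return { status: 400, body: { error: "missing x-okta-verification-challenge" } };
  }
  return { status: 200, body: { verification: challenge } };
}

// Wires the pure function to Node's https module. keyPath/certPath are assumptions:
// point them at the Let's Encrypt files Certbot issued for the host name in the hook URL.
// Port 8001 matches the post's HEC port; stop this server before enabling HEC.
function startVerificationServer(port, keyPath, certPath) {
  const https = require("https"); // loaded here so the pure logic needs no TLS setup
  const fs = require("fs");
  const opts = { key: fs.readFileSync(keyPath), cert: fs.readFileSync(certPath) };
  const server = https.createServer(opts, (req, res) => {
    const { status, body } = buildVerificationResponse(req.method, req.headers);
    // Log every hit: you should see exactly one verification GET from Okta.
    console.log(`${new Date().toISOString()} ${req.method} ${req.url} -> ${status}`);
    res.writeHead(status, { "Content-Type": "application/json" });
    res.end(JSON.stringify(body));
  });
  server.listen(port, () => console.log(`verification endpoint listening on ${port}`));
  return server;
}

// Example invocation (paths are placeholders for your own Certbot output):
// startVerificationServer(8001, "/etc/letsencrypt/live/HOOK_HOST/privkey.pem",
//                         "/etc/letsencrypt/live/HOOK_HOST/fullchain.pem");
```

Once Okta reports the hook as verified, stop this server so the port is free for HEC, then enable HEC again in Global Settings.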