
Splunk input plugin token validation is case-sensitive, the Splunk HEC is not. It should be consistent #9517

Open
lecaros opened this issue Oct 23, 2024 · 0 comments · May be fixed by #9518
lecaros commented Oct 23, 2024

Bug Report

Splunk input plugin token validation is case-sensitive, the Splunk HEC is not. It should be consistent.

To Reproduce

  • Steps to reproduce the problem:

Issue reproduction

  • Run the Splunk container with the following command:

```
docker run -d --rm -p 8088:8088 -e "SPLUNK_START_ARGS=--accept-license" -e "SPLUNK_PASSWORD=whatever" -e "SPLUNK_HEC_TOKEN=ftooken" --name splunk splunk/splunk:latest
```

  • Run the Fluent Bit output plugin with the following config:

pipeline.yml

```yaml
service:
  http_server: on
pipeline:
  inputs:
    - name: dummy
      dummy: '{"message": "a message"}'
  outputs:
    - name: splunk
      alias: splunk_pccs_standard
      tls: on
      tls.verify: off
      host: <YOUR_SPLUNK_IP>
      port: 8088
      splunk_token: ftooken
      match: '*'
```

The output will have no issues and will send the logs to the Splunk container.

Now change the token in the pipeline.yml to Ftooken (changed the first letter to uppercase) and restart the Fluent Bit output plugin.

The output is just the same, no issues.

Stop the Splunk container and start Fluent Bit with the following configuration:

fluent-bit.yml

```yaml
service:
  log_level: debug
pipeline:
  inputs:
    - name: splunk
      splunk_token: 'ftooken'
      port: 8088
  outputs:
    - name: stdout
      match: '*'
```

Now disable TLS in the output plugin, revert the change to the token, and restart the Fluent Bit output plugin.

The output on the Fluent Bit input side will display the received records.

Now change the token in the pipeline.yml to Ftooken as we did before.

The output on the Fluent Bit output side will display the following error:

```
[2024/10/23 19:01:27] [ warn] [output:splunk:splunk_pccs_standard] http_status=401:
error: unauthorized
```

The input plugin will display this error:

```
[2024/10/23 19:01:27] [ warn] [input:splunk:splunk.0] wrong credentials in request headers
```

Expected behavior

The Splunk input plugin should behave like the Splunk HEC.

Your Environment

  • Version used: 3.1.9

  • Configuration: in the steps to reproduce.

  • Filters and plugins: in_splunk
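
The mismatch reported above comes down to how the token in the `Authorization: Splunk <token>` request header is compared with the configured `splunk_token`. The following C is an added example, not Fluent Bit's code and not the change in #9518; `hec_auth_matches` and its helpers are hypothetical names, and it assumes tokens should compare ASCII case-insensitively, as the issue reports for the Splunk HEC.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* ASCII-only fold: locale-independent, unlike tolower(). */
static unsigned char ascii_lower(unsigned char c)
{
    return (c >= 'A' && c <= 'Z') ? (unsigned char)(c + 32) : c;
}

/* Returns 1 if the two byte strings are equal ignoring ASCII case.
 * All bytes are visited and differences OR-ed together, so the loop
 * does not exit early at the first mismatching position. */
static int equal_nocase(const char *a, size_t alen, const char *b, size_t blen)
{
    unsigned int diff = 0;
    size_t i;
    if (alen != blen) return 0;
    for (i = 0; i < alen; i++) {
        diff |= (unsigned int)(ascii_lower((unsigned char)a[i]) ^
                               ascii_lower((unsigned char)b[i]));
    }
    return diff == 0;
}

/* Hypothetical helper: check an Authorization header value of the form
 * "Splunk <token>" against the configured splunk_token. */
int hec_auth_matches(const char *header_value, const char *configured_token)
{
    static const char scheme[] = "Splunk ";
    const size_t slen = sizeof(scheme) - 1;
    size_t tlen;
    if (header_value == NULL || configured_token == NULL ||
        strlen(header_value) <= slen ||
        !equal_nocase(header_value, slen, scheme, slen)) {
        return 0;   /* missing header, wrong scheme, or empty token */
    }
    tlen = strlen(header_value + slen);
    return equal_nocase(header_value + slen, tlen,
                        configured_token, strlen(configured_token));
}

int main(void)
{
    /* Constructed inputs using the two token spellings from the report. */
    printf("ftooken: %d\n", hec_auth_matches("Splunk ftooken", "ftooken"));
    printf("Ftooken: %d\n", hec_auth_matches("Splunk Ftooken", "ftooken"));
    return 0;
}
```

Only the letter case of ASCII characters is folded; a token that differs in length or in any other byte is still rejected.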
