nxlog output to Splunk Cloud
I have downloaded an eval copy of nxlog EE, and am trying to send Microsoft DNS logs to my Splunk Cloud instance. I've read through various documentation, but am getting an error "ERROR SSL certificate verification failed: self signed certificate in certificate chain (err: 19)", which is confusing me, because I am sending this to Splunk Cloud over HEC, which should have a proper cert chain, so I'm not sure where it's getting a self-signed cert from. Here is what my config file looks like (not the whole thing, just the points of interest):
<Input dns_analytical>
    Module im_etw
    Provider Microsoft-Windows-DNSServer
</Input>
<Output splunk_out>
    Module om_http
    URL https://http-inputs-xxx.splunkcloud.com/services/collector
    AddHeader Authorization: Splunk <auth key from Splunk HEC>
    ...
</Output>
<Route splunk>
    Path dns_analytical => splunk_out
</Route>
I could use on my local on-prem heavy forwarder but I would really like to send directly to Splunk Cloud over HEC, since it will minimize some moving parts.
Hi,
Module om_http should contain the path to the cert; please check this example:
<Output http>
Module om_http
URL https://server:8080/
AddHeader Auth-Token: 4ddf1d3c9
HTTPSCertFile %CERTDIR%/client-cert.pem
HTTPSCertKeyFile %CERTDIR%/client-key.pem
HTTPSCAFile %CERTDIR%/ca.pem
HTTPSAllowUntrusted FALSE
</Output>
Please find more on om_http here: https://nxlog.co/documentation/nxlog-user-guide/om_http.html
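Added example (not from either poster or from NXLog): "err: 19" in the question is OpenSSL's verify error 19, raised when the chain the peer presents ends in a self-signed certificate that the client has not been told to trust. The script below reproduces it with a throwaway CA and shows it clearing once that root is supplied as the CA file, which is the role HTTPSCAFile plays in the config above. All subject names, host names and file paths are constructed for the demo.

```shell
#!/bin/sh
# Added example: reproduce OpenSSL verify error 19 with a throwaway CA.
# Every subject name and file here is constructed for the demo.

# Create a self-signed root CA and a leaf certificate issued by it.
make_demo_pki() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Demo Root CA" \
        -keyout "$dir/root.key" -out "$dir/root.pem" 2>/dev/null || return 1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=hec.example.test" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$dir/leaf.csr" -days 1 \
        -CA "$dir/root.pem" -CAkey "$dir/root.key" -CAcreateserial \
        -out "$dir/leaf.pem" 2>/dev/null || return 1
}

# Verify the leaf as a TLS client would: the peer presents leaf + root
# (-untrusted), but only certificates passed via -CAfile are trust anchors.
# Prints the numeric verify error, or 0 when the chain validates.
verify_code() {
    dir=$1; shift
    if out=$(openssl verify "$@" -untrusted "$dir/root.pem" "$dir/leaf.pem" 2>&1); then
        echo 0
    else
        printf '%s\n' "$out" | sed -n 's/^error \([0-9][0-9]*\) at .*/\1/p' | head -n 1
    fi
}

demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
make_demo_pki "$demo_dir" || { echo "openssl failed" >&2; exit 1; }

# The constructed root is in no system trust store, so this fails with 19.
echo "root not trusted : verify error $(verify_code "$demo_dir")"
# Naming the chain's root as the CA file makes the same chain validate.
echo "root as CA file  : verify error $(verify_code "$demo_dir" -CAfile "$demo_dir/root.pem")"
```

To see which chain the NXLog host actually receives from the HEC endpoint, `openssl s_client -connect <host>:443 -showcerts` prints every certificate the peer sends, including the self-signed one at the top.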