Logpush
What happens if my cloud storage destination is temporarily unavailable?
Can I adjust how often logs are pushed?
My job was accidentally turned off, and I did not receive my logs for a certain time period. Can they still be pushed to me?
I have reconfigured the job to a new destination, but why am I still receiving the logs at the old destination?
If I add new fields to an existing Logpush job, how long will it take for the change to become effective?
Why am I receiving a validating destination error while setting up a Splunk job?
You could be seeing this error for multiple reasons:
- The Splunk endpoint URL is not correct. Cloudflare only supports Splunk HEC raw endpoint over HTTPS.
- The Splunk authentication token is not correct. Be sure to URL-encode the token. For example, use
%20
for a space. - The certificate for Splunk Server is not properly configured. Certificates generated by Splunk/third-party certificates should have the Common Name field in the certificate match the Splunk server’s domain name. Otherwise, you may see errors like:
x509: certificate is valid for SplunkServerDefaultCert, not <YOUR_INSTANCE>.splunkcloud.com.
What is the insecure-skip-verify parameter in Splunk jobs?
true
, makes an insecure connection to Splunk. Setting this value to true
is equivalent to using the -k
option with curl
as shown in Splunk examples and is not recommended. Cloudflare highly recommends setting this flag to false
when using the insecure-skip-verify
parameter. Why do we have the insecure-skip-verify parameter in Splunk jobs, if it is not recommended?
Certificates generated by Splunk/third-party certificates should have the Common Name field in the certificate match the Splunk server’s domain name. Otherwise you may see errors like: x509: certificate is valid for SplunkServerDefaultCert, not <YOUR_INSTANCE>.splunkcloud.com.
This happens especially with the default certificates generated by Splunk on startup. Pushes will never succeed unless the certificates are fixed.
The proper way to resolve the issue is to fix the certificates. This flag is only here for those rare scenarios when it is not possible to have access or permissions to fix the certificates, like with the Splunk cloud instances, which do not allow changing Splunk server configurations.
How can I verify that my Splunk HEC is working correctly before setting up a job?
Ensure that you can publish events to your Splunk instance through curl
without the -k
flag and with the insecure-skip-verify parameter set to false
, as in the following example:
curl "https://<SPLUNK_ENDPOINT_URL>?channel=<SPLUNK_CHANNEL_ID>&insecure-skip-verify=<INSECURE_SKIP_VERIFY>&sourcetype=<SOURCE_TYPE>" \ -H "Authorization: Splunk <SPLUNK_AUTH_TOKEN>" \ -d '{"BotScore":99,"BotScoreSrc":"Machine Learning","CacheCacheStatus":"miss","CacheResponseBytes":2478}'
{"text":"Success","code":0}
Can I use any HEC network port in the Splunk destination conf?
:443
or :8088
. Does Logpush integrate with the Cloudflare Splunk App?
cloudflare:json
source type, you can use the Cloudflare Splunk App. How can I upgrade my Logpush job from v1 to v2?
Simply updating a Logpush job does not push the job from v1 to v2. To upgrade a job to v2, you must use the API. You will need to use the logstream
parameter and set it to true:
$ curl -sX PUT https://api.cloudflare.com/client/v4/zones/<ZONE_ID>/logpush/jobs/<JOB_ID> \
-H "X-Auth-Email: <EMAIL>" \
-H "X-Auth-Key: <API_KEY>" \
-d '{"logstream":true}'