https://community.splunk.com/t5/Installation/Turning-off-https-for-HEC-What-do-I-need-to-do-to-make-HEC-use/m-p/596318#M11508 <P><BR />Hello.</P> <P>I'm seeing a <STRONG>lot</STRONG> of articles in web searches about turning <STRONG>on</STRONG> https for HEC, but approximately zilch on turning it off.</P> <P>I did find:</P> <DIV><SPAN>Whether the HTTP Event Collector server protocol is HTTP or HTTPS. 1 indicates HTTPS is enabled; 0 indicates HTTP. The default value is 1. HTTP Event Collector shares SSL settings with the Splunk Enterprise instance and can't have&nbsp;</SPAN>enableSSL<SPAN>&nbsp;settings that differ from the settings on the Splunk Enterprise instance.</SPAN></DIV> <P>&nbsp;</P> <P>We need HEC to run without TLS, and can live with the Web UI not having TLS too if that'll help with HEC.</P> <P>But if I toss:</P> <P class="lia-indent-padding-left-30px">[http]<BR />disabled = 0<BR />enableSSL = 0</P> <P>...into /opt/splunk/etc/apps/splunk_httpinput/local/inputs.conf and restart splunk, then HEC continues to demand https, and /opt/splunk/etc/apps/splunk_httpinput/local/inputs.conf is rewritten automatically to:</P> <P class="lia-indent-padding-left-30px">[http]<BR />disabled = 0<BR />enableSSL = 1</P> <P>What do I need to do to make HEC use http, not https?</P> <P><SPAN>(We realize that https is more secure.&nbsp; For our production splunk we'll use https, but for our team's development environments it just makes more sense to use http.&nbsp; I've not discussed why, but I suspect https is proxied somehow)</SPAN></P> <P>&nbsp;Thanks!</P> Wed, 04 May 2022 15:43:23 GMT dstromberg 2022-05-04T15:43:23Z https://community.splunk.com/t5/Installation/Turning-off-https-for-HEC-What-do-I-need-to-do-to-make-HEC-use/m-p/596318#M11508 <P><BR />Hello.</P> <P>I'm seeing a <STRONG>lot</STRONG> of articles in web searches about turning <STRONG>on</STRONG> https for HEC, but approximately zilch on turning it off.</P> <P>I did find:</P> <DIV><SPAN>Whether the HTTP Event Collector server protocol is HTTP or HTTPS. 1 indicates HTTPS is enabled; 0 indicates HTTP. The default value is 1. HTTP Event Collector shares SSL settings with the Splunk Enterprise instance and can't have&nbsp;</SPAN>enableSSL<SPAN>&nbsp;settings that differ from the settings on the Splunk Enterprise instance.</SPAN></DIV> <P>&nbsp;</P> <P>We need HEC to run without TLS, and can live with the Web UI not having TLS too if that'll help with HEC.</P> <P>But if I toss:</P> <P class="lia-indent-padding-left-30px">[http]<BR />disabled = 0<BR />enableSSL = 0</P> <P>...into /opt/splunk/etc/apps/splunk_httpinput/local/inputs.conf and restart splunk, then HEC continues to demand https, and /opt/splunk/etc/apps/splunk_httpinput/local/inputs.conf is rewritten automatically to:</P> <P class="lia-indent-padding-left-30px">[http]<BR />disabled = 0<BR />enableSSL = 1</P> <P>What do I need to do to make HEC use http, not https?</P> <P><SPAN>(We realize that https is more secure.&nbsp; For our production splunk we'll use https, but for our team's development environments it just makes more sense to use http.&nbsp; I've not discussed why, but I suspect https is proxied somehow)</SPAN></P> <P>&nbsp;Thanks!</P> Wed, 04 May 2022 15:43:23 GMT https://community.splunk.com/t5/Installation/Turning-off-https-for-HEC-What-do-I-need-to-do-to-make-HEC-use/m-p/596318#M11508 dstromberg 2022-05-04T15:43:23Z https://community.splunk.com/t5/Installation/Turning-off-https-for-HEC-What-do-I-need-to-do-to-make-HEC-use/m-p/596339#M11509 <P>Hi</P><P>this sounds weird. I just test this with test instance and It works as expected.</P><P>What you will gotten with next command:</P><LI-CODE lang="markup">splunk btool inputs list http --debug</LI-CODE><P>&nbsp;Are you sure that you haven't any additional security scripts/procedures which switch this setting on boot or some regular interval? How you have changed this setting (via GUI or editing file)?</P><P>r. Ismo</P> Wed, 04 May 2022 06:41:48 GMT https://community.splunk.com/t5/Installation/Turning-off-https-for-HEC-What-do-I-need-to-do-to-make-HEC-use/m-p/596339#M11509 isoutamo 2022-05-04T06:41:48Z https://community.splunk.com/t5/Installation/Turning-off-https-for-HEC-What-do-I-need-to-do-to-make-HEC-use/m-p/596360#M11510 <P>Are you sure your settings aren't being overwritten by centrally pushed config? If this is a HF or standalone indexer, check your deployment servet, if this is a clustered indexer, check the master node.</P> Wed, 04 May 2022 10:50:03 GMT https://community.splunk.com/t5/Installation/Turning-off-https-for-HEC-What-do-I-need-to-do-to-make-HEC-use/m-p/596360#M11510 PickleRick 2022-05-04T10:50:03Z https://community.splunk.com/t5/Installation/Turning-off-https-for-HEC-What-do-I-need-to-do-to-make-HEC-use/m-p/596396#M11512 <P>I'm not familiar with the terminology "heavy forwarder" and "standalone indexer", and found the latter difficult to google for a definition of.</P><P>But what I have is a single Splunk running inside a docker container started using docker-compose like so:</P><P>splunk:</P><P class="lia-indent-padding-left-30px">image: ${SPLUNK_IMAGE:-splunk/splunk:latest}<BR />container_name: splunk<BR />hostname: splunk<BR />environment:</P><P class="lia-indent-padding-left-60px">- SPLUNK_START_ARGS=--accept-license<BR />- SPLUNK_HEC_TOKEN=really-long-token-thingie<BR /># the password for the "admin" user<BR />- SPLUNK_PASSWORD=splunk-password-goes-here</P><P class="lia-indent-padding-left-30px">ports:</P><P class="lia-indent-padding-left-60px">- 8000:8000</P><P class="lia-indent-padding-left-30px">volumes:</P><P class="lia-indent-padding-left-60px">- ./splunk-files/etc/splunk-launch.conf:/opt/splunk/etc/splunk-launch.conf<BR />- ./splunk-files/etc-system-local/indexes.conf:/opt/splunk/etc/system/local/indexes.conf<BR />- ./splunk-files/opt-splunk-etc-apps-splunk_httpinput-local/:/opt/splunk/etc/apps/splunk_httpinput/local/<BR />- ./splunk-files/paths:/paths</P><P>&nbsp;</P> Wed, 04 May 2022 15:42:25 GMT https://community.splunk.com/t5/Installation/Turning-off-https-for-HEC-What-do-I-need-to-do-to-make-HEC-use/m-p/596396#M11512 dstromberg 2022-05-04T15:42:25Z https://community.splunk.com/t5/Installation/Turning-off-https-for-HEC-What-do-I-need-to-do-to-make-HEC-use/m-p/596398#M11513 <P>&nbsp;</P><P>So a simple "docker stop &lt;container&gt;" followed by a simple "docker start &lt;samecontainer&gt;" does not show the problem.</P><P>It turns out there's something in a wrapper script someone else in my team wrote, that's doing this.&nbsp; Or maybe docker-compose is.</P><P>Thanks!</P><P>&nbsp;</P> Wed, 04 May 2022 16:01:31 GMT https://community.splunk.com/t5/Installation/Turning-off-https-for-HEC-What-do-I-need-to-do-to-make-HEC-use/m-p/596398#M11513 dstromberg 2022-05-04T16:01:31Z https://community.splunk.com/t5/Installation/Turning-off-https-for-HEC-What-do-I-need-to-do-to-make-HEC-use/m-p/596412#M11514 <P>As you are using docker with some centralized configurations probably explain this. If I understood correctly this is happening when you are launching a new environment (or have refreshed configurations) e.g. from git? But when you have changed that setting on local docker instance and restart it, everything is working. I suppose that your configuration store has that https (for production) set on and it then updates your configuration before you are launching docker instance.</P><P>&nbsp;I think that the easiest way to fix this is add a new developer release of those configurations and use those for dev docker environments.</P><P>r. Ismo</P> Wed, 04 May 2022 18:42:53 GMT https://community.splunk.com/t5/Installation/Turning-off-https-for-HEC-What-do-I-need-to-do-to-make-HEC-use/m-p/596412#M11514 isoutamo 2022-05-04T18:42:53Z https://community.splunk.com/t5/Installation/Turning-off-https-for-HEC-What-do-I-need-to-do-to-make-HEC-use/m-p/596974#M11537 <P>&nbsp;</P><P>Using a default.yml got me past this hurdle.</P><P>Thanks folks.</P><P>&nbsp;</P> Mon, 09 May 2022 14:00:17 GMT https://community.splunk.com/t5/Installation/Turning-off-https-for-HEC-What-do-I-need-to-do-to-make-HEC-use/m-p/596974#M11537 dstromberg 2022-05-09T14:00:17Z