Solved: Is there a way to configure HEC to receive both HT...

mettomm · ‎02-22-2022

Hi there all.
I am in a bit of a catch 22. I have a process that cannot send data over HTTPS data because the HEC is using a self-signed certificate and the process I am using will not allow that. However, I cannot send HTTP because the HEC is set for HTTPS input and so is getting rejected by the Splunk HEC.

Is there a way to have the HEC collect BOTH HTTP and HTTPS and set the requirement based on the input?

Thanks

mettomm · ‎02-28-2022

Thanks for the information and the confirmation.

We are looking at a second Heavy Forwarder with HEC set to receive HTTP.

View solution in original post

mettomm · ‎02-28-2022

Thanks for the information and the confirmation.

We are looking at a second Heavy Forwarder with HEC set to receive HTTP.

mettomm · ‎02-22-2022

Thanks.
That was my thoughts as well. However, I know that there are ways to "tweak" inputs in Splunk and was just wanting to make sure that there was no other way to accomplish this.

I will let this question set for a few days and see if there are other thoughts.

Thanks

isoutamo · ‎02-22-2022

At least some LBs (like F5) can listen both http and https and do a redirect to wanted port. That way you can use both on same address before real HEC input and use only one protocol between LB/VIP and HEC-listener(s).

somesoni2 · ‎02-22-2022

Splunk HEC is enabled per instance and it can either be HTTP or HTTPS. Having a separate Heavy Fwd for HTTP and HTTS would help here.

Is there a way to configure HEC to receive both HTTP and HTTPS inputs

HTTP Event Collector

Stay Connected: Your Guide to February Tech Talks, Office Hours, and Webinars!

Preparing your Splunk Environment for OpenSSL3

Incident Response: Reduce Incident Recurrence with Automated Ticket Creation