Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Unable to connect Splunk HEC using https

kamal1988
New Member
‎09-20-2019 09:41 PM

Hi
I'm trying to push logs to Splunk using Splunk HTTP appender in Log4j.
If I disable SSL in HTTP event Collector Global Settings, I can push the logs to Splunk successfully whereas if I enable SSL, I cannot see any logs. Is there some configuration missing as part of my log4j ? Please help.

mule:log.splunk.url : http://localhost:8088 --> disabling SSL
mule:log.splunk.url : https://localhost:8088 --> enabling SSL

<SplunkHttp name="splunk" url="${mule:log.splunk.url}" 
                token="${mule:log.splunk.token}" batch_size_count="1" disableCertificateValidation="true" >
             <JSONLayout complete="false" compact="false">
                <KeyValuePair key="timestamp" value="$${date:MM-dd-yyyy}"/>
                <KeyValuePair key="api_name" value="${mule:log.api.name}"/>
                <KeyValuePair key="api_version" value="${mule:log.api.version}"/>
                <KeyValuePair key="api_type" value="${mule:log.api.type}"/>
                <KeyValuePair key="api_domain" value="${sys:domain}"/>
                <KeyValuePair key="api_worker_index" value="${sys:worker.id}"/>
            </JSONLayout> 
        </SplunkHttp>
0 Karma
Reply

thambisetty
SplunkTrust
SplunkTrust
‎09-21-2019 05:50 AM

from Splunk docs inputs.conf

enableSSL = [0|1]
* Whether or not the HTTP Event Collector uses SSL.
* HEC shares SSL settings with the Splunk management server and cannot have
  SSL enabled when the Splunk management server has SSL disabled.
* Default: 1 (enabled).

serverCert = 
* The full path to the server certificate PEM format file.
* The same file may also contain a private key.
* The Splunk software automatically generates certificates when it first
  starts.
* You may replace the auto-generated certificate with your own certificate.
* Default: $SPLUNK_HOME/etc/auth/server.pem.

sslPassword = 
* The server certificate password.
* Initially set to a plain-text password.
* Upon first use, Splunk software encrypts and rewrites the password.
* Default: "password".

you have to configure above under stanza [http://] on the Splunk Enterprise where you have enabled HEC.

No point having Splunk internal certificates as sslPassword is known to all. Try to use 3rd party certificates.

refer below if you have any doubts.

https://answers.splunk.com/answers/462131/securing-http-event-collector.html

————————————
If this helps, give a like below.
0 Karma
Reply
Get Updates on the Splunk Community!

See Splunk Platform & Observability Innovations at Cisco Live EMEA

Hi Splunkers, Learn about what’s next for Splunk Platform at Cisco Live EMEA.  Data silos are a big challenge ...

The OpenTelemetry Certified Associate (OTCA) Exam

What’s this OTCA exam? The Linux Foundation offers the OpenTelemetry Certified Associate (OTCA) credential to ...

From Manual to Agentic: Level Up Your SOC at Cisco Live

Welcome to the Era of the Agentic SOC   Are you tired of being a manual alert responder? The security ...