Hello.
I'm seeing a lot of articles in web searches about turning on https for HEC, but approximately zilch on turning it off.
I did find:
We need HEC to run without TLS, and can live with the Web UI not having TLS too if that'll help with HEC.
But if I toss:
[http]
disabled = 0
enableSSL = 0
...into /opt/splunk/etc/apps/splunk_httpinput/local/inputs.conf and restart splunk, then HEC continues to demand https, and /opt/splunk/etc/apps/splunk_httpinput/local/inputs.conf is rewritten automatically to:
[http]
disabled = 0
enableSSL = 1
What do I need to do to make HEC use http, not https?
(We realize that https is more secure. For our production splunk we'll use https, but for our team's development environments it just makes more sense to use http. I've not discussed why, but I suspect https is proxied somehow)
Thanks!
So a simple "docker stop <container>" followed by a simple "docker start <samecontainer>" does not show the problem.
It turns out there's something in a wrapper script someone else in my team wrote, that's doing this. Or maybe docker-compose is.
Thanks!
Are you sure your settings aren't being overwritten by centrally pushed config? If this is an HF or standalone indexer, check your deployment server; if this is a clustered indexer, check the master node.
I'm not familiar with the terminology "heavy forwarder" and "standalone indexer", and found the latter difficult to google for a definition of.
But what I have is a single Splunk running inside a docker container started using docker-compose like so:
splunk:
  image: ${SPLUNK_IMAGE:-splunk/splunk:latest}
  container_name: splunk
  hostname: splunk
  environment:
    - SPLUNK_START_ARGS=--accept-license
    - SPLUNK_HEC_TOKEN=really-long-token-thingie
    # the password for the "admin" user
    - SPLUNK_PASSWORD=splunk-password-goes-here
  ports:
    - 8000:8000
  volumes:
    - ./splunk-files/etc/splunk-launch.conf:/opt/splunk/etc/splunk-launch.conf
    - ./splunk-files/etc-system-local/indexes.conf:/opt/splunk/etc/system/local/indexes.conf
    - ./splunk-files/opt-splunk-etc-apps-splunk_httpinput-local/:/opt/splunk/etc/apps/splunk_httpinput/local/
    - ./splunk-files/paths:/paths
As you are using docker with some centralized configurations, that probably explains this. If I understood correctly, this is happening when you are launching a new environment (or have refreshed configurations), e.g. from git? But when you have changed that setting on the local docker instance and restarted it, everything is working. I suppose that your configuration store has that https (for production) set on and it then updates your configuration before you are launching the docker instance.
I think that the easiest way to fix this is to add a new developer release of those configurations and use those for dev docker environments.
r. Ismo
Hi
This sounds weird. I just tested this with a test instance and it works as expected.
What do you get with the following command:
splunk btool inputs list http --debug
Are you sure that you don't have any additional security scripts/procedures which switch this setting on boot or at some regular interval? How have you changed this setting (via the GUI or by editing the file)?
r. Ismo
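The btool --debug output suggested above prefixes every merged line with the path of the file that supplied it, which is what tells you whether enableSSL is coming from the local file you edited or from somewhere else (a pushed app, a script, a container init layer). The following parser is an added example written for this thread, not Splunk's own code; the btool output it reads is constructed to mimic that format, and the "TLS on when enableSSL is unset" rule reflects Splunk's documented default for the [http] stanza.

```python
"""Find which file decides whether HEC demands TLS, from the output of
`splunk btool inputs list http --debug`.

Added example for this thread, not Splunk's own code. btool --debug prints
each effective setting prefixed with the path of the file that contributed
it; the sample below is constructed to look like that output.
"""
import re
from dataclasses import dataclass

# Constructed sample: a local inputs.conf overriding the app default,
# with enableSSL still forced to 1 by the local file.
SAMPLE_BTOOL_DEBUG = """\
/opt/splunk/etc/apps/splunk_httpinput/default/inputs.conf [http]
/opt/splunk/etc/apps/splunk_httpinput/default/inputs.conf disabled = 1
/opt/splunk/etc/apps/splunk_httpinput/local/inputs.conf   disabled = 0
/opt/splunk/etc/apps/splunk_httpinput/local/inputs.conf   enableSSL = 1
/opt/splunk/etc/apps/splunk_httpinput/default/inputs.conf port = 8088
"""

_LINE_RE = re.compile(r"^(?P<path>\S+)\s+(?P<body>.*)$")
_STANZA_RE = re.compile(r"^\[(?P<name>[^\]]+)\]$")
_KV_RE = re.compile(r"^(?P<key>[^=\s]+)\s*=\s*(?P<value>.*)$")


@dataclass(frozen=True)
class Setting:
    stanza: str
    key: str
    value: str
    source: str  # file that supplied the effective value


def parse_btool_debug(text):
    """Return {(stanza, key): Setting} for the merged (effective) settings.

    Later lines for the same key overwrite earlier ones, matching the
    precedence order btool has already applied when it prints them.
    """
    settings = {}
    stanza = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _LINE_RE.match(line)
        if not m:
            continue
        path, body = m.group("path"), m.group("body").strip()
        sm = _STANZA_RE.match(body)
        if sm:
            stanza = sm.group("name")
            continue
        kv = _KV_RE.match(body)
        if kv and stanza is not None:
            key, value = kv.group("key"), kv.group("value").strip()
            settings[(stanza, key)] = Setting(stanza, key, value, path)
    return settings


def hec_tls_status(text):
    """Report whether HEC demands TLS and which file made that decision.

    Splunk documents enableSSL as true when unset, so an absent key is
    reported as TLS on, sourced from the default.
    """
    s = parse_btool_debug(text).get(("http", "enableSSL"))
    if s is None:
        return {"tls": True, "source": "default (key not set)"}
    return {"tls": s.value.lower() in ("1", "true"), "source": s.source}


def source_is_unexpected(source, managed_prefixes):
    """True when the deciding file lives outside the paths you manage,
    i.e. something else (pushed config, a script) is supplying the value."""
    return not any(source.startswith(p) for p in managed_prefixes)


if __name__ == "__main__":
    status = hec_tls_status(SAMPLE_BTOOL_DEBUG)
    print(f"HEC TLS enabled: {status['tls']}, decided by: {status['source']}")
    managed = ["/opt/splunk/etc/apps/splunk_httpinput/local/"]
    if source_is_unexpected(status["source"], managed):
        print("enableSSL is being set from a file you do not manage")
```

Run it against the real output by piping `splunk btool inputs list http --debug` into a file and passing that text to `hec_tls_status`; if the source path is not the local inputs.conf you mounted, the value is being layered in from elsewhere and that is the file (or the process writing it) to look at.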
Using a default.yml got me past this hurdle.
Thanks folks.