Turning _off_ https for HEC: What do I need to do to make HEC use http, not https?

dstromberg
Path Finder

Hello.

I'm seeing a lot of articles in web searches about turning on https for HEC, but approximately zilch on turning it off.

I did find:

Whether the HTTP Event Collector server protocol is HTTP or HTTPS. 1 indicates HTTPS is enabled; 0 indicates HTTP. The default value is 1. HTTP Event Collector shares SSL settings with the Splunk Enterprise instance and can't have enableSSL settings that differ from the settings on the Splunk Enterprise instance.

 

We need HEC to run without TLS, and can live with the Web UI not having TLS too if that'll help with HEC.

But if I toss:

[http]
disabled = 0
enableSSL = 0

...into /opt/splunk/etc/apps/splunk_httpinput/local/inputs.conf and restart splunk, then HEC continues to demand https, and /opt/splunk/etc/apps/splunk_httpinput/local/inputs.conf is rewritten automatically to:

[http]
disabled = 0
enableSSL = 1

What do I need to do to make HEC use http, not https?

(We realize that https is more secure. For our production splunk we'll use https, but for our team's development environments it just makes more sense to use http. I've not discussed why, but I suspect https is proxied somehow.)

Thanks!


PickleRick
SplunkTrust

Are you sure your settings aren't being overwritten by centrally pushed config? If this is a HF or standalone indexer, check your deployment server; if this is a clustered indexer, check the master node.


dstromberg
Path Finder

I'm not familiar with the terminology "heavy forwarder" and "standalone indexer", and found the latter difficult to google for a definition of.

But what I have is a single Splunk running inside a docker container started using docker-compose like so:

splunk:
  image: ${SPLUNK_IMAGE:-splunk/splunk:latest}
  container_name: splunk
  hostname: splunk
  environment:
    - SPLUNK_START_ARGS=--accept-license
    - SPLUNK_HEC_TOKEN=really-long-token-thingie
    # the password for the "admin" user
    - SPLUNK_PASSWORD=splunk-password-goes-here
  ports:
    - 8000:8000
  volumes:
    - ./splunk-files/etc/splunk-launch.conf:/opt/splunk/etc/splunk-launch.conf
    - ./splunk-files/etc-system-local/indexes.conf:/opt/splunk/etc/system/local/indexes.conf
    - ./splunk-files/opt-splunk-etc-apps-splunk_httpinput-local/:/opt/splunk/etc/apps/splunk_httpinput/local/
    - ./splunk-files/paths:/paths


isoutamo
SplunkTrust

As you are using docker with some centralized configurations, that probably explains this. If I understood correctly, this is happening when you are launching a new environment (or have refreshed configurations), e.g. from git? But when you have changed that setting on a local docker instance and restarted it, everything is working. I suppose that your configuration store has that https (for production) set on, and it then updates your configuration before you launch the docker instance.

I think that the easiest way to fix this is to add a new developer release of those configurations and use those for dev docker environments.

r. Ismo


isoutamo
SplunkTrust

Hi

This sounds weird. I just tested this with a test instance and it works as expected.

What do you get with the next command:

splunk btool inputs list http --debug

Are you sure that you don't have any additional security scripts/procedures which switch this setting on boot or at some regular interval? How have you changed this setting (via GUI or by editing the file)?

r. Ismo

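A small shell helper, added here as an example (it is not from the thread and not a Splunk tool), for the btool step above: it reads the output of `splunk btool inputs list http --debug` and reports which layered file supplies the effective value of a key in the [http] stanza, so a rewrite by a pushed bundle, another app or a wrapper script is visible. The btool lines below are constructed, and the "file, then stanza header or key = value" line layout is an assumption about the --debug format.

```shell
#!/bin/sh
# Constructed sample of `splunk btool inputs list http --debug` output
# (not captured from a real instance). Assumed layout: each line starts
# with the contributing file, followed by a stanza header or "key = value".
SAMPLE_BTOOL='/opt/splunk/etc/apps/splunk_httpinput/default/inputs.conf [http]
/opt/splunk/etc/apps/splunk_httpinput/local/inputs.conf disabled = 0
/opt/splunk/etc/apps/splunk_httpinput/local/inputs.conf enableSSL = 1
/opt/splunk/etc/apps/splunk_httpinput/default/inputs.conf port = 8088
/opt/splunk/etc/apps/splunk_httpinput/default/inputs.conf [http://dev-token]
/opt/splunk/etc/apps/splunk_httpinput/local/inputs.conf token = really-long-token-thingie'

# effective_source <stanza> <key>: reads btool --debug output on stdin and
# prints "<file>: <key> = <value>" for the layer that wins for that key.
# Exit status 1 when the key is not set anywhere in that stanza.
effective_source() {
    awk -v want_stanza="[$1]" -v want_key="$2" '
        { file = $1; rest = $0; sub(/^[^ ]+ +/, "", rest) }
        rest ~ /^\[/ { stanza = rest; next }      # a new stanza header
        stanza == want_stanza {
            split(rest, kv, /[ \t]*=[ \t]*/)
            if (kv[1] == want_key) { print file ": " rest; found = 1; exit }
        }
        END { if (!found) exit 1 }'
}

# stanza_sources <stanza>: list every key in the stanza with its source file,
# which makes an unexpected layer (system/local, another app, a pushed
# bundle) stand out at a glance.
stanza_sources() {
    awk -v want_stanza="[$1]" '
        { file = $1; rest = $0; sub(/^[^ ]+ +/, "", rest) }
        rest ~ /^\[/ { stanza = rest; next }
        stanza == want_stanza { print file ": " rest }'
}

# Check the constructed sample; on a live instance replace the printf with
#   /opt/splunk/bin/splunk btool inputs list http --debug
check_sample() {
    printf '%s\n' "$SAMPLE_BTOOL" | effective_source http enableSSL
}

check_sample
printf '%s\n' "$SAMPLE_BTOOL" | stanza_sources http
```

Run the same pipeline before and after the wrapper script or docker-compose step that is suspected of rewriting the file; a change in the reported path or value pins down which step does it.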

dstromberg
Path Finder

So a simple "docker stop <container>" followed by a simple "docker start <samecontainer>" does not show the problem.

It turns out there's something in a wrapper script someone else in my team wrote, that's doing this.  Or maybe docker-compose is.

Thanks!

dstromberg
Path Finder

Using a default.yml got me past this hurdle.

Thanks folks.