Setup SSL for HEC (6.5.2)

JosIJntema
Explorer

Hi there,

I have set up my SSL for port 8000. Now I want to set up CORS and SSL for HEC.

I have used Let's Encrypt and have the following files:
cert.pem
fullchain.pem
privkey.pem
chain.pem

In the following folder:

/opt/splunk/etc/auth/analyticsimplementatie

I have the following in my input.conf in directory (/opt/splunk/etc/apps/splunk_httpinput/local)

[http]
disabled = 0
sourcetype = _json
enableSSL = 1

[http://Test]
disabled = 0
index = main
indexes = main
token =

In the documentation I cannot understand what I have to add exactly to the http-stanza.

Thanks so much for the help.

0 Karma

ilyaresh
Path Finder

That's our set-up

[http]
enableSSL = 1
sslPassword = $1$IA1A1A1A1
privKeyPath = /opt/splunk/etc/auth/splunkweb/hec.mydomain.com.key
serverCert = /opt/splunk/etc/auth/splunkweb/hec.mydomain.com.pem

0 Karma
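
A small lint for the [http] stanza shown in the reply above, as an added example that is not part of the thread or of Splunk's own tooling. It checks that enableSSL is 1, that serverCert and privKeyPath point to existing PEM files of the right kind, and that the key file is not accessible to group or others; the function names and the sample files are constructed for illustration.

```python
import configparser
import os
import stat
import tempfile

# PEM marker each file should contain (setting names taken from the reply above).
EXPECTED = {"serverCert": "-----BEGIN CERTIFICATE-----", "privKeyPath": "PRIVATE KEY-----"}

def check_hec_ssl(conf_text):
    """Return a list of findings for the [http] stanza; an empty list means none."""
    cp = configparser.RawConfigParser(strict=False)
    cp.optionxform = str  # keep setting names case-sensitive
    cp.read_string(conf_text)
    if not cp.has_section("http"):
        return ["no [http] stanza"]
    http, findings = cp["http"], []
    if http.get("enableSSL", "").strip() != "1":
        findings.append("enableSSL is not 1")
    for name, marker in EXPECTED.items():
        path = http.get(name, "").strip()
        if not path:
            findings.append(f"{name} is not set")
        elif not os.path.isfile(path):
            findings.append(f"{name}: no such file {path}")
        else:
            with open(path, errors="replace") as fh:
                if marker not in fh.read():  # catches swapped cert/key paths
                    findings.append(f"{name}: {path} lacks a '{marker}' block")
            # A key readable by group or others is exposed to every local account.
            if name == "privKeyPath" and os.stat(path).st_mode & (stat.S_IRWXG | stat.S_IRWXO):
                findings.append(f"{name}: {path} is accessible to group/others")
    return findings

def demo():
    """Lint constructed sample files: loose key mode, fixed key mode, swapped paths."""
    d = tempfile.mkdtemp()
    cert, key = os.path.join(d, "hec.example.pem"), os.path.join(d, "hec.example.key")
    with open(cert, "w") as fh:
        fh.write("-----BEGIN CERTIFICATE-----\n(constructed)\n-----END CERTIFICATE-----\n")
    with open(key, "w") as fh:
        fh.write("-----BEGIN PRIVATE KEY-----\n(constructed)\n-----END PRIVATE KEY-----\n")
    os.chmod(key, 0o644)  # deliberately too open
    good = f"[http]\nenableSSL = 1\nprivKeyPath = {key}\nserverCert = {cert}\n"
    swapped = f"[http]\nenableSSL = 1\nprivKeyPath = {cert}\nserverCert = {key}\n"
    loose = check_hec_ssl(good)
    os.chmod(key, 0o600)
    return loose, check_hec_ssl(good), check_hec_ssl(swapped)

if __name__ == "__main__":
    for result in demo():
        print(result)
```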

ischoenmaker
Explorer

Found your question, had the same. Posted a solution here:
answers.splunk.com/answers/462131/securing-http-event-collector.html

0 Karma

gjanders
SplunkTrust

Set up and use HTTP Event Collector

Via the GUI:

  1. To have HEC listen and communicate over HTTPS rather than HTTP, click the Enable SSL checkbox.

Or inputs.conf

[http]
enableSSL = [0|1]
* Whether or not to use SSL for the event collector endpoint server.
* HEC shares SSL settings with the Splunk management server and cannot have 'enableSSL' set to true when the Splunk management server has SSL disabled.
* Defaults to 0 (enabled).

It is on by default...

0 Karma