Setup SSL for HEC (6.5.2)

JosIJntema · ‎03-26-2017

Hi there,

I have setup my SSL for port 8000. Now I want to setup CORS and SSL for HEC.

I have used Let's Encrypt and have the following files:
cert.pem
fullchain.pem
privkey.pem
chain.pem

In the following folder:

/opt/splunk/etc/auth/analyticsimplementatie

I have the following in my input.conf in directory (/opt/splunk/etc/apps/splunk_httpinput/local)

[http]
disabled = 0
sourcetype = _json
enableSSL = 1

[http://Test]
disabled = 0
index = main
indexes = main
token =

In the documentation I cannot understand what I have to add exactly to the http-stanza.

Thanks so much for the help.

ilyaresh · ‎11-08-2018

That's our set-up
[http] enableSSL = 1 sslPassword = $1$IA1A1A1A1 privKeyPath = /opt/splunk/etc/auth/splunkweb/hec.mydomain.com.key serverCert = /opt/splunk/etc/auth/splunkweb/hec.mydomain.com.pem

ischoenmaker · ‎10-18-2018

Found your question, had the same. Posted a solution here:
answers.splunk.com/answers/462131/securing-http-event-collector.html

gjanders · ‎04-01-2017

Set up and use HTTP Event Collector

Via the GUI:

To have HEC listen and communicate over HTTPS rather than HTTP, click the Enable SSL checkbox.

Or inputs.conf

[http] enableSSL = [0|1]
* Whether or not to use SSL for the event collector endpoint server.
* HEC shares SSL settings with the Splunk management server and cannot
have 'enableSSL' set to true when
the Splunk management server has SSL
disabled.
* Defaults to 0 (enabled).

It is on by default...

-
Alerts for Splunk Admins, Version Control for Splunk, Decrypt2 VersionControl For SplunkCloud

Setup SSL for HEC (6.5.2)

Introducing Edge Processor: Next Gen Data Transformation

Take the 2021 Splunk Career Survey for $50 in Amazon Cash

Using Machine Learning for Hunting Security Threats