I know that this is an old thread; however, after a lot of browsing I was able to make AWS pipe AWS Flow logs to Splunk HEC with a letsencrypt cert and without needing to use ACM.

All one has to do is see if they get the correct letsencrypt cert when browsing to the HEC endpoint, like so:

    curl -k https://yoursplunkinstanceDOTcom:8088/services/collector/event -H "Authorization: Splunk <Token>" -d '{"event":"hello world"}' -v

If you don't see your letsencrypt cert here, you have to create a combinedsplunk.pem from these three files:

    cd /etc/letsencrypt/live/your-server-hostname/
    cat cert.pem privkey.pem chain.pem > /opt/splunk/etc/auth/yoursplunkinstance/combinedsplunk.pem
    chmod 600 /opt/splunk/etc/auth/yoursplunkinstance/combinedsplunk.pem
    chown splunk:splunk /opt/splunk/etc/auth/yoursplunkinstance/combinedsplunk.pem

Then you have to create an inputs.conf file and ensure it is readable by the splunk user:

    cd /opt/splunk/etc/system/local/
    cat inputs.conf
    [http]
    disabled = 0
    index = main
    enableSSL = 1
    serverCert = /opt/splunk/etc/auth/yoursplunkinstance/combinedsplunk.pem
    sslPassword =
    crossOriginSharingPolicy = *

Then restart splunk:

    /opt/splunk/bin/splunk restart

Now you should be able to go to HEC without any SSL error, even without the -k switch in curl, which asks curl to ignore SSL cert errors:

    curl https://yoursplunkinstanceDOTcom:8088/services/collector/event -H "Authorization: Splunk <Token>" -d '{"event":"hello world"}' -v
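A pre-restart check for the combined PEM described in the post above, as an added example that is not part of the original post or of Splunk: it confirms the block order (cert.pem, privkey.pem, chain.pem), that the key is unencrypted to match the empty `sslPassword`, and that the file mode keeps the private key away from group and other. `check_combined_pem` and `pem_block` are hypothetical helper names, the sample PEM bodies are constructed dummies, and GNU `stat` is assumed.

```shell
#!/usr/bin/env bash
# Added example: check_combined_pem is a hypothetical helper, not a Splunk command.
# It inspects only the PEM framing; it does not parse or validate the certificates.

check_combined_pem() {
    local pem="$1" order perms
    [ -r "$pem" ] || { echo "cannot read $pem"; return 2; }

    # Reduce the file to its sequence of block types: C = certificate,
    # K = unencrypted private key, E = passphrase-protected private key.
    order=$(awk '
        /^-----BEGIN CERTIFICATE-----/            { printf "C " }
        /^-----BEGIN ENCRYPTED PRIVATE KEY-----/  { printf "E " }
        /^-----BEGIN (RSA |EC )?PRIVATE KEY-----/ { printf "K " }
    ' "$pem")

    case "$order" in
        *E*)       echo "key is encrypted, but sslPassword is empty"; return 1 ;;
        *K*K*)     echo "more than one private key in the file";      return 1 ;;
        "C K C "*) ;;  # cert.pem, privkey.pem, then chain.pem
        "C K ")    echo "chain.pem is missing after the key";         return 1 ;;
        *)         echo "unexpected block order: ${order:-none}";     return 1 ;;
    esac

    # The file holds the private key, so group/other must have no access (chmod 600).
    perms=$(stat -c '%a' "$pem")
    case "$perms" in
        [0-7]00) ;;
        *) echo "mode $perms is too open, expected 600"; return 1 ;;
    esac
    echo "ok: $order(mode $perms)"
}

# Constructed sample: dummy PEM bodies, same concatenation order as the post.
demo_dir=$(mktemp -d)
pem_block() { printf -- '-----BEGIN %s-----\nQUJD\n-----END %s-----\n' "$1" "$1"; }
{ pem_block CERTIFICATE; pem_block "PRIVATE KEY"; pem_block CERTIFICATE; } \
    > "$demo_dir/combinedsplunk.pem"
chmod 600 "$demo_dir/combinedsplunk.pem"
check_combined_pem "$demo_dir/combinedsplunk.pem"
```

Run it against the real file before `splunk restart`; a non-zero exit status means the file does not match what the `inputs.conf` in the post expects.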