PoC for securing the Splunk HTTP Event Collector (HEC) with Let's Encrypt certificates, so that clients can verify the HEC endpoint against a public CA instead of Splunk's self-signed default.
- Create the certificates with `splunk-hec-secure/scripts/create-certs.sh` (lines 3 to 31 at commit 0c991a9).
When the script finishes, `$SPLUNK_HOME/etc/auth/mycerts` should contain:

```
-rw-r--r--. 1 splunk splunk 5242 Feb 12 16:06 fullchain.pem
-rw-r--r--. 1 splunk splunk 5483 Feb 12 16:06 hec.pem
-rw-r--r--. 1 splunk splunk 1939 Feb 12 16:06 isrgrootx1.pem
-rw-------. 1 splunk splunk  241 Feb 12 16:06 privkey.pem
```

`fullchain.pem` is the leaf plus intermediate, `isrgrootx1.pem` is the ISRG Root X1 trust anchor, and `hec.pem` is `fullchain.pem` followed by `privkey.pem` (5242 + 241 = 5483 bytes), which is the layout Splunk expects for `serverCert`. Because `hec.pem` carries the private key it should be mode 0600 like `privkey.pem`, not world-readable as in the listing; run `chmod 0600 $SPLUNK_HOME/etc/auth/mycerts/hec.pem`. The files must be owned by the account splunkd runs as (`splunk` here) or Splunk will not be able to load them.
- Use the following in `inputs.conf`:

```
[http]
disabled = 0
index = your-hec-index-name
enableSSL = 1
serverCert = $SPLUNK_HOME/etc/auth/mycerts/hec.pem
sslPassword =
```

`serverCert` must point at the `hec.pem` the script produced in `$SPLUNK_HOME/etc/auth/mycerts`, not at a path under `/etc/letsencrypt/live/your-server-hostname/`: that tree is owned by root and the private key there is not readable by the `splunk` user. `sslPassword` stays empty because Let's Encrypt keys are issued without a passphrase. Leave out `crossOriginSharingPolicy = *` unless browser-based clients have to call HEC directly; the wildcard allows any web origin to send requests to the collector, so if it is needed, list the specific origins instead of `*`.
Send a test event (without `-k`, so curl verifies the certificate chain; `-k` would hide exactly the trust problem this PoC is meant to fix):

```
DOMAIN=dessy.one
SPLUNK_HOST=splunk
FQDN=${SPLUNK_HOST}.${DOMAIN}
curl https://$FQDN:8088/services/collector/event \
  -H "Authorization: Splunk abcd-1234-efgh-5678" \
  -d '{"event":"hello world"}' -v
```

A `{"text":"Success","code":0}` reply over a connection that curl reports as verified means the chain is trusted by the client's CA store. If you want to trust only Let's Encrypt's root for this check, add `--cacert $SPLUNK_HOME/etc/auth/mycerts/isrgrootx1.pem`.
Check the certificate chain the HEC port actually serves (8088 is HEC; 8000 is Splunk Web, which this `inputs.conf` does not configure):

```
DOMAIN=dessy.one
SPLUNK_HOST=splunk
FQDN=${SPLUNK_HOST}.${DOMAIN}
openssl s_client -connect $FQDN:8088 -servername $FQDN -showcerts </dev/null
```

The output should list the leaf and the intermediate and end with `Verify return code: 0 (ok)`. A `unable to get local issuer certificate` error means `hec.pem` is missing the intermediate, i.e. it was built from `cert.pem` instead of `fullchain.pem`.
Renew the certificate regularly (certbot only renews when the certificate is within 30 days of expiry, so running this daily is safe):

```
sudo certbot renew
```

`certbot renew` only replaces the files under `/etc/letsencrypt`; it does not rebuild `hec.pem` in `$SPLUNK_HOME/etc/auth/mycerts` or make splunkd reload it, so run the certificate script again and restart Splunk after a renewal, or attach that step with `certbot renew --deploy-hook /path/to/hook.sh`. Most distribution packages of certbot already install a cron job or systemd timer that runs `certbot renew` twice a day; check for it before adding another.
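The renewal step above is the one most likely to break silently: `certbot renew` swaps the files under `/etc/letsencrypt`, but the `hec.pem` that Splunk reads keeps serving the old certificate until someone rebuilds it and restarts splunkd. The following deploy hook, added here as an example and not code from the splunk-hec-secure repo, rebuilds the bundle the same way the listing above shows it (`fullchain.pem` + `privkey.pem` = `hec.pem`), checks it before anything goes live, and restarts Splunk. It assumes, which the page does not state, that `SPLUNK_HOME` is `/opt/splunk`, that splunkd runs as the `splunk` user, and that `serverCert` points at `$SPLUNK_HOME/etc/auth/mycerts/hec.pem`. `RENEWED_LINEAGE` is the variable certbot exports to deploy hooks with the renewed lineage's live directory.

```shell
#!/usr/bin/env bash
# Added example (not from the splunk-hec-secure repo): certbot deploy hook that
# rebuilds the Splunk HEC certificate bundle after "certbot renew".
# Assumed, not stated on the page: SPLUNK_HOME=/opt/splunk, splunkd runs as
# user "splunk", inputs.conf has serverCert = $SPLUNK_HOME/etc/auth/mycerts/hec.pem.
set -eu

SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"
SPLUNK_USER="${SPLUNK_USER:-splunk}"
CERT_DIR="$SPLUNK_HOME/etc/auth/mycerts"

# build_hec_bundle SRC DST [OWNER]
# Copies fullchain.pem and privkey.pem from a certbot lineage dir (SRC) into DST
# and writes hec.pem = fullchain.pem + privkey.pem, the layout Splunk's
# serverCert expects (certificate chain first, then the key). hec.pem contains
# the private key, so it gets mode 0600 just like privkey.pem.
build_hec_bundle() {
  local src="$1" dst="$2" owner="${3:-splunk}"
  install -d -m 0750 "$dst"
  # cat instead of cp: entries in certbot's live/ dir are symlinks into archive/
  cat "$src/fullchain.pem" > "$dst/fullchain.pem"
  cat "$src/privkey.pem"   > "$dst/privkey.pem"
  cat "$dst/fullchain.pem" "$dst/privkey.pem" > "$dst/hec.pem"
  chmod 0644 "$dst/fullchain.pem"
  chmod 0600 "$dst/privkey.pem" "$dst/hec.pem"
  # A deploy hook runs as root; chown only then, and only if the account exists
  if [ "$(id -u)" = 0 ] && id -u "$owner" >/dev/null 2>&1; then
    chown -R "$owner:$owner" "$dst"
  fi
}

# check_hec_bundle DST
# Returns 0 when hec.pem is exactly chain followed by key and neither
# key-bearing file is readable by group or others; non-zero otherwise.
check_hec_bundle() {
  local dst="$1" f mode
  cat "$dst/fullchain.pem" "$dst/privkey.pem" | cmp -s - "$dst/hec.pem" || return 1
  for f in privkey.pem hec.pem; do
    mode="$(ls -l "$dst/$f" | cut -c1-10)"   # 10 chars: ignores the SELinux "." suffix
    [ "$mode" = "-rw-------" ] || return 1
  done
  return 0
}

# verify_chain DST
# Cryptographic checks that need real certificates and the openssl CLI:
# the leaf in fullchain.pem must chain to ISRG Root X1 via the bundled
# intermediate, and the private key must match the leaf's public key.
verify_chain() {
  local dst="$1"
  openssl verify -CAfile "$dst/isrgrootx1.pem" \
    -untrusted "$dst/fullchain.pem" "$dst/fullchain.pem" >/dev/null
  [ "$(openssl x509 -in "$dst/fullchain.pem" -noout -pubkey)" = \
    "$(openssl pkey -in "$dst/privkey.pem" -pubout)" ]
}

# certbot sets RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/splunk.dessy.one)
# for deploy hooks. When it is unset, the functions above are only defined.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
  build_hec_bundle "$RENEWED_LINEAGE" "$CERT_DIR" "$SPLUNK_USER"
  check_hec_bundle "$CERT_DIR"
  [ -f "$CERT_DIR/isrgrootx1.pem" ] && verify_chain "$CERT_DIR"
  # A restart is the sure way to make splunkd re-read serverCert
  "$SPLUNK_HOME/bin/splunk" restart
fi
```

Install it as root with mode 0700 and point certbot at it (`certbot renew --deploy-hook /path/to/hook.sh`, or drop it into `/etc/letsencrypt/renewal-hooks/deploy/`); certbot runs deploy hooks only when a certificate was actually renewed, so the Splunk restart happens once per renewal rather than on every timer run. `check_hec_bundle` deliberately runs before the restart: a bundle that is not chain-then-key, or a `hec.pem` left world-readable, aborts the hook under `set -e` instead of being served.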