Recently we’ve been seeing a bunch of questions coming in related to errors when folks try to send events to HEC (HTTP Event Collector) from the browser and the requests are denied. One reason you might want to send from the browser is to capture errors or logs within your client-side applications. Another is to capture telemetry / how the application is being used. It is a great match for HEC however…
Making calls from a browser to Splunk get you into the world of cross-domain requests and CORS. In this post I’ll describe quickly what CORS (Cross Origin Resource Sharing) is and how you can enable your browsers to take advantage of HEC.
Splunk supports CORS and it can be enabled within conf. Depending on the version of Splunk, where you enable it differs. In Splunk 6.4, this will be enabled in the [http] stanza of inputs.conf. Which is specific for HEC. You’ll see the crossOriginSharingPolicy setting here.
If you are using Splunk 6.3, then the setting is in server.conf under [httpserver] and applies generally to the REST API as well. Once the policy is properly configured, browsers will be able to make cross domain requests.
Note: For Splunk Cloud customers, you will need to work with support to get this enabled.
Caveats on SSL and CORS
There is one big caveat though, the SSL cert on the Splunk side MUST be a valid cert. This is not a Splunk constraint, this is a constrain for browsers like Chrome, Firefox etc. Without a valid SSL cert the request will complete and you will get an error. The only way to work around this is to not use SSL (which I am guessing you don’t want to do).
Now depending again on which version of Splunk you are using determines where to configure the valid SSL cert. If you are in Splunk 6.4, this is also in inputs.conf. For Splunk 6.3 it is in server.conf under [sslconfig]
Note: If you are in Splunk Cloud trial or Single Instance then the cert is self-signed and you cannot change it today.
Enjoy having fun with HEC and the browser!