Splunk 6.4 – Using CORS and SSL settings with HTTP Event Collector


In Splunk 6.4.x and beyond HTTP Event Collector has its own specific settings for CORS and SSL. To use CORS and SSL in 6.4, you must configure the new settings which are located in the [http] stanza of inputs.conf.


In Splunk 6.3.x, CORS and SSL settings for HTTP Event Collector are shared with Splunk’s REST API, and are set in server.conf in the [httpServer] and [sslConfig] stanzas.

In Splunk 6.4.x we’ve introduced dedicated settings for HEC. This means you can now have more fine-grained control of your HEC endpoint.

It also means if you were relying on CORS and SSL prior to 6.4, then you must configure the new settings in 6.4. They do not automatically migrate over.

The settings are located in the [http] stanza of inputs.conf located in %SPLUNK_HOME%/etc/apps/splunk_httpinput/local. Start at the sslKeysFile setting and you will see the new settings. Make sure you restart Splunk after updating the settings. Below for example is the setting for enabling CORS.

crossOriginSharingPolicy = <origin_acl> ...* List of the HTTP Origins for which to return Access-Control-Allow-* (CORS)  headers.* These headers tell browsers that we trust web applications at those sites  to make requests to the REST interface.* The origin is passed as a URL without a path component (for example  "").* This setting can take a list of acceptable origins, separated  by spaces and/or commas.* Each origin can also contain wildcards for any part.  Examples:    *://*  (either HTTP or HTTPS on any port)    https://*  (any host under, including itself).* An address can be prefixed with a '!' to negate the match, with  the first matching origin taking precedence.  For example,  "!*://* *://**" to not avoid  matching one host in a domain.* A single "*" can also be used to match all origins.* By default, the list is empty.




Glenn Block

Posted by