Recently we’ve been seeing a bunch of questions coming in related to errors when folks try to send events to HEC (HTTP Event Collector) from the browser and the requests are denied. One reason you might want to send from the browser is to capture errors or logs within your client-side applications. Another is to capture telemetry / how the application is being used. It is a great match for HEC however…
Making calls from a browser to Splunk gets you into the world of cross-domain requests and CORS. In this post I’ll quickly describe what CORS (Cross-Origin Resource Sharing) is and how you can enable your browsers to take advantage of HEC.
Browser clients are trying to send events to HEC from JavaScript and the requests are denied. The issue is related to CORS. Most browsers (Chrome, Safari) by default will not allow cross-domain requests (which includes requests to HEC) unless they are authorized. A cross-domain call is when a script on a page served from one domain (like a website) makes a request to another domain (like the Splunk server). The browser first makes a pre-flight request asking the target server who is allowed to access it and which methods are supported. The server may respond with an Access-Control-Allow-Origin header that contains either a wildcard (*) or a list of acceptable domains. If the response indicates that the page's origin is permitted, the browser allows the request to go through. If the origin is not permitted, then an HTTP Status 401 will get returned.
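The pre-flight check described above, as an added example that is not from the original post: a small JavaScript model of the browser's decision for a HEC request, useful when diagnosing why a call is denied. The function names are hypothetical, and the host, token and origins used with it are constructed placeholders.

```javascript
// Added example: mirrors the browser's CORS pre-flight decision for a HEC call.
// URL, token and origins passed in are constructed placeholders.
const SAFE_HEADERS = new Set(["accept", "accept-language", "content-language"]);
const SAFE_CONTENT_TYPES = ["application/x-www-form-urlencoded", "multipart/form-data", "text/plain"];

// Request a page script would hand to fetch(url, options). A token shipped to
// the browser is readable by every visitor of the page.
function buildHecRequest(hecUrl, token, event) {
  return {
    url: hecUrl,
    options: { method: "POST", headers: { Authorization: `Splunk ${token}` }, body: JSON.stringify({ event }) },
  };
}

// Header names that force a pre-flight and must be explicitly allowed.
function unsafeHeaders(headers) {
  return Object.entries(headers)
    .filter(([name, value]) => {
      const n = name.toLowerCase();
      if (n === "content-type") return !SAFE_CONTENT_TYPES.includes(value.split(";")[0].trim().toLowerCase());
      return !SAFE_HEADERS.has(n);
    })
    .map(([name]) => name.toLowerCase());
}

const list = (v) => (v || "").split(",").map((s) => s.trim().toLowerCase()).filter(Boolean);

// preflight: { status, headers } of the OPTIONS response, header names lower-cased.
function preflightVerdict(pageOrigin, request, preflight) {
  if (preflight.status < 200 || preflight.status > 299)
    return { allowed: false, reason: "pre-flight status " + preflight.status };
  const allowOrigin = preflight.headers["access-control-allow-origin"];
  if (allowOrigin !== "*" && allowOrigin !== pageOrigin)
    return { allowed: false, reason: "origin not permitted" };
  const methods = list(preflight.headers["access-control-allow-methods"]);
  const method = request.options.method.toUpperCase();
  if (!["GET", "HEAD", "POST"].includes(method) && !methods.includes(method.toLowerCase()) && !methods.includes("*"))
    return { allowed: false, reason: "method not permitted" };
  const allowed = list(preflight.headers["access-control-allow-headers"]);
  for (const h of unsafeHeaders(request.options.headers)) {
    // "*" never covers Authorization; it has to be named explicitly.
    if (!allowed.includes(h) && !(allowed.includes("*") && h !== "authorization"))
      return { allowed: false, reason: `header ${h} not permitted` };
  }
  return { allowed: true, reason: "ok" };
}
```

Feed it the status and headers of an OPTIONS response captured from the browser's network tab to see which part of the policy rejects the call.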
Splunk supports CORS and it can be enabled within conf. Where you enable it depends on the version of Splunk. In Splunk 6.4, it is enabled in the [http] stanza of inputs.conf, which is specific to HEC. You’ll see the crossOriginSharingPolicy setting there.
If you are using Splunk 6.3, then the setting is in server.conf under [httpserver] and applies generally to the REST API as well. Once the policy is properly configured, browsers will be able to make cross domain requests.
Note: For Splunk Cloud customers, you will need to work with support to get this enabled.
There is one big caveat, though: the SSL cert on the Splunk side MUST be a valid cert. This is not a Splunk constraint; it is a constraint for browsers like Chrome, Firefox etc. Without a valid SSL cert the request will complete and you will get an error. The only way to work around this is to not use SSL (which I am guessing you don’t want to do).
Where you configure the valid SSL cert again depends on which version of Splunk you are using. If you are on Splunk 6.4, this is also in inputs.conf. For Splunk 6.3 it is in server.conf under [sslconfig].
Note: If you are in Splunk Cloud trial or Single Instance then the cert is self-signed and you cannot change it today.
Enjoy having fun with HEC and the browser!
----------------------------------------------------
Thanks!
Glenn Block