TLS and mTLS support
When sending data from an Edge Processor to a Splunk indexer using HEC, in most cases you can choose to secure communications using TLS or mutually authenticated TLS (mTLS).
Using TLS when sending data from Edge Processors to indexes through HEC
Splunk Enterprise and Splunk Cloud Platform indexers both support TLS. Splunk Cloud Platform indexers always require TLS.
When TLS is used, the Edge Processor requires the indexer to prove its identity using a valid set of TLS certificates. If the indexer cannot provide these certificates, then the Edge Processor does not connect to the indexer and does not send any data to it.
To use TLS, when configuring your Splunk platform HEC destination, make sure that the HEC URI value starts with https instead of http.
Using mTLS when sending data from Edge Processors to indexes through HEC
Splunk Cloud Platform indexers do not support mTLS for HEC connections. Only Splunk Enterprise indexes support mTLS.
When mTLS is used, both the Edge Processor and the indexer must prove their identities using valid TLS certificates. If either system cannot provide these certificates, then the Edge Processor does not connect to the indexer and does not send any data to it.
To use mTLS, when configuring your Splunk platform HEC destination, you must turn on the Authenticate identity using TLS certificates setting and then upload a client certificate, private key, and CA certificates. See the rest of this page for more information.