From 562a34fdbf053d23ef27da9a48caf0bf482863d3 Mon Sep 17 00:00:00 2001 From: sbylica-splunk Date: Fri, 20 Mar 2026 10:57:03 +0100 Subject: [PATCH] feat: add SNI configuration option for HEC TLS destinations Add SC4S_DEST_SPLUNK_HEC__SNI env var to enable TLS Server Name Indication on HEC destinations. This allows SSL/TLS passthrough load balancers to route HTTPS traffic based on the target hostname sent during the TLS handshake. Made-with: Cursor --- docs/destinations.md | 1 + package/etc/conf.d/destinations/dest_hec/plugin.jinja | 3 +++ package/etc/conf.d/destinations/dest_hec/plugin.py | 1 + 3 files changed, 5 insertions(+) diff --git a/docs/destinations.md b/docs/destinations.md index 14463060e9..f60eb48a08 100644 --- a/docs/destinations.md +++ b/docs/destinations.md @@ -20,6 +20,7 @@ You can configure Splunk Connect for Syslog to use any destination available in | SC4S_DEST_SPLUNK_HEC_<ID>_MODE | string | "GLOBAL" or "SELECT". | | SC4S_DEST_SPLUNK_HEC_<ID>_TLS_VERIFY | yes(default) or no | Verify HTTP(s) certificates. | | SC4S_DEST_SPLUNK_HEC_<ID>_HTTP_COMPRESSION | yes or no(default) | Compress outgoing HTTP traffic using the gzip method. | +| SC4S_DEST_SPLUNK_HEC_<ID>_SNI | yes or no(default) | Enable TLS Server Name Indication (SNI). When enabled, SC4S sends the HEC destination hostname during the TLS handshake, which allows SSL/TLS passthrough load balancers to make routing decisions based on the target hostname. | ## HTTP Compression diff --git a/package/etc/conf.d/destinations/dest_hec/plugin.jinja b/package/etc/conf.d/destinations/dest_hec/plugin.jinja index 6d3421694f..5737c72988 100644 --- a/package/etc/conf.d/destinations/dest_hec/plugin.jinja +++ b/package/etc/conf.d/destinations/dest_hec/plugin.jinja @@ -44,6 +44,9 @@ destination d_hec{{ dest_mode }}{{ altname }}{ {%- if ssl_version %} ssl-version("{{ ssl_version }}") {%- endif %} + {%- if sni %} + sni(yes) + {%- endif %} ) use-system-cert-store(yes) body('{{ msg_template }}') diff --git a/package/etc/conf.d/destinations/dest_hec/plugin.py b/package/etc/conf.d/destinations/dest_hec/plugin.py index 056696b26d..9dc353e1e4 100755 --- a/package/etc/conf.d/destinations/dest_hec/plugin.py +++ b/package/etc/conf.d/destinations/dest_hec/plugin.py @@ -144,6 +144,7 @@ def hec_endpoint_collector(hec_path, url_hec): peer_verify=os.getenv(f"SC4S_DEST_SPLUNK_HEC_{group}_TLS_VERIFY", "yes"), cipher_suite=os.getenv(f"SC4S_DEST_SPLUNK_HEC_{group}_CIPHER_SUITE"), ssl_version=os.getenv(f"SC4S_DEST_SPLUNK_HEC_{group}_SSL_VERSION"), + sni=os.getenv(f"SC4S_DEST_SPLUNK_HEC_{group}_SNI", "no").lower() in ["true", "1", "t", "y", "yes"], http_compression=http_compression )