Before you begin, please review our Log Pipeline article if you have not already!
Setting up a Splunk HTTP Event Collector
To add a Splunk HTTP Event Collector
Click the Add New Destination button on the Log Pipeline / Log Destinations page.
Select Splunk HEC from the dropdown.
Provide a Display Name for your HEC. This will help you differentiate it from your other configured log destinations.
Provide the secret token for your Splunk HEC. This can be found by visiting the Data Inputs -> HTTP Event Collector screen of the Splunk Cloud dashboard:
Copy the ‘Token Value’ and paste it into the ‘New Splunk HTTP Event Collector’ form’s "HEC Token" field.
5. Provide the URL endpoint for your Splunk HEC. You can find documentation for HEC URLs here: https://docs.splunk.com/Documentation/Splunk/latest/Data/UsetheHTTPEventCollector. Generally, if you are using Splunk Cloud, the URLs follow the format:
https://[input or http-input]-<SPLUNK INSTANCE URL>.cloud.splunk.com:<PORT>/services/collector/event.
We recommend not using the .../collector/raw endpoint since the Kolide log pipeline emits structured JSON logs appropriate for the /services/collector/event endpoint.
6. Choose whether to send either (or both) Status Logs and Result Logs.
7. We strongly recommend that you leave the ‘Validate TLS’ box checked, but we have observed that some splunk deployments use a self-signed TLS certificate, which causes TLS validation to fail. If you find this to be a problem (you’ll see an error notice after you save the form), try un-checking this box.
Once you click ‘Save’, Kolide will send a test event to your splunk instance. The event should look like this:
{"event":{"key":"kolide_testing","ts":"2020-06-02T19:13:54.022Z"}}If your Splunk instance does not respond successfully, you will see an error message informing you of the failure.
NOTE:
Splunk HEC Indexer Acknowledgement is not currently supported.