uberAgent

Documentation

Contents
Contents
Previous document: Installing Splunk Next document: Installing and Configuring Elasticsearch & Kibana

Configuring Splunk’s HTTP Event Collector

In this article

What is HTTP Event Collector?

HTTP Event Collector (HEC) is a high-performance data input introduced with Splunk 6.3. It accepts plain text or JSON data sent via HTTP or HTTPS.

Clients must authenticate with a token in order to be able to send data to a HEC input. Multiple tokens can be generated per HEC input if required.

When to Use HTTP Event Collector?

HTTP Event Collector (HEC) is the only way to send uberAgent data to Splunk Cloud. But it is useful even with on-premises Splunk Enterprises. HEC forces clients to authenticate before being allowed to send and it can use HTTPS as data transport, which qualifies it for sending data over the internet.

uberAgent natively supports HEC. It can send the data it collects to HEC via HTTP or HTTPS.

Configuring HTTP Event Collector in Splunk Enterprise

Enabling HTTP Event Collector

To enable HTTP Event Collector (HEC) for uberAgent follow these steps:

  • From the system bar, click Settings -> Data Inputs
  • On the left side of the page, click HTTP Event Collector
  • In the upper right corner, click Global Settings. The following dialog comes up:splunk-http-event-collector-global-settings
  • In the All Tokens toggle button, select Enabled
  • Optionally change the HEC port or enable SSL/TLS
    • Note that Splunk’s default self-signed certificate is not trusted by uberAgent if it is not in Windows’ certificate store.
    • HTTP Event Collector shares SSL settings with the Splunk management server so check your server.conf for SSL configuration details.
  • Click Save

Creating an HTTP Event Collector Token

To use the HTTP Event Collector, you must configure at least one token. The token is what uberAgent uses when it connects to Event Collector to send data.

To create an HEC token for use with uberAgent follow these steps:

  • From the system bar, click Settings -> Data Inputs
  • On the left side of the page, click HTTP Event Collector
  • In the upper right corner, click New Token. The following dialog comes up:splunk-http-event-collector-add-data-01
  • Enter a name (e.g. uberAgent) and click Next. The following dialog comes up:splunk-http-event-collector-add-data-02
  • Leave everything at the defaults and click Review
  • On the next page click Submit
  • Copy the token value displayed. In the following screenshot that would be: 10C2F38B-CA7A-4850-8124-7A3191F82DBEsplunk-http-event-collector-add-data-03

Configuring uberAgent to Send to an HTTP Event Collector Input

To configure uberAgent to send its collected data to HEC the following configuration settings are required:

  • Servers: comma-separated list of URLs starting with http or https, e.g.: http://server1:8088, https://server2:8088
  • Protocol: must be set to HTTP (even when sending via HTTPS)
  • RESTToken: fill in the token created above. The token can optionally be encrypted with the uAEncrypt commandline tool.

Previous document: Installing Splunk Next document: Installing and Configuring Elasticsearch & Kibana
Miscellaneous

Imprint
Privacy Policy