What is HTTP Event Collector?

HTTP Event Collector (HEC) is a high-performance REST API data input. It accepts plain text or JSON data sent via HTTP or HTTPS.

Clients must authenticate with a token in order to be able to send data to a HEC input. Multiple tokens can be generated per HEC input if required.

When to Use HTTP Event Collector?

HTTP Event Collector (HEC) is the only way to send uberAgent data to Splunk Cloud. But it is useful even with on-premises Splunk Enterprise. HEC forces clients to authenticate before being allowed to send and it can use HTTPS as data transport, which qualifies it for sending data over the internet.

uberAgent natively supports HEC. It can send the data it collects to HEC via HTTP or HTTPS.

Configuring HTTP Event Collector in Splunk Enterprise

Enabling HTTP Event Collector in the UI

To enable HTTP Event Collector (HEC) for uberAgent follow these steps:

• From the system bar, click Settings > Data Inputs
• On the left side of the page, click HTTP Event Collector
• In the upper right corner, click Global Settings. The following dialog comes up:
  
• In the All Tokens toggle button, select Enabled
• Optionally change the HEC port or enable SSL/TLS
  • Note that Splunk’s default self-signed certificate is not trusted by uberAgent if it is not in the endpoint’s operating system certificate store.
  • HTTP Event Collector shares SSL settings with the Splunk management server so check your server.conf for SSL configuration details.
• Click Save

Creating an HTTP Event Collector Token in the UI

To use the HTTP Event Collector, you must configure at least one token. The token is what uberAgent uses when it connects to Event Collector to send data.

To create an HEC token for use with uberAgent follow these steps:

• From the system bar, click Settings > Data Inputs
• On the left side of the page, click HTTP Event Collector
• In the upper right corner, click New Token. The following dialog comes up:
  
• Enter a name (e.g. uberAgent) and click Next. The following dialog comes up:
  
• Leave everything at the defaults and click Review
• On the next page click Submit
• Copy the token value displayed. In the following screenshot that would be: 10C2F38B-CA7A-4850-8124-7A3191F82DBE
  

HTTP Event Collector Configuration Files

Splunk HTTP Event Collector can be configured through configuration files instead of the UI, which is often required for automation or for configuring settings that are not exposed in the UI. See Splunk’s documentation Set up and use HTTP Event Collector with configuration files for details.

Configuring uberAgent to Send to an HTTP Event Collector Input

To configure uberAgent to send its collected data to HEC the following configuration settings are required:

• Servers: comma-separated list of URLs starting with http or https, e.g.: http://server1:8088, https://server2:8088
• Protocol: must be set to HTTP (even when sending via HTTPS)
• RESTToken: fill in the token created above. The token can optionally be encrypted with the uAEncrypt commandline tool.

Please make sure to review the KB document Reuse of Open HTTP Connections.