Collect HTTP events in Onum with new Splunk HEC integration

August 15, 2024

Send event data to Splunk directly via HTTP or HTTPS.

Efficiently ingest data into Splunk without the need for intermediary files or complex configurations.

The benefits of Splunk HEC

  • Efficiency: Events are posted straight to the collector, which removes the polling and file-handoff delay of file-based inputs.
  • Ease of Integration: Uses plain HTTP(S) and JSON, so any language or tool with an HTTP client can send events.
  • Security: Each request is authenticated with a per-source token and, over HTTPS, both the token and the event payload are encrypted in transit.

Key features

Splunk HEC is a powerful tool for real-time data ingestion, especially useful in environments where data speed and security are critical.

  1. Real-Time Data Ingestion: sends data in real time directly to Splunk from applications, services, and devices.

  2. HTTP/HTTPS Protocol: Uses standard HTTP and HTTPS, making it easy to integrate a wide range of data sources.

  3. No Intermediate Files Needed: Eliminates intermediary log files, reducing latency and simplifying the ingestion path.

  4. Security: Token-based authentication, plus TLS encryption when HTTPS is used. Over plain HTTP the token travels in the clear, so HTTPS should be treated as mandatory outside a lab.

  5. Scalability: Handles large volumes of event data, making it suitable for enterprise applications and production environments.

  6. Flexible Configuration: A separate token can be issued for each data source, each with its own default index and sourcetype, so a single leaked token can be disabled without affecting the others.

Using Splunk Tokens

After logging in to your Splunk Cloud instance with your Splunk account credentials, go to the Splunk Cloud dashboard.

Select Settings > Data Inputs > HTTP Event Collector to see the list of tokens. Copy the token value to your clipboard to use it in your Sink.

The token authenticates every request to your Splunk Cloud instance. HEC expects it in the Authorization header of the HTTP request in the form "Authorization: Splunk <token>" (note the Splunk scheme, not Bearer). Treat the token as a credential: store it as a secret in the Sink configuration rather than in plain-text logs or scripts, and disable it in the same Settings page if it is exposed.


Using Docker

Below are step-by-step instructions for running Splunk with HEC in Docker, with the commands required. The server certificate is signed by a local CA created here, so keep ca.crt: the Sink (or any other client) needs it to verify the container's TLS certificate instead of disabling verification.

  • Pull the image:
    docker pull splunk/splunk:latest
  • Create the local CA key and certificate:
    openssl genrsa -out ca.key 2048
    openssl req -new -x509 -days 365 -key ca.key -out ca.crt \
      -subj "/C=US/ST=State/L=City/O=Organization/OU=Organizational Unit/CN=CA"
  • Save the following as openssl.cnf. The subjectAltName must list every name or IP the client will use to reach the container; a client connecting to "localhost" matches against DNS.1, not against the CN:
    [req]
    distinguished_name = req_distinguished_name
    req_extensions = req_ext
    prompt = no

    [req_distinguished_name]
    C = US
    ST = State
    L = City
    O = Organization
    OU = Organizational Unit
    CN = localhost

    [req_ext]
    subjectAltName = @alt_names

    [alt_names]
    IP.1 = your_local_ip
    DNS.1 = localhost
    DNS.2 = host.docker.internal
  • Create the server key and CSR, then sign the CSR with the CA. The -extensions/-extfile flags are what put the SAN into the signed certificate; openssl x509 -req does not copy extensions from the CSR on its own. The last command confirms the chain validates against ca.crt:
    openssl genrsa -out server.key 2048
    openssl req -new -key server.key -out server.csr -config openssl.cnf
    openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
      -out server.crt -extensions req_ext -extfile openssl.cnf
    openssl verify -CAfile ca.crt server.crt
  • Splunk reads the server certificate and its private key from a single PEM file:
    cat server.crt server.key > server.pem
  • Stage the files where the container will find them (the volume mount below maps ~/splunk/etc to /opt/splunk/etc). splunkd in the image runs as the unprivileged splunk user, so the staged files must be readable by it:
    mkdir -p ~/splunk/etc/auth ~/splunk/etc/system/local
    cp server.pem ~/splunk/etc/auth/server.pem
    cp server.key ~/splunk/etc/auth/server.key
    cp ca.crt ~/splunk/etc/auth/cacert.pem
  • Add to ~/splunk/etc/system/local/server.conf (sslRootCAPath belongs in the [sslConfig] stanza):
    [sslConfig]
    enableSplunkdSSL = true
    serverCert = /opt/splunk/etc/auth/server.pem
    sslRootCAPath = /opt/splunk/etc/auth/cacert.pem
    # sslPassword is only required when server.key is passphrase-protected.
    # The key generated above is not, so leave this commented out.
    # sslPassword = your_ssl_password
  • Add to ~/splunk/etc/system/local/web.conf:
    [settings]
    enableSplunkWebSSL = true
    privKeyPath = /opt/splunk/etc/auth/server.key
    serverCert = /opt/splunk/etc/auth/server.pem
  • Start the container. Port 8088 is the HEC listener; without publishing it the Sink cannot reach the collector at all:
    docker run -d \
      -e SPLUNK_START_ARGS='--accept-license' \
      -e SPLUNK_PASSWORD='your_splunk_password' \
      -v ~/splunk/etc:/opt/splunk/etc \
      -v ~/splunk/var:/opt/splunk/var \
      -p 8000:8000 \
      -p 8088:8088 \
      -p 8089:8089 \
      --name splunk splunk/splunk:latest
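Putting the token section and the Docker walkthrough together, the following is an added example, not code from this page, from Onum or from Splunk, of a client that sends HTTP events to the collector started above. It assumes HEC is enabled and published on port 8088 (the default HEC port), that the token came from Settings > Data Inputs > HTTP Event Collector as described earlier, and that ca.crt is the CA certificate created in the openssl steps. It shows the "Authorization: Splunk <token>" header, the newline-delimited JSON batch format HEC accepts, TLS verification pinned to the lab CA rather than disabled, and how to act on HEC's response codes instead of treating every non-200 the same way.

```python
"""Send HTTP events to Splunk HEC over TLS, verifying the lab CA.

Added example for this page, not code from Onum or Splunk. Assumptions the
page does not state: HEC is enabled and published on port 8088, the token was
created under Settings > Data Inputs > HTTP Event Collector, and ca.crt is the
CA certificate generated in the Docker walkthrough.
"""
import json
import ssl
import urllib.error
import urllib.request
from typing import Iterable, Optional

HEC_URL = "https://localhost:8088/services/collector/event"  # assumed; "localhost" is DNS.1 in the SAN
CA_FILE = "ca.crt"  # the lab CA, not the server certificate


def hec_headers(token: str) -> dict:
    """HEC uses the 'Splunk' authorization scheme, not 'Bearer'."""
    return {
        "Authorization": f"Splunk {token}",
        "Content-Type": "application/json",
    }


def hec_payload(events: Iterable[dict], sourcetype: str = "onum:http",
                index: Optional[str] = None, host: Optional[str] = None) -> bytes:
    """Serialize events as newline-delimited JSON so several ride in one request.

    The /services/collector/event endpoint accepts concatenated JSON objects;
    each object carries its metadata (sourcetype, index, host) beside the body.
    """
    lines = []
    for ev in events:
        record = {"sourcetype": sourcetype, "event": ev}
        if index:
            record["index"] = index
        if host:
            record["host"] = host
        lines.append(json.dumps(record, separators=(",", ":")))
    return "\n".join(lines).encode("utf-8")


def tls_context(ca_file: str) -> ssl.SSLContext:
    """Trust only the lab CA; never fall back to disabling verification."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.check_hostname = True  # the SAN must cover the host named in HEC_URL
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def classify_response(status: int, body: bytes) -> str:
    """Turn HEC's HTTP status and JSON 'code' into an actionable outcome.

    HEC codes: 0 success, 1 token disabled, 2 token required, 3 invalid
    authorization, 4 invalid token, 5 no data, 6 invalid data format,
    7 incorrect index, 9 server busy.
    """
    try:
        reply = json.loads(body.decode("utf-8") or "{}")
    except ValueError:
        reply = {}
    code = reply.get("code")
    if status == 200 and code == 0:
        return "accepted"
    if status in (401, 403):
        return "bad-token"    # rotate or re-enable the token; retrying will not help
    if status == 400:
        return "bad-payload"  # fix the JSON or index before resending
    if status == 503:
        return "hec-busy"     # retry with backoff
    return f"unexpected:{status}:{code}"


def send_events(token: str, events: Iterable[dict], url: str = HEC_URL,
                ca_file: str = CA_FILE, timeout: float = 10.0) -> str:
    """POST a batch of events to HEC and return the classified outcome."""
    req = urllib.request.Request(url, data=hec_payload(events),
                                 headers=hec_headers(token), method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout,
                                    context=tls_context(ca_file)) as resp:
            return classify_response(resp.status, resp.read())
    except urllib.error.HTTPError as err:
        # 4xx/5xx replies still carry HEC's JSON explanation in the body
        return classify_response(err.code, err.read())


if __name__ == "__main__":
    import sys

    token = sys.argv[1] if len(sys.argv) > 1 else "replace-with-your-hec-token"
    # Constructed sample event, not real traffic.
    sample = [{"method": "GET", "path": "/login", "status": 401, "src": "203.0.113.7"}]
    print(send_events(token, sample))
```

Run it as "python hec_send.py <token>" from the directory that holds ca.crt. If the SAN does not include the host named in HEC_URL, the handshake fails with a hostname mismatch before any event leaves the machine, which is the intended outcome: add the name to alt_names and re-sign the certificate rather than turning off check_hostname.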