https://community.splunk.com/t5/Getting-Data-In/Splunk-Connect-4-Syslog-SC4S-with-HEC-in-a-Clustered-Environment/m-p/701293#M116060 <P>Hello,</P><P>I'm figuring out the best way to address the above situation. We do have a huge multisite cluster with 10 indexers on each site, a dedicated instance should act as the sc4s instance and send everything to a load balancer whose job will be to forward everything to the cluster.&nbsp;</P><P>now, there are several documentations about the implementation but I still can't wrap my head around the direct approach.&nbsp;</P><P>the SC4S config stanza would currently look something like this :<BR /><BR /></P><P>&nbsp;</P><LI-CODE lang="markup">[http://SC4S] disabled = 0 source = sc4s sourcetype = sc4s:fallback index = main indexes = main, _metrics, firewall, proxy persistentQueueSize = 10MB queueSize = 5MB token = XXXXXX</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>several questions about that tho:<BR />- I'd need to create a hec token first, before configuring SC4S, but in a clustered environment - where do I create the hec token? I've read that I should create it on the CM and then push it to the peers but how exactly? I can't find much info about the specifics. especially since I try to configure it via config files.. so an example of the correct stanza that has to be pushed out would be somehow great - just can't find any.&nbsp;</P><P>- once pushed I need to configure the sc4s on the other side including the generated token (as seen above), does the config here seem correct? theres a lack of example configs so I'm spitballing here a little bit.</P><P>&nbsp;</P><P>Kind regards</P> Tue, 08 Oct 2024 13:06:38 GMT avoelk 2024-10-08T13:06:38Z https://community.splunk.com/t5/Getting-Data-In/Splunk-Connect-4-Syslog-SC4S-with-HEC-in-a-Clustered-Environment/m-p/701293#M116060 <P>Hello,</P><P>I'm figuring out the best way to address the above situation. We do have a huge multisite cluster with 10 indexers on each site, a dedicated instance should act as the sc4s instance and send everything to a load balancer whose job will be to forward everything to the cluster.&nbsp;</P><P>now, there are several documentations about the implementation but I still can't wrap my head around the direct approach.&nbsp;</P><P>the SC4S config stanza would currently look something like this :<BR /><BR /></P><P>&nbsp;</P><LI-CODE lang="markup">[http://SC4S] disabled = 0 source = sc4s sourcetype = sc4s:fallback index = main indexes = main, _metrics, firewall, proxy persistentQueueSize = 10MB queueSize = 5MB token = XXXXXX</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>several questions about that tho:<BR />- I'd need to create a hec token first, before configuring SC4S, but in a clustered environment - where do I create the hec token? I've read that I should create it on the CM and then push it to the peers but how exactly? I can't find much info about the specifics. especially since I try to configure it via config files.. so an example of the correct stanza that has to be pushed out would be somehow great - just can't find any.&nbsp;</P><P>- once pushed I need to configure the sc4s on the other side including the generated token (as seen above), does the config here seem correct? theres a lack of example configs so I'm spitballing here a little bit.</P><P>&nbsp;</P><P>Kind regards</P> Tue, 08 Oct 2024 13:06:38 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-Connect-4-Syslog-SC4S-with-HEC-in-a-Clustered-Environment/m-p/701293#M116060 avoelk 2024-10-08T13:06:38Z https://community.splunk.com/t5/Getting-Data-In/Splunk-Connect-4-Syslog-SC4S-with-HEC-in-a-Clustered-Environment/m-p/701295#M116061 <P>Create an app to be pushed from the CM to the IDX tier and put in an inputs.conf file.</P><P><A href="https://docs.splunk.com/Documentation/Splunk/9.3.0/Admin/Inputsconf#HTTP_Event_Collector_.28HEC.29_-_Local_stanza_for_each_token" target="_blank">https://docs.splunk.com/Documentation/Splunk/9.3.0/Admin/Inputsconf#HTTP_Event_Collector_.28HEC.29_-_Local_stanza_for_each_token</A></P><LI-CODE lang="markup">[http://sc4s] token = XXXXX index = target-index-name ### This is the bare minimum I suggest ### SC4S may require a sourcetype, other vendor sources may already come with that value assigned</LI-CODE> Tue, 08 Oct 2024 13:17:18 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-Connect-4-Syslog-SC4S-with-HEC-in-a-Clustered-Environment/m-p/701295#M116061 dural_yyz 2024-10-08T13:17:18Z https://community.splunk.com/t5/Getting-Data-In/Splunk-Connect-4-Syslog-SC4S-with-HEC-in-a-Clustered-Environment/m-p/701356#M116069 <P><SPAN>Check out this link; it might be helpful for you.</SPAN></P><P><A href="https://community.splunk.com/t5/Getting-Data-In/Setting-up-HEC-HTTP-Event-Collector-in-a-indexer-cluster/m-p/560975/highlight/true#M92683" target="_blank" rel="noopener">https://community.splunk.com/t5/Getting-Data-In/Setting-up-HEC-HTTP-Event-Collector-in-a-indexer-cluster/m-p/560975/highlight/true#M92683</A></P> Tue, 08 Oct 2024 20:25:36 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-Connect-4-Syslog-SC4S-with-HEC-in-a-Clustered-Environment/m-p/701356#M116069 Jawahir 2024-10-08T20:25:36Z https://community.splunk.com/t5/Getting-Data-In/Splunk-Connect-4-Syslog-SC4S-with-HEC-in-a-Clustered-Environment/m-p/701360#M116070 <P>All "final" inputs that your LB balances traffic to need to have the same configuration so that they behave identically regardless of where your request is redirected - they have to have the same tokens defined, should set the same default metadata fields should they not be set by the sender, have the same queue parameters.</P><P>&nbsp;</P> Tue, 08 Oct 2024 21:10:26 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-Connect-4-Syslog-SC4S-with-HEC-in-a-Clustered-Environment/m-p/701360#M116070 PickleRick 2024-10-08T21:10:26Z