topic Re: Routing received data TO an external HEC via HTTPS? in Getting Data In

Routing received data TO an external HEC via HTTPS?

Beaker77 — Wed, 20 Dec 2017 02:10:49 GMT

Is it possible to route a stream of data from a heavy forwarder or indexer TO an external non-Splunk HTTPS endpoint (HEC)? We have the requirement to forward off a subset of data to a third-party that has a HEC-equivalent endpoint, but need to do so securely (and be selective about what we send)

Any help greatly appreciated!

Re: Routing received data TO an external HEC via HTTPS?

abhijeet01 — Wed, 20 Dec 2017 07:07:30 GMT

Hi Beaker77,

Kindly check the below link, it will help you for the same.

http://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Forwarddatatothird-partysystemsd

Re: Routing received data TO an external HEC via HTTPS?

Beaker77 — Wed, 20 Dec 2017 23:04:09 GMT

Hi @abhijeet01 - Thanks for that. Unfortunately this covers only a raw TCP stream or forwarding to a Syslog server, and is restricted to a server:port target as opposed to a HTTPS or REST-based endpoint.

Also, because the endpoint is not Splunk, sendCookedData must be set to false, and (as far as I am aware) this will result in the data being sent in cleartext which is not an option (at minimum we require HTTPS/TLS1.2)