All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How you can send Fire-eye data using HEC methood

Splunk_rocks
Path Finder
‎12-20-2019 11:03 AM

Hello Splunkers,

Im posting this answers here since lack of documentation from splunk side to get fire-eye data using HEC method.

Step1 - Generate HEC token in your splunk side as normal way and select index and sourcetype etc..

Step2 - Go fire-eye console and use below settings to update
a. Under Appliance Settings > Notifications > HTTP, configure a new HTTP Server as follows..

 URL: https:///services/collector/raw
 Auth: True
 Username: x
 Password: Splunk token generated in Step 1
 SSL Enable: True
Test the Integration
Run a test on an endpoint that would trigger an XPLT, EXC or PRS alert
Alternatively, you can also test with the following curl command:
curl -k -u "x:" https://10.xx.250.12:8088/services/collector/raw -d '{"event":"Basic Auth!"}'

I hope this answer will help other splunkers on fire-eye data issues through HEC method.

0 Karma
Reply
Get Updates on the Splunk Community!

Aligning Observability Costs with Business Value: Practical Strategies

 Join us for an engaging Tech Talk on Aligning Observability Costs with Business Value: Practical ...

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...

Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0

Did you know that for Splunk Enterprise 9.4, Python 3.9 is the default interpreter? This shift is not just a ...