HEC HWF behind AWS Loadbalancer. ELB or ALB?

brent_weaver · ‎12-09-2020

Hello all. I am wondering what’s the best choice for putting the HTTP event collector behind an AWS load balancer. It would seem to me that an application load balancer would be appropriate for HTTP traffic, as opposed to a traditional load balancer.

thoughts?

MKozanic · ‎09-05-2022

Hi @brent_weaver,

Just wondering what you ended up using and how it went?

TheColorBlack · ‎09-15-2022

From personal experience I use application loadbalancers for all of my HEC endpoints exposed to the internet. Via loadbalancer configuration I expose TCP port 443 to the internet and forward TCP port 8088 (standard HEC port) to backend EC2 instances acting as Heavy Forwarders.

The security group attached to the loadbalancer allows inbound traffic from the external sources I expect (mainly AWS Kinesis Firehose address space) and the outbound portion of the security group rule allows communication with the subnets my EC2 instances sit in.

For healthcheck monitoring on the target group I monitor this endpoint "/services/collector/health" over HTTPS for successful HTTP response codes 200-299 with a 5 second timeout.

HEC HWF behind AWS Loadbalancer. ELB or ALB?

heavy forwarder

Devesh Logendran, Splunk, and the Singapore Cyber Conquest

There's No Place Like Chrome and the Splunk Platform

Customer Experience | Join the Customer Advisory Board!