I am trying to onboard Retina logs through HTTP Event Collector; however, I am not having any luck with it.
The firewall has been opened, and I can see the traffic being allowed, but it is not reaching the HEC.
We can see the below error when we try:
SplunkClient.SendApiRequest failed with error 'The remote server returned an error:(404) Not Found'.
Not sure where the issue is; we have tried a couple of different endpoints. However, I can use curl to send data. Has anyone onboarded data through HTTP Event Collector for BeyondTrust Retina?
Well, I don't own the BeyondTrust application. However, they provided me access to the console to troubleshoot. I just needed to add the following on the configuration page of BT:
Then at the bottom they had a panel to checkmark what to send, or something similar.
Ahh, yeah, I don't see the configuration page on BT. Unless you are referring to Tools-->Alerting-->Actions, but that doesn't have anything Splunk related other than the host value to send to.
I believe that since the data does not come through raw, it is considered already "cooked" and no index-time extractions can be applied. We are missing a severity field, and the timestamp is 4 hours off. This is using the Splunk HEC connector. We might have to default back to syslog! Thanks for the help!
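The last post describes two symptoms of HEC-delivered data that is already "cooked": no index-time extraction for a severity field, and a timestamp that lands four hours off. Both can be handled on the sending side with the JSON event endpoint (`/services/collector/event`), which accepts an explicit epoch `time` and an indexed `fields` object per event. The script below is an added example and is not code from any poster in this thread or from BeyondTrust or Splunk. The log line layout, the `host`/`sourcetype`/`index` values, the UTC-4 source zone, the HEC URL and the token are all constructed assumptions; adjust them to the real appliance and deployment.

```python
import json
import re
from datetime import datetime, timedelta, timezone
from urllib import request

# Constructed sample lines in a hypothetical layout (NOT a real Retina export
# format): a wall-clock timestamp with no zone, a severity word, then a message.
SAMPLE_LINES = [
    "2019-06-12 14:03:21 HIGH Missing patch detected on host-a",
    "2019-06-12 14:03:25 LOW Scan completed on host-b",
]

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<severity>\w+) (?P<msg>.*)$"
)

# Assumption: the appliance writes local time in UTC-4 (US Eastern daylight time).
# A zone-less timestamp read as UTC by the indexer is exactly four hours off,
# which matches the symptom in the thread; attaching the zone here fixes it.
SOURCE_TZ = timezone(timedelta(hours=-4))


def parse_line(line):
    """Split one constructed log line into epoch seconds, severity and message."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised line: {line!r}")
    local = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=SOURCE_TZ)
    return {"epoch": local.timestamp(), "severity": m["severity"], "msg": m["msg"]}


def build_hec_event(line, host="retina-appliance", sourcetype="beyondtrust:retina",
                    index="security"):
    """Build one HEC JSON event. host/sourcetype/index defaults are assumptions."""
    parsed = parse_line(line)
    return {
        # Explicit epoch: HEC indexes this time instead of the arrival time.
        "time": parsed["epoch"],
        "host": host,
        "sourcetype": sourcetype,
        "index": index,
        "event": parsed["msg"],
        # Indexed field supplied by the sender, so no index-time extraction is needed.
        "fields": {"severity": parsed["severity"]},
    }


def build_batch(lines):
    """HEC accepts several JSON objects concatenated in a single POST body."""
    return "".join(json.dumps(build_hec_event(line)) for line in lines)


def send_batch(hec_url, token, body):
    """POST a batch to the HEC event endpoint; returns (status, response body)."""
    req = request.Request(
        hec_url,
        data=body.encode("utf-8"),
        headers={"Authorization": f"Splunk {token}",
                 "Content-Type": "application/json"},
        method="POST",
    )
    with request.urlopen(req, timeout=10) as resp:
        return resp.status, resp.read().decode("utf-8")


if __name__ == "__main__":
    batch = build_batch(SAMPLE_LINES)
    print(batch)
    # Placeholder URL and token; the path must be /services/collector/event for
    # JSON-mode events (a wrong path is one common cause of a 404 from HEC).
    # send_batch("https://splunk.example.com:8088/services/collector/event",
    #            "<HEC_TOKEN>", batch)
```

Fields sent this way show up as indexed fields on the event, so a search such as `severity=HIGH` works without any props/transforms configuration for the sourcetype. If the appliance cannot be made to emit a zone or you cannot put a relay like this in front of HEC, the alternative is setting `TZ` on the sourcetype in `props.conf`, which HEC does honour for timestamp parsing when no `time` field is supplied.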