Getting Data In

HEC HTTP Event Collector not listening remotely on port 8088

lwilliamcap
New Member

I have been trying to implement the HTTP Event Collector, initially I setup Splunk Enterprise On-Premise on a Windows VM on Azure and tried to implement the HTTP Collector following the Splunk documentation below and although I could post locally I was unable to post from a remote location. I setup the appropriate security groups to allow 8088 and updated the firewall to allow 8088 but I couldn't post to the HEC remotely.

http://docs.splunk.com/Documentation/Splunk/7.1.2/Data/HECWalkthrough
docs.splunk.com_Documentation_Splunk_7.1.2_Data_HECWalkthrough 9sorry for the formatting, don't have enough Karma points for link)

I then tried to use the AWS Marketplace Splunk Enterprise AMI Image thinking it might not have the same issue and tried to implement the HTTP Event Collector.

I have set up a test as per the documentation, enabling HEC and setting up a token and this is what I am experiencing.

If I post to the collector locally it works but if I try to post the same remotely (obviously with the correct IP rather than localhost) it doesn't work.

In AWS my NACL for the subnet currently allows all traffic and I have a security group attached to the instance that allows port 8000/8088 inbound. 8000 is working as I can get to the admin page and can telnet on port 8000 but I'm unable to telnet to port 8088 remotely (works locally)

[ec2-user@ip-10-0-1-156 ~]$ netstat -lnt
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:8089 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:8191 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:8000 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:8065 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:57137 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:8088 0.0.0.0:* LISTEN
tcp 0 0 :::33667 :::* LISTEN
tcp 0 0 :::111 :::* LISTEN
tcp 0 0 :::22 :::* LISTEN

Does anyone know if I'm missing a step or where I might be going wrong?

Thanks

Tags (1)
0 Karma

divvit
New Member

are you able to solve your problem. please share your solution

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...