HEC HTTP Event Collector not listening remotely on port 8088

lwilliamcap
New Member

I have been trying to implement the HTTP Event Collector. Initially I set up Splunk Enterprise On-Premise on a Windows VM on Azure and tried to implement the HTTP Collector following the Splunk documentation below, and although I could post locally, I was unable to post from a remote location. I set up the appropriate security groups to allow 8088 and updated the firewall to allow 8088, but I couldn't post to the HEC remotely.

http://docs.splunk.com/Documentation/Splunk/7.1.2/Data/HECWalkthrough
docs.splunk.com_Documentation_Splunk_7.1.2_Data_HECWalkthrough (sorry for the formatting, don't have enough Karma points for link)

I then tried to use the AWS Marketplace Splunk Enterprise AMI Image thinking it might not have the same issue and tried to implement the HTTP Event Collector.

I have set up a test as per the documentation, enabling HEC and setting up a token and this is what I am experiencing.

If I post to the collector locally it works, but if I try to post the same remotely (obviously with the correct IP rather than localhost) it doesn't work.

In AWS my NACL for the subnet currently allows all traffic and I have a security group attached to the instance that allows port 8000/8088 inbound. 8000 is working as I can get to the admin page and can telnet on port 8000, but I'm unable to telnet to port 8088 remotely (works locally).

[ec2-user@ip-10-0-1-156 ~]$ netstat -lnt
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:8089 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:8191 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:8000 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:8065 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:57137 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:8088 0.0.0.0:* LISTEN
tcp 0 0 :::33667 :::* LISTEN
tcp 0 0 :::111 :::* LISTEN
tcp 0 0 :::22 :::* LISTEN

Does anyone know if I'm missing a step or where I might be going wrong?

Thanks

0 Karma
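One way to read the netstat output above mechanically, as an added example that is not part of the original post or of Splunk's tooling: it classifies each port as bound on all interfaces or on loopback only. A listener on 0.0.0.0 accepts connections on every IPv4 interface, so in the posted output 8088 is bound the same way as the reachable port 8000, unlike 8065 and 25. The function names `sample_netstat`, `bind_scope` and `report` are hypothetical, and port 9999 is a constructed value for a port with no listener.

```shell
#!/bin/sh
# Added example (not from the original post): classify how TCP ports are
# bound, using `netstat -lnt` output read from stdin.

# Sample input: listener lines copied from the netstat output in the post.
sample_netstat() {
cat <<'EOF'
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:8089 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:8000 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:8065 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:8088 0.0.0.0:* LISTEN
tcp 0 0 :::22 :::* LISTEN
EOF
}

# bind_scope PORT: prints all-interfaces, loopback-only, specific:<addr>
# or not-listening for the given port.
bind_scope() {
    awk -v port="$1" '
        $NF != "LISTEN" { next }               # skip header and non-listener lines
        {
            n = split($4, parts, ":")          # port is the last ":"-separated field
            if (parts[n] != port) next
            addr = substr($4, 1, length($4) - length(parts[n]) - 1)
            if (addr == "0.0.0.0" || addr == "::") any = 1
            else if (addr == "127.0.0.1" || addr == "::1") loopback = 1
            else specific = addr
        }
        END {
            if (any) print "all-interfaces"
            else if (specific != "") print "specific:" specific
            else if (loopback) print "loopback-only"
            else print "not-listening"
        }
    '
}

# Report the ports discussed in the post, plus 9999 (constructed, no listener).
report() {
    for p in 8000 8088 8065 25 9999; do
        printf '%s %s\n' "$p" "$(sample_netstat | bind_scope "$p")"
    done
}

report
```

On the Splunk host itself, `netstat -lnt | bind_scope 8088` runs the same check against live output.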

divvit
New Member

Are you able to solve your problem? Please share your solution.

0 Karma