Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

HTTP Event Collector for SC4S is giving Error Message

mosaddek
Observer
‎03-08-2026 01:23 AM

We have configured a Splunk Enterprise distributed environment with the following components:

  • 2 Search Heads (SH)

  • 2 Indexers (IDX)

  • 1 Management Node (acting as Cluster Manager, License Manager, and Deployer)

  • 1 Heavy Forwarder (HF)

  • 1 Deployment Server (DS)

  • 1 SC4S instance

During the SC4S configuration, we are seeing errors in Splunk searches indicating that logs are not being properly forwarded through the HTTP Event Collector (HEC).

Below are some of the events we see in the sc4s:event sourcetype:

- - syslog-ng 139 - [meta sequenceId="8133"]
Server disconnected while preparing messages for sending, trying again;
driver='d_hec_fmt#0', location='root generator dest_hec:5:5',
worker_index='0', time_reopen='10', batch_size='84'

host = splunk-sys01
source = sc4s
sourcetype = sc4s:events
 
- - syslog-ng 139 - [meta sequenceId="8131"]
http: Server returned with a 4XX (client errors) status code, which means we are not authorized or the URL is not found;
url='https://192.168.44.94:8088/services/collector/event',
status_code='403',
response='{"text":"Invalid token","code":4}',
driver='d_hec_fmt#0', location='root generator dest_hec:5:5'

host = splunk-sys01
source = sc4s
sourcetype = sc4s:events
 

We have already:

  • Enabled HEC on the Splunk side

  • Configured the HEC token

  • Added the token and HEC endpoint in the SC4S env_file Restarted the SC4S service

However, the logs indicate HTTP 403 – Invalid token errors when SC4S attempts to send events to the HEC endpoint.

Question

What could be causing the Invalid Token (HTTP 403) error in this setup, and what troubleshooting steps should we follow to resolve the issue so that SC4S can successfully forward logs to the indexers?

Screenshot 2026-03-08 150544.png

Screenshot 2026-03-08 103818.png"

Labels (1)
Labels
0 Karma
Reply

livehybrid
SplunkTrust
SplunkTrust
‎03-10-2026 11:07 PM

Hi @mosaddek 

Can you confirm the variable name used in SC4S env_file for the token please?

Also can you confirm you're using the GUID for the HEC token and not the name of it? The token should be something like d79f596e-2b07-46dc-a7e1-320d1e086580

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

0 Karma
Reply

mosaddek
Observer
‎03-09-2026 08:28 PM

Solved the Problem by creating the HEC in CM, and push it to all the Indexers.

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎03-08-2026 02:40 PM

1. Why do you have a deployer if you have just two SHs (so no SH cluster).

2. Have you checked manually if you can post an event to your HEC endpoint? https://help.splunk.com/en/splunk-enterprise/get-data-in/collect-http-event-data/http-event-collecto...

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...