Getting Data In

How to set up a Universal Forwarder to allow it to receive logs via the REST API?

sujitdmello
New Member

We have a Universal Forwarder (UF) installation on premises that collects logs from various UF Agents and sends them to Splunk Cloud.

But we also want to be able to send logs via an API to the forwarder. These are logs that are coming from other sources that don't have the agent. How do we set up the receiver on the universal forwarder to allow it to receive logs via the REST API ?

These are all Windows based.

0 Karma
1 Solution

gjanders
SplunkTrust
SplunkTrust

Perhaps you can use Set up and use HTTP Event Collector , it was built for this purpose...

Alerts for Splunk Admins https://splunkbase.splunk.com/app/3796/
Version Control for Splunk https://splunkbase.splunk.com/app/4355/

View solution in original post

0 Karma

gjanders
SplunkTrust
SplunkTrust

Perhaps you can use Set up and use HTTP Event Collector , it was built for this purpose...

Alerts for Splunk Admins https://splunkbase.splunk.com/app/3796/
Version Control for Splunk https://splunkbase.splunk.com/app/4355/

View solution in original post

0 Karma

sujitdmello
New Member

That's what I wanted to do but this is what is mentioned in the docs:

Note: Deploying HTTP Event Collector on a forwarder requires the use of a full Splunk Enterprise install configured as a forwarder—that is, a heavy forwarder. HTTP Event Collector is not supported on universal forwarders.

Sujit

0 Karma

gjanders
SplunkTrust
SplunkTrust

The documentation probably needs an update, I just tested on a 6.5.2 forwarder and it worked fine !

Alerts for Splunk Admins https://splunkbase.splunk.com/app/3796/
Version Control for Splunk https://splunkbase.splunk.com/app/4355/
0 Karma

gjanders
SplunkTrust
SplunkTrust

FYI I asked the development team via email and they said using the HEC on the universal forwarder is not currently a supported configuration even though it works...

Alerts for Splunk Admins https://splunkbase.splunk.com/app/3796/
Version Control for Splunk https://splunkbase.splunk.com/app/4355/
0 Karma

fred070
New Member

Agree that Splunk UF with HEC works via an unsecured connection.

Not working though, if using secured socket (it might require SSL Certificates)

0 Karma

sujitdmello
New Member

Thanks for the confirmation.

0 Karma
Register for .conf21 Now! Go Vegas or Go Virtual!

How will you .conf21? You decide! Go in-person in Las Vegas, 10/18-10/21, or go online with .conf21 Virtual, 10/19-10/20.