Thanks. 

Could you elaborate?

My understanding is that  [httpout] will tunnel s2s over http to a HEC on the server.

This give us one-way communication possible, since the diode accepts the http-session and closes it with a "200 ok"-reply.

I mean that normally HEC input expects separate events in one of supported formats and you can see (as long as you decode the transport layer) the payload in clear text. httpout indeed does some magic to send s2s over HTTP but the contents are not readable in plain and cannot easily be manipulated. S2S can send both cooked and parsed data and as far as I remember also supports some in-transit compression. It also supports acknowledging within this protocol (not on a separate endpoint as with HEC).

Thanks for the explanation! 

Sending s2s over http works fine for us, and especially since log data can't be manipulated in-flight. 

Yes. s2s over http works relatively OK in a standard environment and over proxies/LB and such (that's why it was introduced I think - it's way easier for customers to allow outgoing http traffic to Cloud than to open ports to some unknown protocol - raises much less questions). But there is no guarantee that it will work when you try to manipulate the payload.

Thanks, that's what I've found as well. 

I did tunnel the data through a nginx reverse-proxy, and that forwarded the data as "complete" and not "chunked". 

The problem is that this will change the design of the network, and will require a new approval. So any workaround that don't require design-changes would be great.

//Johan