Splunkforwarder HEC input/output to another splunk...

fsource · ‎04-14-2021

Hello,

i'm triing to use an UF to forward HEC from internet data to another UF in our DMZ

look like :

httplistner input (UF1) httpout output --> httplistner input (UF2 in DMZ) S2S output --> Splunk enterprise in lan

if i curl both of http listener i got success,

curl -k -u "x:TOKEN" "https://UF1:8088/services/collector/event" -d '{"event": "Hello, world!"}'
{"text":"Success","code":0}

curl -k -u "x:TOKEN" "https://UF2:8088/services/collector/event" -d '{"event": "Hello, world!"}'
{"text":"Success","code":0}

But i got events in my splunk indexeur only on the second curl, the first one look like the output never forward to the UF2...

Nothing in both uf1-2 logs about errors.

My /opt/splunkforwarder/etc/system/local/outputs.conf on UF1 look like:

[tcpout]
defaultGroup = default-autolb-group
disabled = 1

[httpout]
disabled = 0
httpEventCollectorToken = MYTOKEN
uri = https://UF2-IP:8088
batchSize = 65536
batchTimeout = 5

Thks for help !!

Flo V.

Splunkforwarder HEC input/output to another splunkforwarder

universal forwarder

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!