Splunk Enterprise

Heavy Forwarder with HTTPOUT.

vader13
Explorer

Does a Heavy Forwarder support output via HTTPOUT?

I've seen conflicting posts saying it's not supported and it is supported.
I've configured it and it never attempts to send any traffic.


vader13
Explorer

It appears this configuration will not work.
I have transitioned it to SC4S, which appears to be the only option.


PickleRick
SplunkTrust

We'd have to see your config to see why your httpout didn't work. In general it does work.

And SC4S is something completely different. You shouldn't receive syslog directly on an HF anyway.


vader13
Explorer

Configuration:

inputs.conf

[udp://1514]
connection_host = dns
host = SERVERA
sourcetype = pan:firewall

props.conf

[source::udp:1514]
TRANSFORMS-route = route_to_hec


transforms.conf

[route_to_hec]
REGEX = .
DEST_KEY = _HTTP_ROUTING
FORMAT = sandbox_hec


outputs.conf

[httpout]
defaultGroup = sandbox_hec
indexAndForward = false
disabled = false

[httpout:sandbox_hec]
httpEventCollectorToken = <omitted>
uri = https://something.something.com:443
sslVerifyServerCert = false
disabled = false



vader13
Explorer

In that setup, I had a packet capture running on the server (Win2022) and never saw it even attempt to connect to the HEC. I sent curls to the HEC and got good results from the same server.


PickleRick
SplunkTrust

OK. You can't have multiple httpout groups. It's not tcpout. At this point you have either tcpout (possibly multiple output groups) or a single httpout output. And there is no _HTTP_ROUTING key. It mistakenly appeared in the docs back around 7.something version but was removed since it was an error.

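As an added check (not from the thread, and not Splunk's own tooling), the following Python linter flags the problems PickleRick identifies in the posted config (the non-existent _HTTP_ROUTING key and the tcpout-style output groups) plus the disabled certificate verification; it assumes, per the outputs.conf spec, that httpout settings sit directly under a single [httpout] stanza, and the sample configs are constructed from the thread with a placeholder token.

```python
import configparser
# Constructed samples in the shape posted in the thread (the token is a placeholder).
SAMPLE_OUTPUTS = """\
[httpout]
defaultGroup = sandbox_hec
[httpout:sandbox_hec]
httpEventCollectorToken = <omitted>
uri = https://something.something.com:443
sslVerifyServerCert = false
"""
SAMPLE_TRANSFORMS = """\
[route_to_hec]
REGEX = .
DEST_KEY = _HTTP_ROUTING
FORMAT = sandbox_hec
"""
FIXED_OUTPUTS = """\
[httpout]
httpEventCollectorToken = <omitted>
uri = https://something.something.com:443
sslVerifyServerCert = true
"""

def parse_conf(text):
    """Parse an INI-style Splunk .conf into {stanza: {key: value}}, keeping key case."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return {s: dict(cp.items(s)) for s in cp.sections()}

def lint_httpout(outputs_text, transforms_text=""):
    """Return finding codes for the httpout mistakes discussed in the thread."""
    findings = []
    outputs, transforms = parse_conf(outputs_text), parse_conf(transforms_text)
    # _HTTP_ROUTING is not a real DEST_KEY, so the transform routes nothing.
    if any(st.get("DEST_KEY") == "_HTTP_ROUTING" for st in transforms.values()):
        findings.append("BAD_ROUTING_KEY")
    base = outputs.get("httpout", {})
    groups = [v for s, v in outputs.items() if s.startswith("httpout:")]
    # httpout is one output, not tcpout-style named groups picked by defaultGroup.
    if "defaultGroup" in base or groups:
        findings.append("GROUP_FORM")
    effective = dict(base)
    for g in groups:  # merge so the TLS check sees the settings wherever they sit
        effective.update(g)
    # Defaults to false; an unverified HEC cert lets an impostor collect the token.
    if effective.get("sslVerifyServerCert", "false").lower() in ("false", "0"):
        findings.append("TLS_VERIFY_OFF")
    return findings
```

Running the linter over the posted config yields all three findings, while FIXED_OUTPUTS (one stanza, verification on) yields none.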

vader13
Explorer

"You shouldn't receive syslog directly on an HF anyway."

Out of curiosity, why?

Here's my scenario:

I have one device type I'm receiving traffic from: Palo Alto Firewall (3-5 at the most). I'm not mixing multiple devices over the same port. I would never send the traffic to 514, because it is sitting behind the root user. It takes seconds to switch to a non-root port.

The traffic will be sent on UDP-1514, because if I send it on TCP-1514 I'll be restarting the syslog service on the Palo every other week.  Yes, this has been a problem with multiple environments and versions of PANOS.

I have a temporary need to capture ~90 days' worth of traffic. After that, the HF and the syslog will be shut down.

I am not trying to record all logs for posterity/security reasons.


What I need is something that can be set up in under an hour with minimal config and minimal server knowledge, and can run reliably for 90 days to ingest syslog and send it via HTTPS to the internet Splunk environment.



PickleRick
SplunkTrust

There are several cons to receiving syslog directly on a HF (or UF).

- it's more complicated to manage - Splunk doesn't reliably capture network-level metadata, so for receiving different types of sources you need to bend over backwards, use multiple ports and/or do strange things at index time.

- it's usually more resource intensive than using dedicated syslog daemons

- it's more robust to use a separate syslog component - especially with UDP transport, and especially with an HF, which can take significant time to restart when needed, causing holes in your received data.

In some situations (as yours might well be) it's "good enough", but I'd rather use a dedicated syslog component in prod.


VatsalJagani
SplunkTrust

@vader13 - You did not include the reference which mentions supported and not supported.

Also, I'm not sure what you are referring to with HTTPOUT.


vader13
Explorer

Let me clarify terms and be more specific:

S2S+TLS = Splunk to Splunk Protocol with TLS Encryption
HTTPS = HTTP Protocol with TLS Encryption

I would like to use the HTTP protocol with TLS to send data from a Heavy Forwarder to an HTTP Event Collector (HEC).
There are configuration options in the outputs.conf spec for doing this.

This post also says something similar:
How to send data to two output types, [tcpout] and... - Splunk Community

"It also states httpout is only supported on UFs but it works on HFs as well. I've tested with both httpout and tcpout but httpout will take precedence every time."


From everything I can tell, it never works. It doesn't even make an attempt to connect to the HEC (verified via packet capture).


vader13
Explorer

From this post: Heavy forwarder with httpout to indexer cluster - Splunk Community

"httpout is not a HEC output (although it needs an HEC input and valid HEC token; it's complicated). It's the S2S protocol embedded in HTTP transport. It is indeed a fairly recent invention mostly aimed at situations like yours - where it's easier (politically, not technically) to allow outgoing HTTP traffic (even if it's only pseudo-HTTP) than some unknown protocol."

Maybe, this is the correct explanation.
