Splunk Enterprise

The overview of my task is to send the live data logs from rsyslog to my Splunk UI to monitor it

Ramachandran
Explorer

I'm forwarding logs from an EC2 instance using rsyslog with the omhttp module to a Splunk HEC endpoint running on another EC2 instance (IP: 172.31.25.126) over *port 8088*. My rsyslog.conf includes:

```rsyslog
module(load="omhttp")
action(type="omhttp"
   server="172.31.25.126"
   port="8088"
   uri="/services/collector/event"
   headers=["Authorization: Splunk <token>"]
   template="RSYSLOG_SyslogProtocol23Format"
   queue.filename="fwdRule1"
   queue.maxdiskspace="1g"
   queue.saveonshutdown="on"
   queue.type="LinkedList"
   action.resumeRetryCount="-1"
)
```

### Problem:

Even though I've explicitly configured port 8088, I get this error:

 omhttp: suspending ourselves due to server failure 7: Failed to connect to 172.31.25.126 port 443: No route to host

It seems like omhttp is still trying to use *HTTPS (port 443)* instead of *plain HTTP on port 8088*.

---

### Questions:

1. How do I force the omhttp module to use HTTP instead of HTTPS?
2. Is there a configuration parameter to explicitly set the protocol scheme (http vs https)?
3. Is this behavior expected if I just set the port to 8088 without configuring the protocol?

Any insights or examples are appreciated. Thanks!

0 Karma

PickleRick
SplunkTrust

1. The parameter is indeed serverPort, not Port (and I'm a bit surprised that you didn't get an error about an unknown option for that action).

2. useHttps="on" is indeed the way to go to enable TLS on this module.

3. With HTTPS you will either need to disable peer certificate verification (strongly discouraged) or will need to provide proper CA.

4. For HEC you will need to provide a token:

httpheaderkey="Authorization"
httpheadervalue="Splunk your-token-value"

5. For performance, you will most probably want to send events in batches. For example:

batch="on"
batch.format="newline"
batch.maxsize="256"

6. For the /event endpoint you will need another template. Posting raw syslog to the /event endpoint will yield format errors. You need to render your event as JSON containing the raw message in the "event" field.

7. omhttp uses the restpath and checkpath options, not uri:

restpath="services/collector/event"
checkpath="services/collector/health"

8. Remember that if you're posting to the /event endpoint you're skipping timestamp recognition so if you're not providing it explicitly in the "time" field of your posted data, it will be assigned the time of ingestion.

Ramachandran
Explorer

Could you help me by guiding me through setting up this whole thing?

0 Karma

PickleRick
SplunkTrust

You got a lot of hints already. What have you compiled from them?

0 Karma

livehybrid
SplunkTrust

Hi @Ramachandran 

To force the omhttp module to use HTTP instead of HTTPS, you need to specify the usehttps parameter and set it to off.

action(type="omhttp"
   server="172.31.25.126"
   serverport="8088"
   usehttps="off"
   # omhttp has no "uri" parameter; the path is given as restpath
   restpath="services/collector/event"
   # omhttp has no "headers" parameter; the HEC token goes in httpheaderkey/httpheadervalue
   httpheaderkey="Authorization"
   httpheadervalue="Splunk <token>"
   template="RSYSLOG_SyslogProtocol23Format"
   queue.filename="fwdRule1"
   queue.maxdiskspace="1g"
   queue.saveonshutdown="on"
   queue.type="LinkedList"
   action.resumeRetryCount="-1"
)

The usehttps parameter controls whether the module uses HTTPS or HTTP to connect to the server. By default, it is set to on, which means HTTPS is used. Setting it to off will force the module to use HTTP.

Additionally, you should use serverport instead of port to specify the port number.

The behavior you're seeing is expected if you only set the port to 8088 without configuring the protocol because the default protocol is HTTPS.

https://www.rsyslog.com/doc/v8-stable/configuration/modules/omhttp.html

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing
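Putting PickleRick's eight hints and livehybrid's usehttps="off" fix together, here is a complete rsyslog configuration for the HEC /event endpoint. This is an added example, not code from either answer or from the rsyslog or Splunk projects; the template name hec_event, the sourcetype value, the error-file path and the <token> placeholder are assumptions, while the IP, port and queue settings are the ones from the question.

```rsyslog
# Added example: rsyslog -> Splunk HEC /event via omhttp.
# Assumed: template name hec_event, sourcetype "syslog", the error-file
# path and the <token> placeholder. IP and port are from the question.

module(load="omhttp")

# The /event endpoint expects JSON, not raw syslog. Render each message as
# {"time": ..., "host": ..., "sourcetype": ..., "event": {...}}.
# format="json" escapes quotes, backslashes and control characters, so a
# log line containing them cannot break out of the JSON string or smuggle
# extra top-level fields (e.g. a different "index") into the event.
# "time" carries the syslog timestamp as epoch seconds, so Splunk keeps the
# original event time instead of stamping the time of ingestion.
template(name="hec_event" type="list") {
  constant(value="{\"time\":")
  property(name="timereported" dateFormat="unixtimestamp")
  constant(value=",\"host\":\"")
  property(name="hostname" format="json")
  constant(value="\",\"sourcetype\":\"syslog\",\"event\":{\"message\":\"")
  property(name="msg" format="json")
  constant(value="\",\"program\":\"")
  property(name="programname" format="json")
  constant(value="\",\"facility\":\"")
  property(name="syslogfacility-text" format="json")
  constant(value="\",\"severity\":\"")
  property(name="syslogseverity-text" format="json")
  constant(value="\"}}")
}

action(type="omhttp"
  server="172.31.25.126"
  # "serverport", not "port"; "port" is not an omhttp parameter.
  serverport="8088"
  # Plain HTTP, as asked in the question (the default is HTTPS, which is
  # why the connection went to 443). The HEC token travels in the
  # Authorization header, so outside an isolated network set usehttps="on"
  # and tls.cacert="/path/to/ca.pem" rather than turning off certificate
  # verification.
  usehttps="off"
  # omhttp uses restpath/checkpath (no leading slash), not "uri".
  restpath="services/collector/event"
  checkpath="services/collector/health"
  # Token header; omhttp has no "headers" parameter.
  httpheaderkey="Authorization"
  httpheadervalue="Splunk <token>"
  template="hec_event"
  # Send newline-delimited JSON events, up to 256 per POST.
  batch="on"
  batch.format="newline"
  batch.maxsize="256"
  # Batches HEC rejects are written here instead of vanishing silently.
  errorfile="/var/log/rsyslog/omhttp-hec-errors.log"
  # Disk-assisted queue so events survive a HEC outage or rsyslog restart.
  queue.type="LinkedList"
  queue.filename="fwdRule1"
  queue.maxdiskspace="1g"
  queue.saveonshutdown="on"
  action.resumeRetryCount="-1"
)
```

Validate the syntax with `rsyslogd -N1` before restarting the daemon, and watch the error file: an HEC response such as "Invalid data format" means the template did not produce the JSON the /event endpoint expects, whereas a 403 points at the token or the header.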

Ramachandran
Explorer

Thanks for suggesting this, bro.
Let me try this once and let you know the result.

0 Karma