Using the Splunk HTTP Event Collector with Layer8Insight

The Layer8Insight data forwarding service can package and transmit Layer8Insight data in a variety of formats over multiple protocols.

There are situations where the Splunk HTTP Event Collector is the preferred method for getting data from an end-user system to Splunk, e.g., encrypting data in transit without using the Splunk Universal Forwarder.

Layer8Insight and the Splunk HTTP Event Collector are easily configured to support this architecture.

First, set up the Splunk HTTP Event Collector in your Splunk instance. See this page for details about the configuration process. Make note of the web address/URL for your instance. You will also need to create, and make note of, the authorization token that is to be used for Layer8Insight data.

Next, configure the Layer8Insight data forwarder to send data to the Splunk HTTP Event Collector. The corresponding configuration details are below. This assumes you want to use HTTPS to get the benefits of encryption in transit. Change the "Protocol" and "URL" fields to HTTP if encryption is not desired.

In the Layer8Insight configuration file (C:\<32-bit_PROGRAM_FILES>\OctoInsight\Layer8Insight\config.ini), set the output options as follows. You must provide the Splunk HTTP Event Collector address, port, and authorization token specific to your Splunk configuration.

[DataOutput#1]
DataCollectionScope=All
Protocol=SPLUNKHTTPS
DataFormat=SPLUNKJSON
URL=https://<INSERT_HEC_ADDRESS_AND_PORT>/services/collector/event
Authorization=Splunk XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
sourcetype=layer8:hecjson
source=layer8:https:json
index=layer8

Note that the fields "sourcetype", "source" and "index" can be changed if need be. The "source" and "index" fields can be omitted, assuming the Splunk receiver is configured to set those values appropriately.
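The following added example (not part of this article or the Layer8Insight product) shows how the [DataOutput#1] settings above map onto an actual HTTP Event Collector request, and checks the two things most often wrong in such a section before the forwarder is rolled out: the "Protocol" value disagreeing with the URL scheme (an HTTPS protocol setting with an http:// URL, or a plain http:// URL that sends events in cleartext) and a malformed "Authorization" token. The config text, the host name, and the token GUID are constructed placeholders; the request shape (POST to /services/collector/event, an "Authorization: Splunk <token>" header, and a JSON body with "event", "sourcetype", "source" and "index" keys) is Splunk's documented HEC event format.

```python
import configparser
import json
import re
import ssl
import urllib.request
from urllib.parse import urlparse

# Constructed sample of the [DataOutput#1] section from the article.
# The host and token are placeholders, not real deployment values.
SAMPLE_CONFIG = """
[DataOutput#1]
DataCollectionScope=All
Protocol=SPLUNKHTTPS
DataFormat=SPLUNKJSON
URL=https://hec.example.internal:8088/services/collector/event
Authorization=Splunk 12345678-1234-1234-1234-123456789abc
sourcetype=layer8:hecjson
source=layer8:https:json
index=layer8
"""

# HEC tokens are GUIDs; the header value is "Splunk <GUID>".
TOKEN_RE = re.compile(r"^Splunk [0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
HEC_EVENT_PATH = "/services/collector/event"


def load_output_section(text, section="DataOutput#1"):
    """Parse forwarder config text and return one output section as a dict.
    configparser lowercases keys, so "URL" becomes "url"."""
    parser = configparser.ConfigParser()
    parser.read_string(text)
    return dict(parser[section])


def check_output_section(cfg):
    """Return a list of problems found in the section; an empty list means it is consistent."""
    problems = []
    proto = cfg.get("protocol", "")
    url = urlparse(cfg.get("url", ""))
    if proto == "SPLUNKHTTPS" and url.scheme != "https":
        problems.append("Protocol=SPLUNKHTTPS but URL does not start with https://")
    if url.scheme == "http":
        problems.append("URL uses http://, so events and the HEC token travel in cleartext")
    if url.path != HEC_EVENT_PATH:
        problems.append(f"URL path must be {HEC_EVENT_PATH}")
    if not TOKEN_RE.match(cfg.get("authorization", "")):
        problems.append("Authorization must be 'Splunk <HEC token GUID>'")
    if cfg.get("dataformat") != "SPLUNKJSON":
        problems.append("DataFormat must be SPLUNKJSON for the HEC event endpoint")
    return problems


def build_hec_payload(cfg, event, epoch_time):
    """Build the JSON object HEC expects. "source" and "index" are only sent when
    the section sets them, matching the article's note that they may be omitted."""
    payload = {"time": epoch_time, "sourcetype": cfg["sourcetype"], "event": event}
    for key in ("source", "index"):
        if cfg.get(key):
            payload[key] = cfg[key]
    return payload


def build_hec_request(cfg, event, epoch_time):
    """Return (url, headers, body_bytes) for one HEC event POST."""
    headers = {
        "Authorization": cfg["authorization"],
        "Content-Type": "application/json",
    }
    body = json.dumps(build_hec_payload(cfg, event, epoch_time)).encode("utf-8")
    return cfg["url"], headers, body


def send_event(cfg, event, epoch_time):
    """POST one event to HEC, verifying the server certificate (not called here; needs a live HEC)."""
    url, headers, body = build_hec_request(cfg, event, epoch_time)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    ctx = ssl.create_default_context()  # validates the HEC certificate chain
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return json.loads(resp.read().decode("utf-8"))


if __name__ == "__main__":
    cfg = load_output_section(SAMPLE_CONFIG)
    for problem in check_output_section(cfg):
        print("config problem:", problem)
    url, headers, body = build_hec_request(cfg, {"user": "alice", "app": "excel.exe"}, 1700000000)
    print(url, headers["Content-Type"], body.decode())
```

Run the checker against the real config.ini before enabling the output; a "config problem" line pointing at the http:// scheme means the forwarder would send the token and the endpoint data unencrypted, which is exactly what choosing SPLUNKHTTPS is meant to avoid.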
