HTTP Event Collector (HEC) configuration reference
The HTTP Event Collector (HEC) lets you send data and application events to your Splunk platform deployment over the HTTP and Secure HTTP (HTTPS) protocols. Data Manager creates HEC tokens for each of the following data sources:
Data Source | HEC token name |
---|---|
Amazon GuardDuty | data-manager-guardduty-{input_id} |
AWS Security Hub | data-manager-securityhub-{input_id} |
AWS IAM Access Analyzer | data-manager-iam-aa-{input_id} |
AWS CloudTrail | data-manager-cloudtrail-{input_id} |
AWS IAM credential report and metadata | data-manager-lambda-{input_id} |
AWS CloudWatchLogs | data-manager-cwl-{input_id} |

- Check if the HEC token has been created successfully. Each HEC token name has a Data Manager input ID in it. You can find the input_id from the URL in the Data Input Details page for that input.
- Check if the HEC token is in enabled state. If it is disabled, enable it.
- For CloudTrail, GuardDuty, SecurityHub, IAM Access Analyzer, and CloudWatch Logs, the HEC token must have indexer acknowledgement enabled.
- If any HEC token is missing for an input, delete the input. To learn more about deleting an input, see the Delete Your Data Inputs chapter in this manual.
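
The checks above can be run over an exported token listing. This is an added example, not Splunk or Data Manager code: it assumes the listing is JSON with an `entry` array whose items carry a `name` and a `content` object with `disabled` and `useACK` fields, and the sample data and the input ID `1a2b3c` are constructed.

```python
import json

# Token-name prefixes from the table above. The value records whether the page
# lists that source as requiring indexer acknowledgement.
ACK_REQUIRED = {
    "data-manager-guardduty-": True,
    "data-manager-securityhub-": True,
    "data-manager-iam-aa-": True,
    "data-manager-cloudtrail-": True,
    "data-manager-cwl-": True,
    "data-manager-lambda-": False,
}

def _truthy(value):
    # Exports may carry booleans or strings such as "1" / "true".
    return str(value).strip().lower() in ("1", "true")

def audit_hec_tokens(listing_json, input_id, prefixes):
    """Return {token_name: [problems]}; an empty list means the token passes."""
    found = {}
    for entry in json.loads(listing_json).get("entry", []):
        name = entry.get("name", "")
        if name.startswith("http://"):  # assumed stanza-style prefix
            name = name[len("http://"):]
        found[name] = entry.get("content", {})
    report = {}
    for prefix in prefixes:
        name = prefix + input_id
        if name not in found:
            report[name] = ["missing: delete the input"]
            continue
        problems = []
        if _truthy(found[name].get("disabled", False)):
            problems.append("disabled: enable the token")
        if ACK_REQUIRED[prefix] and not _truthy(found[name].get("useACK", False)):
            problems.append("indexer acknowledgement is off")
        report[name] = problems
    return report

# Constructed sample listing; the input_id "1a2b3c" is made up.
SAMPLE = json.dumps({"entry": [
    {"name": "http://data-manager-guardduty-1a2b3c", "content": {"disabled": False, "useACK": True}},
    {"name": "http://data-manager-cloudtrail-1a2b3c", "content": {"disabled": "1", "useACK": "0"}},
    {"name": "http://data-manager-lambda-1a2b3c", "content": {"disabled": False, "useACK": False}},
]})

if __name__ == "__main__":
    for token, problems in audit_hec_tokens(SAMPLE, "1a2b3c", list(ACK_REQUIRED)).items():
        print(token, "->", "; ".join(problems) or "OK")
```

Pass only the prefixes for the data sources configured on the input being checked; a token reported as missing for a source that was never configured is expected.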
This documentation applies to the following versions of Data Manager: 1.3.1