HTTP Event Collector (HEC) configuration reference
The HTTP Event Collector (HEC) lets you send data and application events to your Splunk platform deployment over the HTTP and Secure HTTP (HTTPS) protocols. Data Manager creates HEC tokens for each of the following data sources:
Data Source | HEC token name |
---|---|
AWS Cloudtrail | data-manager-cloudtrail_<input_id>
|
Amazon GuardDuty | data-manager-guardduty_<input_id>
|
AWS Security Hub | data-manager-security_<input_id>
|
AWS IAM Access Analyzer | data-manager-iam-aa_<input_id>
|
AWS IAM credential reports and metadata | data-manager-iam-cr_<input_id>
|
AWS CloudWatchLogs | data-manager-cwl_<input_id>
|
AWS Lambdas | data-manager-lambda_<input_id>
|
Azure Active Directory | data-manager-azure-ad_<input_id>
|
Azure Activity Logs | data-manager-azure-activity_<input_id>
|
Google Cloud Platform | data-manager-gcp-cloud-logging_<input_id>
|
- The
<input_id>
in each token is a placeholder. It will be replaced by a real input id. For example,data-manager-gcp-cloud-logging_<input_id>
would bedata-manager-gcp-cloud-logging_f7b76892-f3f3-4103-8008-5f07202a2b97
. - Check if the HEC token has been created successfully. Each HEC token name has a Data Manager input ID in it. You can find the
input_id
from the URL in the Data Input Details page for that input. - Check if the HEC token is in enabled state. If it is disabled, enable it.
- For CloudTrail, GuardDuty, SecurityHub, IAM Access Analyzer, and CloudWatch Logs, the HEC token must have indexer acknowledgement enabled.
- If any HEC token is missing for an input, delete the input. To learn more about deleting an input, see the Delete Your Data Inputs chapter in this manual.
Azure Inputs Health | Version management in Data Manager |
This documentation applies to the following versions of Data Manager: 1.6.0
Feedback submitted, thanks!