Splunk® Enterprise

Add AWS VPC Flow Log data: Distributed deployment with indexer clustering

Splunk Enterprise version 8.0 is no longer supported as of October 22, 2021. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk® Enterprise. For documentation on the most recent version, go to the latest release.

Configure Elastic Load Balancer settings

Configure an Elastic Load Balancer for the Splunk Add-on for Amazon Kinesis Firehose in an AWS Virtual Private Cloud.

ELBs are required. Application load balancers and network load balancers are not supported.

Create an elastic load balancer

Follow these steps to configure your ELB properly to receive data. For more detailed information about Elastic Load Balancers, see Elastic Load Balancing Documentation in the AWS documentation.

Prerequisites

  • Amazon Kinesis Firehose requires the HEC endpoint to be terminated with a valid CA-signed SSL certificate. Import your valid CA-signed SSL certificates to AWS Certificate Manager or AWS IAM before creating or modifying your elastic load balancer. See Configure Security Settings in the AWS documentation.

Steps

  1. Open the Amazon EC2 console.
  2. On the navigation pane, under Load balancing, select Load Balancers.
  3. Create a classic load balancer with the following parameters:
    | Field in Amazon Web Services ELB UI | Value |
    |---|---|
    | Select load balancer type | Classic load balancer |
    | Load balancer name | Name of your load balancer |
    | Load balancer protocol | HTTPS. Use the default or change the load balancer port. |
    | Assign or select a security group | The chosen security group needs to allow inbound traffic from the load balancer to the HTTP Event Collector port on the indexers. |
    | Configure security settings | Select the CA-signed SSL certificate that you imported in the prerequisites step. |
    | Health Check settings | Ping protocol: HTTPS; Ping port: 8088; Ping path: HTTPS:8088/services/collector/health/1.0; Timeout: 60 seconds; Interval: 300 seconds; Unhealthy threshold: 10; Healthy threshold: 2 |
    | Add EC2 instances | Add all indexers that you are using to index data with this add-on. |
  4. Click Review and create, and verify on the review page that your load balancer details are correct. After creating your elastic load balancer, modify the port configuration and the attributes as described below.

Modify an existing load balancer with the proper settings

Prerequisites

  • An elastic load balancer that has been configured with the correct basic settings. This includes setting the load balancer protocol to HTTPS and uploading a valid CA-signed SSL certificate.

Steps

  1. From the Load balancers page in the EC2 console, select your elastic load balancer with the basic settings already configured.
  2. Modify your load balancer with the following parameters:
    | Field in Amazon Web Services ELB UI | Value |
    |---|---|
    | Health Check settings | Ping protocol: HTTPS; Ping port: 8088; Ping path: HTTPS:8088/services/collector/health/1.0; Timeout: 60 seconds; Interval: 300 seconds; Unhealthy threshold: 10; Healthy threshold: 2 |
    | Port configuration | Under Edit stickiness, select Enable load balancer generated cookie stickiness. Leave expiration period blank. |
    | Attributes | Under Edit idle timeout, enter 600 seconds. |

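
To confirm that a load balancer still matches the settings in both procedures above, the check below compares its description against them. This is an added example, not code from Splunk or AWS: `audit_elb` and the sample data are hypothetical, and the input is assumed to follow the JSON shape returned by `aws elb describe-load-balancers` and `aws elb describe-load-balancer-attributes`.

```python
# Added example: audit a Classic ELB against the settings on this page.
# desc: one entry of LoadBalancerDescriptions (aws elb describe-load-balancers)
# attrs: LoadBalancerAttributes (aws elb describe-load-balancer-attributes)
EXPECTED_HEALTH = {
    "Target": "HTTPS:8088/services/collector/health/1.0",
    "Timeout": 60, "Interval": 300, "UnhealthyThreshold": 10, "HealthyThreshold": 2,
}

def audit_elb(desc, attrs):
    """Return findings; an empty list means the ELB matches the page."""
    findings = []
    https = [l for l in desc.get("ListenerDescriptions", [])
             if l["Listener"].get("Protocol") == "HTTPS"]
    if not https:
        findings.append("no HTTPS listener")
    sticky = {p["PolicyName"]: p for p in
              desc.get("Policies", {}).get("LBCookieStickinessPolicies", [])}
    for l in https:
        port = l["Listener"].get("LoadBalancerPort")
        if not l["Listener"].get("SSLCertificateId"):
            findings.append(f"listener {port}: no SSL certificate attached")
        attached = [sticky[n] for n in l.get("PolicyNames", []) if n in sticky]
        if not attached:
            findings.append(f"listener {port}: cookie stickiness not enabled")
        elif any(p.get("CookieExpirationPeriod") for p in attached):
            findings.append(f"listener {port}: stickiness expiration period is set")
    health = desc.get("HealthCheck", {})
    for key, want in EXPECTED_HEALTH.items():
        if health.get(key) != want:
            findings.append(f"health check {key}: {health.get(key)!r}, expected {want!r}")
    idle = attrs.get("ConnectionSettings", {}).get("IdleTimeout")
    if idle != 600:
        findings.append(f"idle timeout: {idle!r}, expected 600")
    return findings

# Constructed sample: HTTPS listener present, other settings not yet modified.
SAMPLE_DESC = {
    "ListenerDescriptions": [{
        "Listener": {"Protocol": "HTTPS", "LoadBalancerPort": 443,
                     "InstanceProtocol": "HTTPS", "InstancePort": 8088,
                     "SSLCertificateId": "arn:aws:acm:PLACEHOLDER"},
        "PolicyNames": [],
    }],
    "Policies": {"LBCookieStickinessPolicies": []},
    "HealthCheck": {"Target": "HTTPS:8088/services/collector/health/1.0",
                    "Timeout": 5, "Interval": 30,
                    "UnhealthyThreshold": 2, "HealthyThreshold": 10},
}
SAMPLE_ATTRS = {"ConnectionSettings": {"IdleTimeout": 60}}
```

Calling `audit_elb(SAMPLE_DESC, SAMPLE_ATTRS)` on the constructed sample reports the missing stickiness policy, the four health check values that differ, and the idle timeout.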
Last modified on 12 June, 2019

This documentation applies to the following versions of Splunk® Enterprise: 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10

