When using the splunk_hec driver windows logs forward to Splunk are not reaching Splunk and are generating the following error message:
Server returned with a 4XX (client errors) status code, which means we are not authorized or the URL is not found.; url='http://YourServer:8088/services/collector/event', status_code='400', driver='d_splunk_hec#0', location='#buffer:4:3'
The following url() should be used in the splunk_hec configuration replacing with the server hostname of the Splunk server:
http://:8088/services/collector/raw
The string "event" is replaced with "raw" as seen above so the Windows logs can be parsed to Splunk.
© 2024 One Identity LLC. ALL RIGHTS RESERVED. Feedback Terms of Use Privacy Cookie Preference Center