HTTPS connections, as well as password- and certificate-based authentication, are supported. The content of the events is sent in JSON format.
destination d_splunk_hec {
    splunk_hec(
        # mandatory
        index("<splunk-index-to-store-messages>")
        token("<event-collector-tokens>")
        url("http://your-splunk-server:8088/services/collector/event")
    );
};
On your Splunk deployment, you must enable HTTP Event Collector (HEC).
On your Splunk deployment, you must create a token for syslog-ng PE. You must use this token in the token() option of your splunk-hec() destination. We recommend using the syslog source type for the token.
For details, see Set up and use HTTP Event Collector in Splunk Web.
The following example defines a splunk-hec() destination.
destination d_splunk_hec {
    splunk_hec(
        # mandatory
        index("<splunk-index-to-store-messages>")
        token("<event-collector-tokens>")
        url("http://your-splunk-server:8088/services/collector/event")
        # optional
        batch_lines(25)
        workers(4)
        source("syslog-ng")
        sourcetype("${.app.name:-syslog}")
        delimiter("\n")
        time("$S_UNIXTIME.$S_MSEC")
        host("$HOST")
        event("$S_ISODATE $HOST $MSGHDR$MSG\n")
        timeout(10)
    );
};
log { source(s_file); destination(d_splunk_hec); flags(flow-control); };
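To show what the destination above actually puts on the wire, here is an added Python example (not syslog-ng PE code) that renders constructed syslog records with the same template options into HEC JSON events, joins them into batches the way batch_lines() and delimiter() do, and builds the POST request with the Splunk token header. The record field names and the https-only check in hec_request() are assumptions of this example; the page's own snippet uses a plain http:// url.

```python
import json
import urllib.request
from urllib.parse import urlparse

# Constructed sample records, shaped like the syslog-ng macros the example
# destination references ($S_UNIXTIME, $S_MSEC, $S_ISODATE, $HOST, $MSGHDR, $MSG, ${.app.name}).
SAMPLE_RECORDS = [
    {"unixtime": 1700000000, "msec": 123, "isodate": "2023-11-14T22:13:20+00:00",
     "host": "web01", "msghdr": "sshd[2231]: ", "app": "sshd",
     "msg": "Accepted publickey for alice from 10.0.0.5 port 51022"},
    {"unixtime": 1700000001, "msec": 7, "isodate": "2023-11-14T22:13:21+00:00",
     "host": "web01", "msghdr": "kernel: ", "app": "", "msg": "eth0: link up"},
]

def hec_event(rec, index, source="syslog-ng"):
    """Render one record into the JSON object HEC expects, mirroring the
    template options of the example destination (comments name the option)."""
    return {
        "time": f"{rec['unixtime']}.{rec['msec']:03d}",   # time("$S_UNIXTIME.$S_MSEC")
        "host": rec["host"],                              # host("$HOST")
        "source": source,                                 # source("syslog-ng")
        "sourcetype": rec["app"] or "syslog",             # sourcetype("${.app.name:-syslog}")
        "index": index,                                   # index(...)
        "event": f"{rec['isodate']} {rec['host']} {rec['msghdr']}{rec['msg']}\n",  # event(...)
    }

def hec_batch(records, index, batch_lines=25, delimiter="\n"):
    """Serialise records into request bodies of at most batch_lines events each,
    joined with delimiter, as batch_lines() and delimiter() do."""
    bodies = []
    for i in range(0, len(records), batch_lines):
        chunk = records[i:i + batch_lines]
        bodies.append(delimiter.join(json.dumps(hec_event(r, index)) for r in chunk))
    return bodies

def parse_batch(body, delimiter="\n"):
    """Decode a batch body back into event dicts (what the collector will see)."""
    return [json.loads(part) for part in body.split(delimiter) if part]

def hec_request(url, token, body):
    """Build the POST for one batch. The token is a bearer credential, so this
    helper (an assumption stricter than the page's snippet) refuses plain http."""
    if urlparse(url).scheme != "https":
        raise ValueError("HEC token would cross the network in clear; use an https:// url()")
    return urllib.request.Request(
        url, data=body.encode("utf-8"), method="POST",
        headers={"Authorization": f"Splunk {token}", "Content-Type": "application/json"},
    )
```

Send a batch with urllib.request.urlopen(hec_request(...)) once the collector is reachable; a 400 response with an "Incorrect index" text usually means the token is not allowed to write to the index() you configured.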
© 2021 One Identity LLC. ALL RIGHTS RESERVED.