Splunk HEC Source

The Vector splunk_hec source ingests data through the Splunk HTTP Event Collector protocol and outputs log events.

Requirements

Configuration

vector.toml
[sources.my_source_id]
type = "splunk_hec" # required
address = "0.0.0.0:80" # optional, default
token = "A94A8FE5CCB19BA61C4C08" # optional, no default
  • address (string, common, optional)

    The address to accept connections on.

    • Default: "0.0.0.0:80"
  • tls (table, optional)

    Configures the TLS options for connections from this source.

    • ca_file (string, optional)

      Absolute path to an additional CA certificate file, in DER or PEM format (X.509), or an inline CA certificate in PEM format.

      • No default
    • crt_file (string, common, optional)

      Absolute path to a certificate file used to identify this server, in DER or PEM format (X.509) or PKCS#12, or an inline certificate in PEM format. If this is set and is not a PKCS#12 archive, key_file must also be set. This is required if enabled is set to true.

      • No default
    • enabled (bool, common, optional)

      Require TLS for incoming connections. If this is set, an identity certificate is also required.

      • Default: false
    • key_file (string, common, optional)

      Absolute path to a private key file used to identify this server, in DER or PEM format (PKCS#8), or an inline private key in PEM format.

      • No default
    • key_pass (string, common, optional)

      Pass phrase used to unlock the encrypted key file. This has no effect unless key_file is set.

      • No default
    • verify_certificate (bool, optional)

      If true, Vector will require a TLS certificate from the connecting host and terminate the connection if it is not valid. If false (the default), Vector will not request a certificate from the client.

      • WARNING: Setting this to `false` will cause OpenSSL to not request a certificate from the client
      • Default: false
  • token (string, common, optional)

    If supplied, incoming requests must supply this token in the Authorization header, just as a client would if it were communicating with the Splunk HEC endpoint directly. If not supplied, the Authorization header is ignored and requests are not authenticated.

    • No default
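The options above describe three settings that decide whether this listener is authenticated and encrypted: token, tls.enabled (with crt_file/key_file) and tls.verify_certificate. The following added example (not Vector's code; the finding codes, audit rules and both sample configurations are constructed for illustration, and the certificate paths are placeholders) parses a vector.toml fragment and reports which of those protections a splunk_hec source is missing, comparing the documented defaults against a hardened variant that takes its token from an environment variable.

```python
"""Audit a Vector splunk_hec source configuration for weak settings.

Added example; not part of Vector. The finding codes, the audit rules and
the two sample configurations below are constructed for illustration.
"""
from __future__ import annotations

try:
    import tomllib  # standard library on Python 3.11+
except ImportError:  # older interpreters: the TOML loader is unavailable
    tomllib = None

# Constructed sample: the documented defaults, unchanged.
WEAK_CONFIG = """
[sources.my_source_id]
type = "splunk_hec"
address = "0.0.0.0:80"
"""

# Constructed sample: same source, token resolved from the environment and
# TLS enabled. The file paths are placeholders, not Vector defaults.
HARDENED_CONFIG = """
[sources.my_source_id]
type = "splunk_hec"
address = "0.0.0.0:8088"
token = "${SPLUNK_HEC_TOKEN}"

[sources.my_source_id.tls]
enabled = true
crt_file = "/etc/vector/hec.crt"
key_file = "/etc/vector/hec.key"
ca_file = "/etc/vector/clients-ca.pem"
verify_certificate = true
"""

# Finding codes (constructed) and what each means for the source.
DESCRIPTIONS = {
    "no-token": "token unset: the Authorization header is ignored and requests are unauthenticated",
    "literal-token": "token is a literal in the file; prefer a ${VAR} reference resolved at load time",
    "tls-disabled": "tls.enabled is false: tokens and events cross the network in cleartext",
    "missing-crt-file": "tls.enabled is true but crt_file is unset; an identity certificate is required",
    "missing-key-file": "crt_file is not a PKCS#12 archive, so key_file must also be set",
    "client-cert-not-verified": "verify_certificate is false: no certificate is requested from clients",
}


def audit_splunk_hec(source: dict) -> list[str]:
    """Return the finding codes that apply to one [sources.<id>] table."""
    findings: list[str] = []

    token = source.get("token")
    if not token:
        findings.append("no-token")
    elif not (token.startswith("${") and token.endswith("}")):
        findings.append("literal-token")

    tls = source.get("tls", {})
    if not tls.get("enabled", False):
        findings.append("tls-disabled")
    else:
        crt = tls.get("crt_file")
        if not crt:
            findings.append("missing-crt-file")
        # Assumption: a PKCS#12 archive is recognised by its file extension.
        elif not crt.lower().endswith((".p12", ".pfx")) and not tls.get("key_file"):
            findings.append("missing-key-file")
    if not tls.get("verify_certificate", False):
        findings.append("client-cert-not-verified")
    return findings


def audit_config_text(text: str) -> dict[str, list[str]]:
    """Parse a vector.toml document and audit every splunk_hec source in it."""
    if tomllib is None:
        raise RuntimeError("tomllib (Python 3.11+) is required to parse TOML text")
    config = tomllib.loads(text)
    return {
        name: audit_splunk_hec(table)
        for name, table in config.get("sources", {}).items()
        if table.get("type") == "splunk_hec"
    }


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        for name, codes in audit_config_text(text).items():
            print(f"{label}: sources.{name}: {len(codes)} finding(s)")
            for code in codes:
                print(f"  - {code}: {DESCRIPTIONS[code]}")
```

Run against the documented defaults the audit reports no-token, tls-disabled and client-cert-not-verified; the hardened variant reports nothing. The client-certificate finding is informational (mutual TLS is optional), but the other two mean anyone who can reach the listener can inject events, and can read the token of any client that does send one.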

Fields

example log event
{
// ...
"message": "Started GET / for 127.0.0.1 at 2012-03-10 14:28:14 +0100",
"splunk_channel": "FE0ECFAD-13D5-401B-847D-77833BD77131",
"timestamp": "2019-11-01T21:15:47+00:00"
// ...
}
  • message (string, common, required)

    The raw log message, unaltered.

    • No default
  • splunk_channel (string, common, required)

    The Splunk channel, value of the X-Splunk-Request-Channel header.

    • No default
  • timestamp (timestamp, common, required)

    If the Splunk HEC event endpoint is used, the value of the time field is used. If the Splunk HEC raw endpoint is used, the time the event was received is used.

    • No default

Examples

Given the following input:

Example input
Hello world

A log event will be output with the following structure:

Example log event
{
"message": "Hello world", // the raw input, unaltered
"timestamp": <2019-07-26T20:30:27.000443Z>, // time event was received
"host": "my.host.com", // value of the `Host` header
"splunk_channel": "FE0ECFAD-13D5-401B-847D-77833BD77131" // value of the `X-Splunk-Request-Channel` header
}
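To make the field rules and the token rule concrete, here is an added example that is not Vector's code: a small emulation of how a request to the raw or event endpoint becomes the log event shown above. It follows the page's rules (message is the raw input, splunk_channel comes from X-Splunk-Request-Channel, host from the Host header, timestamp from the `time` field on the event endpoint and from the receive time on the raw endpoint) and the Splunk HEC convention of an `Authorization: Splunk <token>` header. The request samples, the 401 handling and the choices for a missing `time` field or a non-string event payload are assumptions made for the example.

```python
"""Emulate how a splunk_hec source turns HEC requests into log events.

Added example, not Vector's code. Field rules follow the documentation;
the request samples and the edge-case choices are constructed.
"""
from __future__ import annotations

import hmac
import json
from datetime import datetime, timezone

EVENT_PATH = "/services/collector/event"
RAW_PATH = "/services/collector/raw"


def authorized(headers: dict[str, str], configured_token: str | None) -> bool:
    """Documented token rule: with no token configured the Authorization
    header is ignored; otherwise it must carry 'Splunk <token>'."""
    if configured_token is None:
        return True
    presented = headers.get("Authorization", "")
    expected = f"Splunk {configured_token}"
    # Constant-time comparison so timing does not reveal how much matched.
    return hmac.compare_digest(presented.encode(), expected.encode())


def _json_objects(body: str):
    """Yield each JSON object from a body holding one or more objects,
    concatenated or newline-separated, as HEC clients batch them."""
    decoder = json.JSONDecoder()
    pos = 0
    while True:
        while pos < len(body) and body[pos].isspace():
            pos += 1
        if pos >= len(body):
            return
        obj, pos = decoder.raw_decode(body, pos)
        if not isinstance(obj, dict):
            raise ValueError("HEC event payloads must be JSON objects")
        yield obj


def to_log_events(path: str, headers: dict[str, str], body: str,
                  received_at: datetime) -> list[dict]:
    """Build the log events one request produces, per the page's field rules."""
    common = {
        "host": headers.get("Host"),
        "splunk_channel": headers.get("X-Splunk-Request-Channel"),
    }
    if path == RAW_PATH:
        # Raw endpoint: the body is the message, timestamp is the receive time.
        return [dict(common, message=body, timestamp=received_at.isoformat())]
    if path == EVENT_PATH:
        events = []
        for obj in _json_objects(body):
            event = obj.get("event")
            # Assumption: a non-string event payload is kept as its JSON text.
            message = event if isinstance(event, str) else json.dumps(event)
            if "time" in obj:
                # Event endpoint: the `time` field (epoch seconds) is used.
                ts = datetime.fromtimestamp(float(obj["time"]), tz=timezone.utc)
            else:
                ts = received_at  # assumption: fall back to the receive time
            events.append(dict(common, message=message, timestamp=ts.isoformat()))
        return events
    raise ValueError(f"unsupported HEC path: {path}")


def handle_request(path, headers, body, configured_token, received_at):
    """Return (HTTP status, events): 401 and no events when the token fails."""
    if not authorized(headers, configured_token):
        return 401, []
    return 200, to_log_events(path, headers, body, received_at)


# Constructed samples reusing the values shown on this page.
TOKEN = "A94A8FE5CCB19BA61C4C08"
CHANNEL = "FE0ECFAD-13D5-401B-847D-77833BD77131"
RECEIVED_AT = datetime(2019, 7, 26, 20, 30, 27, 443, tzinfo=timezone.utc)
HEADERS = {"Host": "my.host.com", "X-Splunk-Request-Channel": CHANNEL,
           "Authorization": f"Splunk {TOKEN}"}
RAW_REQUEST = (RAW_PATH, HEADERS, "Hello world")
EVENT_REQUEST = (EVENT_PATH, HEADERS,
                 '{"time": 1572642947, "event": "Started GET / for 127.0.0.1 at 2012-03-10 14:28:14 +0100"}\n'
                 '{"event": {"level": "info"}}')

if __name__ == "__main__":
    for request in (RAW_REQUEST, EVENT_REQUEST):
        status, events = handle_request(*request, TOKEN, RECEIVED_AT)
        print(status, json.dumps(events, indent=2))
    print(handle_request(*RAW_REQUEST, "different-token", RECEIVED_AT)[0])
```

The raw request reproduces the example event above (message, host, splunk_channel and the receive-time timestamp); the first event-endpoint object gets the 2019-11-01T21:15:47+00:00 timestamp from its `time` field, the second falls back to the receive time. Note the `configured_token is None` branch: it is exactly the documented "no token, no authentication" behaviour, which is why leaving token unset should be a deliberate choice.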

How It Works

Environment Variables

Environment variables are supported through all of Vector's configuration. Simply add ${MY_ENV_VAR} in your Vector configuration file and the variable will be replaced before being evaluated.

You can learn more in the Environment Variables section.

TLS

Vector uses OpenSSL for TLS because of its battle-tested and reliable security. You can enable and adjust TLS behavior via the tls.* options.