I'm trying to use the recently released 8.1.0 Universal Forwarder to send logs over HTTP: https://docs.splunk.com/Documentation/Forwarder/8.1.0/Forwarder/Configureforwardingwithoutputs.conf#Configure_the_universal_forwarder_to_send_data_over_HTTP
I have my outputs.conf configured as described in that configuration:
[httpout]
httpEventCollectorToken = [my_hec_token]
uri = http://[my_splunk_url]:8088
batchSize = 65536
batchTimeout = 5
I am also able to curl the HTTP Event Collector and successfully test the endpoint from the machine running the Universal Forwarder:
curl -k http://[my_splunk_url]:8088/services/collector/event -H "Authorization: Splunk [my_hec_token]" -d '{"event": "hello world"}'
{"text":"Success","code":0}
However, when I start the Universal Forwarder, it shows the following error in the splunkd.log:
10-20-2020 14:41:40.989 +0000 ERROR S2SOverHttpOutputProcessor - HTTP 404 Not Found
10-20-2020 14:41:50.103 +0000 WARN TailReader - Could not send data to output queue (parsingQueue), retrying...
I have tried using https (although I know that the HEC endpoint in this case does not use https) and I have tried providing the /services/collector/event or /services/collector url paths in the config, but when doing any of these I instead get a 502 error in the log.
How can I troubleshoot this?