This is a writeup about sending Logstash data to Splunk using the HTTP Event Collector. Logstash provides an immense filtering capability which can be used to screen and reduce data before it hits the Splunk indexers. Additionally, Logstash can accept a vast array of inputs, and provides a middleware capability when translating Elastic Beats into Splunk logs. Using the Elastic Common Schema inside Splunk works perfectly well, as dotted fields (ex. source.ip) function without issue in the pipeline, and standard field renames (ex. turn periods into underscores, etc) can be applied either in Splunk or Logstash. Further decoupling of services, and increased data durability, can be achieved by using a Kafka cluster between Logstash and Splunk, but that is beyond the scope of this writeup.

* = Splunk Deployment Servers can manage endpoint software in some circumstances

Official Documentation: Configure HTTP Event Collector on Splunk Enterprise

Settings --> Add Data --> Monitor --> HTTP Event Collector

Name: "webtoken" (or any desired name)
UNCHECK: Enable indexer acknowledgement

click Next

this is where you will decide which index this token is written to upon being received

Create a new index
	Index Name: logstash
	(leave rest defaults for this demo)
	Save
Select Allowed Indexes --> click logstash to "whitelist" the index for this token

click Review --> Submit

copy the token and save it for later
# note this token was used for this writeup, then deleted
	c6012558-7817-45e0-a3a5-7dfc876e1bf3

Settings --> Data inputs --> HTTP Event Collector --> Global Settings (top right)

these default source type settings will not affect which actual source type this token is written to, as we will change that in the following step (note you cannot create a new source type from this panel)

# note HTTP Event Collector settings screen is where the token can be retrieved again if needed
All Tokens: Enabled
Default Source Type: Structured --> _json
Default Index: logstash
UNCHECK: Use Deployment Server
UNCHECK: Enable SSL (will be added later in the instructions)
HTTP Port Number: 8088 (default)

Settings --> Source types --> New Source Type (top right)

it is very important to set Indexed Extractions to "none", otherwise Splunk will display duplicated data as it double-parses the JSON

Name: winlogbeat
Description: Windows endpoint data
Destination app: Search & Reporting
Category: Operating System
Indexed Extractions: none
# additional configurations should be made to set "@timestamp" as the document time field with the appropriate time zone, but that is not critical to this demo as both _time and @timestamp can be utilized for the same purpose

Settings --> Data inputs --> HTTP Event Collector --> Edit (on appropriate source type name)

Source Type: winlogbeat

note the usage of the /services/collector/raw endpoint; the event (vs raw) endpoint is unreliable when sending POST data from Logstash

output {
	http {
		content_type => "application/json"
		http_method => "post"
		url => "http://your-splunk-server:8088/services/collector/raw"
		headers => ["Authorization", "Splunk c6012558-7817-45e0-a3a5-7dfc876e1bf3"]
	}
}

• use one token per index+sourcetype, and name/describe them accordingly
• harden and firewall your assets; do not allow the entire world, or even the whole corporate network, to reach the ingest ports
• certificates don't last forever; include the Splunk keys in your key management processes (and don't forget the Logstash stores)
• Logstash --> Kafka <-- Splunk: this setup is more durable and reduces data loss if the Splunk cluster goes down for some reason

• generate SSL/TLS certificates
• configure the Logstash truststore and keystore