TEAM: Huntress Managed Security Information and Event Management (SIEM)
PRODUCT: SIEM HEC
ENVIRONMENT: HTTP Event Collector
SUMMARY: Configuration Guide for Generic HTTP Event Collector on port 443
Overview
The Generic HTTP Event Collector (HEC) lets you send application event and log data to Huntress over the HTTP and Secure HTTP (HTTPS) protocols on port 443. Once a source and the Generic HTTP Event Collector are configured, the source sends its data to the Collector URL. Sources configured this way will not have ECS-normalized fields or categories, but they will have base-level JSON parsing.
Each configured HEC log source that has sent data in the last 30 days counts as one Managed SIEM Data Source. Each Data Source is allocated and billed for 10 GB per month of ingestion, even if it sends less than that. You can send logs from multiple tenants through a single HEC source and token. To create additional billable Data Sources, configure additional HEC sources. See our Huntress Managed SIEM - Billing and Retention guide for more info.
Source Requirements
- The source must support token-based authentication.
- The source must send data in a JSON-formatted array with “event” as the top object.
Configuring the HTTP Event Collector
Authentication Token Creation
- Open the Huntress Portal
- Click on SIEM on the left navigation menu
- Click Source Management
- Click Add Source
- Choose Generic HEC
- Click Add
- Set Configuration Details
- Select the appropriate Organization from the dropdown
- Enter a unique name of the source
- (Optional) Enter a description for the source
- Click Save
- Record the HTTP Event Collector Token
- Note: Keep this secure as it is the equivalent of a password
Configuring the Source
Each log source has its own unique configuration steps. However, as noted in the requirements section above, it must support token-based authentication. If the source supports integration with Splunk’s HEC, the same mechanism and source configuration steps are supported by the Huntress HEC. The port should be 443.
Huntress HEC URL:
- https://hec.huntress.io/services/collector
We also listen on the following URLs, depending on what the source service requires:
- https://hec.huntress.io/services/collector/event
- https://hec.huntress.io/services/collector/raw
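As an added illustration (not Huntress's or any vendor's own code), the following minimal Python client wraps an application event in the required envelope, with "event" as the top-level object, and POSTs it to the collector URL over HTTPS on port 443. It assumes the Splunk-style "Authorization: Splunk <token>" header and the optional "time", "source" and "sourcetype" envelope fields, which the guide implies through Splunk HEC compatibility but does not spell out; the sample event is constructed.

```python
"""Send one application log event to the Huntress Generic HEC endpoint.

Assumptions (not stated in the guide): the token travels in an
"Authorization: Splunk <token>" header, as Splunk's HEC expects, and the
optional "time" field is epoch seconds.
"""
import json
import os
import time
import urllib.request

HEC_URL = "https://hec.huntress.io/services/collector"  # from the guide, TLS on 443


def build_hec_payload(event, source="app", sourcetype="_json", when=None):
    """Return the HEC envelope. "event" must be a JSON object at the top level."""
    if not isinstance(event, dict):
        raise TypeError("event must be a JSON object (dict)")
    return {
        "time": int(when if when is not None else time.time()),
        "source": source,
        "sourcetype": sourcetype,
        "event": event,
    }


def send_event(payload, token, url=HEC_URL, timeout=10):
    """POST a single envelope. The token is the source's password: never log it."""
    body = json.dumps(payload, separators=(",", ":")).encode()
    req = urllib.request.Request(
        url,
        data=body,
        method="POST",
        headers={
            "Authorization": f"Splunk {token}",  # assumed Splunk-compatible header
            "Content-Type": "application/json",
        },
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status, resp.read().decode()


if __name__ == "__main__":
    # Read the token from the environment, never from source control or a log line.
    hec_token = os.environ["HUNTRESS_HEC_TOKEN"]
    # Constructed sample event: a failed logon from an application audit log.
    sample = build_hec_payload(
        {"action": "login", "outcome": "failure", "user": "jdoe", "src_ip": "203.0.113.7"},
        source="myapp-audit", when=1700000000,
    )
    print(send_event(sample, hec_token))
```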