A complete Splunk HTTP Event Collector (HEC) simulator for receiving and storing audit log streams.
- ✅ Fully Compatible with Splunk HEC API: Implements standard Splunk HEC endpoints
- ✅ Token Authentication: Supports Splunk standard token validation
- ✅ SSL Support: Optional HTTPS encrypted transmission
- ✅ High-Performance Async: Built on aiohttp async framework
- ✅ Event and Raw Data: Supports both data formats
- ✅ Auto Save: All received logs automatically saved as JSON files
- ✅ Health Check: Standard health check endpoint
```shell
pip install aiohttp aiofiles
python splunk_simulator.py
```

The service will start on http://0.0.0.0:8088 (the Splunk HEC default port).
After startup, the console will display the configuration information:

```text
Splunk HEC Simulator Started
Listening address: http://0.0.0.0:8088
Configuration details:
  Domain: localhost (or server IP)
  Port: 8088
  Token: your-hec-token-here
  SSL: Disabled
```
Fill in the following parameters as required by the system:

| Parameter | Value | Description |
|---|---|---|
| Domain | localhost or server IP | Server address running the simulator |
| Port | 8088 | Splunk HEC standard port |
| Token | your-hec-token-here | Valid token configured in code |
| Enable SSL verification | Uncheck | SSL verification not needed in HTTP mode |
Modify VALID_TOKENS in splunk_simulator.py:

```python
VALID_TOKENS = {
    "your-hec-token-here",  # Default token
    "my-custom-token",      # Add a custom token
    "github-audit-token",   # Other tokens
}
```

POST /services/collector/event
Receive JSON format event data (single or batch)
Request Headers:

```text
Authorization: Splunk your-hec-token-here
Content-Type: application/json
```

Request Body Example:

```json
{
  "event": {
    "action": "user.login",
    "user": "john@example.com",
    "timestamp": "2025-10-25T10:30:00Z"
  },
  "sourcetype": "audit",
  "index": "main"
}
```

Response:

```json
{
  "text": "Success",
  "code": 0,
  "ackId": "uuid-here"
}
```

POST /services/collector/raw
Receive raw text data.

GET /services/collector/health

Response:

```json
{
  "text": "HEC is healthy",
  "code": 17,
  "event_count": 42
}
```

GET /stats

Response:

```json
{
  "status": "running",
  "event_count": 42,
  "stored_files": 42,
  "total_size_bytes": 1024000,
  "storage_dir": "C:\\workspace\\audit_logs"
}
```
```shell
# Send event
curl -X POST http://localhost:8088/services/collector/event \
  -H "Authorization: Splunk your-hec-token-here" \
  -H "Content-Type: application/json" \
  -d '{
    "event": {
      "action": "test",
      "message": "Test event"
    }
  }'

# Health check
curl http://localhost:8088/services/collector/health

# View statistics
curl http://localhost:8088/stats
```
```powershell
# Send event
$headers = @{
    "Authorization" = "Splunk your-hec-token-here"
    "Content-Type"  = "application/json"
}
$body = @{
    event = @{
        action  = "test"
        message = "Test event"
    }
} | ConvertTo-Json
Invoke-RestMethod -Uri "http://localhost:8088/services/collector/event" `
    -Method Post -Headers $headers -Body $body

# Health check
Invoke-RestMethod -Uri "http://localhost:8088/services/collector/health"
```

All received audit logs are saved in the audit_logs/ directory:
```text
audit_logs/
├── 20251025_103045_a1b2c3d4-e5f6-7890-abcd-ef1234567890.json
├── 20251025_103046_b2c3d4e5-f6a7-8901-bcde-f12345678901.json
└── ...
```
Each file contains the complete event information:

```json
{
  "event_id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
  "timestamp": "2025-10-25T10:30:45.123456",
  "source_ip": "192.168.1.100",
  "event_data": {
    "event": {
      "action": "user.login",
      "user": "john@example.com"
    }
  }
}
```
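The following is an added example, not the simulator's own code, showing how a received event can be written in exactly the layout above: a record carrying event_id, timestamp, source_ip and event_data, saved as `<YYYYmmdd_HHMMSS>_<event_id>.json` under audit_logs/. Two points matter for a log sink that untrusted clients write to: the file name is built only from values the server generates (a UUID and the receive time), never from client-supplied fields, so no request can steer the write outside STORAGE_DIR; and the record is written to a temporary file and renamed into place, so a crash mid-write never leaves a truncated JSON file that a later reader would reject. The function names (build_record, file_name_for, store_event, roundtrip_sample), the atomic-write behaviour and the sample event are assumptions of this example.

```python
"""Store one HEC event the way the README's audit_logs/ listing shows.
Added example, not the project's own code; store_event() and the
temp-file-plus-rename write are assumptions of this example."""
import json
import os
import tempfile
import uuid
from datetime import datetime
from pathlib import Path

STORAGE_DIR = Path("audit_logs")  # README default


def build_record(event_data, source_ip, event_id=None, now=None):
    """Assemble the stored record.  event_id and now are injectable so the
    output is reproducible; by default a random UUID4 and the current local
    time are used, matching the README's sample file."""
    now = now or datetime.now()
    event_id = event_id or str(uuid.uuid4())
    return {
        "event_id": event_id,
        "timestamp": now.isoformat(),
        "source_ip": source_ip,
        "event_data": event_data,
    }


def file_name_for(record):
    """<YYYYmmdd_HHMMSS>_<event_id>.json, built only from server-generated
    values so a client cannot influence the path."""
    stamp = datetime.fromisoformat(record["timestamp"]).strftime("%Y%m%d_%H%M%S")
    return f"{stamp}_{record['event_id']}.json"


def store_event(event_data, source_ip, storage_dir=STORAGE_DIR, **kwargs):
    """Persist one event and return the Path written.

    The record is written to a sibling .tmp file and then renamed over the
    final name with os.replace(), which is atomic on POSIX and Windows, so a
    crash mid-write leaves no half-written .json in the directory."""
    storage_dir = Path(storage_dir)
    storage_dir.mkdir(parents=True, exist_ok=True)
    record = build_record(event_data, source_ip, **kwargs)
    final = storage_dir / file_name_for(record)
    tmp = final.with_name(final.name + ".tmp")
    with open(tmp, "w", encoding="utf-8") as fh:
        json.dump(record, fh, ensure_ascii=False, indent=2)
    os.replace(tmp, final)
    return final


def roundtrip_sample():
    """Write the README's sample event (constructed here) into a scratch
    directory with a fixed id and time, read it back, and return
    (file_name, record, leftover_file_names)."""
    sample_event = {"event": {"action": "user.login", "user": "john@example.com"}}
    with tempfile.TemporaryDirectory() as scratch:
        path = store_event(
            sample_event, "192.168.1.100", scratch,
            event_id="a1b2c3d4-e5f6-7890-abcd-ef1234567890",
            now=datetime(2025, 10, 25, 10, 30, 45, 123456),
        )
        with open(path, encoding="utf-8") as fh:
            record = json.load(fh)
        leftovers = [p.name for p in Path(scratch).iterdir() if p.name != path.name]
    return path.name, record, leftovers


if __name__ == "__main__":
    name, rec, extra = roundtrip_sample()
    print(name)
    print(json.dumps(rec, indent=2))
    print("leftover files:", extra)
```

Because the event_id also appears inside the record, a file can be matched to the "Saved event ... to ..." console log line even if the directory is later reorganised.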
```shell
# Using OpenSSL
openssl req -x509 -newkey rsa:4096 -nodes \
  -keyout key.pem -out cert.pem -days 365 \
  -subj "/CN=localhost"
```

In Windows PowerShell:
```powershell
# Using New-SelfSignedCertificate
$cert = New-SelfSignedCertificate -DnsName "localhost" -CertStoreLocation "cert:\CurrentUser\My"
```

In splunk_simulator.py:
```python
ENABLE_SSL = True
SSL_CERT_FILE = "cert.pem"
SSL_KEY_FILE = "key.pem"
```

In the audit log system:
- Domain: localhost
- Port: 8088
- Token: your-hec-token-here
- Enable SSL verification: ✅ Check (or uncheck when using a self-signed certificate)
```python
PORT = 8088                           # Change to another port, e.g. 9088
STORAGE_DIR = Path("audit_logs")      # Change to another directory
MAX_PAYLOAD_SIZE = 50 * 1024 * 1024   # 50 MB, can be adjusted
```

The default configuration HOST = "0.0.0.0" allows access from all network interfaces.
To allow local access only:

```python
HOST = "127.0.0.1"
```

Error Response:
```json
{
  "text": "Invalid authorization",
  "code": 3,
  "invalid-event-number": 0
}
```

Solution:
- Check that the configured token is in VALID_TOKENS
- Confirm the request header format: Authorization: Splunk <token>
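The following is an added example, not the simulator's own code, showing the two checks behind the VALID_TOKENS configuration above and this "Invalid authorization" response: parsing the `Authorization: Splunk <token>` header and comparing the token against the configured set. The comparison uses hmac.compare_digest and deliberately does not stop at the first match, so a caller cannot learn from response timing how much of a guessed token was correct. VALID_TOKENS is the README's default set; extract_token(), token_is_valid(), check_authorization() and the sample headers are assumptions of this example.

```python
"""Token check for the simulator's HEC endpoints.  Added example, not the
project's own code; the function names are assumptions of this example.
The client sends 'Authorization: Splunk <token>' and only tokens listed in
VALID_TOKENS are accepted; anything else gets the README's code-3 reply."""
import hmac

VALID_TOKENS = {            # README default set
    "your-hec-token-here",
    "my-custom-token",
    "github-audit-token",
}

INVALID_AUTH = {"text": "Invalid authorization", "code": 3, "invalid-event-number": 0}


def extract_token(authorization_header):
    """Return the token from 'Splunk <token>', or None when the header is
    missing or malformed.  The scheme is matched case-insensitively,
    surrounding whitespace is tolerated, and an empty token is rejected."""
    if not authorization_header:
        return None
    parts = authorization_header.strip().split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "splunk":
        return None
    token = parts[1].strip()
    return token or None


def token_is_valid(token, valid_tokens=VALID_TOKENS):
    """Constant-time membership test.  Every configured token is compared
    with hmac.compare_digest and the loop never returns early, so the time
    taken does not depend on which (if any) token matched or on how many
    leading characters of a wrong token were right."""
    matched = False
    for candidate in valid_tokens:
        if hmac.compare_digest(candidate.encode("utf-8"), token.encode("utf-8")):
            matched = True
    return matched


def check_authorization(headers):
    """Return (ok, error_body).  error_body is the README's 'Invalid
    authorization' response, or None when the request may proceed.
    aiohttp's request.headers is case-insensitive; with a plain dict, as
    in the constructed samples below, use the canonical key."""
    token = extract_token(headers.get("Authorization"))
    if token is None or not token_is_valid(token):
        return False, dict(INVALID_AUTH)
    return True, None


if __name__ == "__main__":
    # Constructed sample headers, as clients would send them.
    for hdrs in ({"Authorization": "Splunk your-hec-token-here"},
                 {"Authorization": "Bearer your-hec-token-here"},
                 {"Authorization": "Splunk not-configured"},
                 {}):
        print(hdrs, "->", check_authorization(hdrs))
```

A missing header, a wrong scheme (for example Bearer) and an unknown token all produce the same code-3 body, which is what a client sees when the token it was given is not in VALID_TOKENS.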
Error Message: OSError: [Errno 48] Address already in use

Solution:
- Change the PORT configuration to another port
- Or stop the other service that is using port 8088
Error Response:

```json
{
  "text": "Invalid JSON",
  "code": 6,
  "invalid-event-number": 0
}
```

Solution:
- Confirm that the sent data is valid JSON
- Check that Content-Type is application/json
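The following is an added example, not the simulator's own code, showing how a body posted to /services/collector/event can be decoded for both the single and the batch case described earlier, and where the "Invalid JSON" response above comes from. As in Splunk HEC, a batch is several JSON objects concatenated back to back, with or without newlines between them, so the body is walked with json.JSONDecoder.raw_decode rather than a single json.loads; "invalid-event-number" then points at the offending object (0 for a single event). The README documents only reply codes 0, 3, 6 and 17 for this simulator; the code 5 "No data", 12 "Event field is required" and 13 "Event field cannot be blank" replies used here are Splunk's documented HEC codes and are an assumption about the simulator, as are parse_hec_batch(), the "Payload too large" reply and the MAX_PAYLOAD_SIZE check, which runs before any decoding so an oversized body is never parsed.

```python
"""Decode a single-or-batch HEC event body.  Added example, not the
project's own code; parse_hec_batch() and the non-README reply codes
(5, 12, 13, and the assumed 'Payload too large' reply) are assumptions."""
import json

MAX_PAYLOAD_SIZE = 50 * 1024 * 1024  # README default: 50 MB

_decoder = json.JSONDecoder()


def _error(text, code, event_number):
    """Build the README's error shape."""
    return {"text": text, "code": code, "invalid-event-number": event_number}


def parse_hec_batch(body, max_size=MAX_PAYLOAD_SIZE):
    """Return (events, None) on success or (None, error_response).

    events is the list of decoded HEC envelopes, one per JSON object in the
    body, each guaranteed to be an object with a non-empty "event" member."""
    if len(body) > max_size:
        # Assumed reply for an oversized body; 413 mirrors the HTTP status a
        # handler would send, it is not a Splunk reply code.  Checked before
        # decoding so a huge payload never reaches the parser.
        return None, _error("Payload too large", 413, 0)
    try:
        text = body.decode("utf-8")
    except UnicodeDecodeError:
        return None, _error("Invalid JSON", 6, 0)

    events = []
    pos, end = 0, len(text)
    while True:
        # Skip whitespace/newlines between concatenated objects.
        while pos < end and text[pos].isspace():
            pos += 1
        if pos >= end:
            break
        try:
            obj, pos = _decoder.raw_decode(text, pos)
        except json.JSONDecodeError:
            # len(events) is the 0-based index of the object that failed.
            return None, _error("Invalid JSON", 6, len(events))
        if not isinstance(obj, dict) or "event" not in obj:
            return None, _error("Event field is required", 12, len(events))
        if obj["event"] in ("", None, {}, []):
            return None, _error("Event field cannot be blank", 13, len(events))
        events.append(obj)
    if not events:
        return None, _error("No data", 5, 0)
    return events, None


if __name__ == "__main__":
    # Constructed sample bodies: one single event, one three-object batch,
    # one batch whose second object is not JSON.
    samples = [
        b'{"event": {"action": "user.login"}, "sourcetype": "audit"}',
        b'{"event": "a"}\n{"event": "b"}{"event": {"x": 1}}\n',
        b'{"event": "a"}{"event": nope}',
    ]
    for body in samples:
        print(body, "->", parse_hec_batch(body))
```

A client that sends a JSON array, or an object without an "event" member, gets a distinct reply rather than "Invalid JSON", which makes the troubleshooting step above ("is the data valid JSON?") answerable from the response alone.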
Service runtime logs are output to the console in real time:

```text
2025-10-25 10:30:45 - __main__ - INFO - Audit log storage directory: C:\workspace\audit_logs
2025-10-25 10:30:45 - __main__ - INFO - Configured valid tokens: 3
2025-10-25 10:30:45 - __main__ - INFO - Splunk HEC Simulator Started
2025-10-25 10:31:20 - __main__ - INFO - Saved event a1b2c3d4... to 20251025_103120_a1b2c3d4.json
2025-10-25 10:31:20 - __main__ - INFO - Successfully processed 1 events, source: 192.168.1.100
```