
How do I send data from Java to Splunk using SSL connection?

markmaple
New Member

I am trying to send data from a Java program on one machine to Splunk on another machine using SSL. I have it working using a regular Java socket, but not with an SSL socket.

In the Java code:

TrustManager[] allowAllCerts = new TrustManager[] { new X509TrustManager() {

    @Override
    public void checkClientTrusted(final X509Certificate[] chain, final String authType) {
    }

    @Override
    public void checkServerTrusted(final X509Certificate[] chain, final String authType) {
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() {
        return null;
    }

} };

String trustStore = "C:/Users/mwmapl/Misc/AWE/truststore.ts";
System.setProperty("javax.net.ssl.trustStore", trustStore);
System.setProperty("javax.net.ssl.trustStorePassword", "password");

try {

    // Install the all-trusting trust manager
    SSLContext sslContext = SSLContext.getInstance("SSL");
    sslContext.init(null, allowAllCerts, new java.security.SecureRandom());

} catch(KeyManagementException e) {
    e.printStackTrace();
} catch(NoSuchAlgorithmException e) {
    e.printStackTrace();
}

SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();

socket = factory.createSocket(hostname, port);

pwsock = new PrintWriter(socket.getOutputStream());

pwsock.println(messageToSend);
pwsock.close();
socket.close();

In the Splunk file (Splunk\etc\system\local\inputs\inputs.conf):

[default]
host = 95D10012928

[tcp-ssl:8100]
disabled = 0

[SSL]
password = $1$S7P49guHmKbl
requireClientCert = false
rootCA = C:/Program Files/Splunk/etc/auth/cacert.pem
serverCert = C:/Program Files/Splunk/etc/auth/server.pem

splunkd.log

During restart of splunk:
04-06-2015 15:40:01.596 -0400 DEBUG TcpInputProc - Instance not running as slave. Will disable replication data receiver.
04-06-2015 15:40:01.596 -0400 DEBUG TcpInputProc - Instance not running as slave. Will disable replication data receiver.
04-06-2015 15:40:01.596 -0400 DEBUG TcpInputProc - Initializing
04-06-2015 15:40:01.596 -0400 DEBUG TcpInputProc - Initializing
04-06-2015 15:40:01.596 -0400 DEBUG TcpInputProc - creating tcp pipelineData queue
04-06-2015 15:40:01.596 -0400 DEBUG TcpInputProc - readConfig - clearing maps
04-06-2015 15:40:01.596 -0400 DEBUG TcpInputProc - readConfig - scanning configs
04-06-2015 15:40:01.596 -0400 DEBUG TcpInputConfig - global prop rdnsMaxDutyCycle=10
04-06-2015 15:40:01.597 -0400 DEBUG TcpInputConfig - global prop enables2sHeartbeat=true
04-06-2015 15:40:01.597 -0400 DEBUG TcpInputConfig - global prop s2skeepaliveTimeout=600
04-06-2015 15:40:01.597 -0400 DEBUG TcpInputConfig - global prop inputShutdownTimeout=15
04-06-2015 15:40:01.597 -0400 DEBUG TcpInputConfig - global prop stopAcceptorAfterSeconds=300
04-06-2015 15:40:01.597 -0400 DEBUG TcpInputConfig - global prop negotiateNewProtocol=1
04-06-2015 15:40:01.597 -0400 DEBUG TcpInputConfig - global prop concurrentChannelLimit=300
04-06-2015 15:40:01.597 -0400 DEBUG TcpInputConfig - global prop aggregate_metrics=0 suppress_derived_info=0
04-06-2015 15:40:01.597 -0400 DEBUG TcpInputConfig - Key file password requires decrypting
04-06-2015 15:40:01.597 -0400 DEBUG TcpInputConfig - SSL _serverCert=C:\Program Files\Splunk/etc/auth/server.pem
04-06-2015 15:40:01.597 -0400 DEBUG TcpInputConfig - SSL _rootCA=C:\Program Files\Splunk/etc/auth/cacert.pem
04-06-2015 15:40:01.597 -0400 DEBUG TcpInputConfig - SSL _cipherSuite=ALL:!aNULL:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
04-06-2015 15:40:01.597 -0400 DEBUG TcpInputConfig - SSL _ecdhCurveName=
04-06-2015 15:40:01.597 -0400 INFO TcpInputConfig - SSL supported versions=SSL3,TLS1.0,TLS1.1,TLS1.2
04-06-2015 15:40:01.597 -0400 DEBUG TcpInputConfig - SSL _dhfile=
04-06-2015 15:40:01.597 -0400 DEBUG TcpInputConfig - SSL _requireClientCert=0
04-06-2015 15:40:01.597 -0400 DEBUG TcpInputConfig - SSL _quietShutdown=0
04-06-2015 15:40:01.610 -0400 INFO TcpInputConfig - IPv4 port 8100 is reserved for raw input
04-06-2015 15:40:01.610 -0400 INFO TcpInputConfig - IPv4 port 8100 will negotiate new-s2s protocol
04-06-2015 15:40:01.610 -0400 INFO TcpInputConfig - IPv4 port 8102 is reserved for raw input
04-06-2015 15:40:01.610 -0400 INFO TcpInputConfig - IPv4 port 8102 will negotiate new-s2s protocol
04-06-2015 15:40:01.610 -0400 INFO TcpInputConfig - IPv4 port 8100 is reserved for raw input (SSL)
04-06-2015 15:40:01.610 -0400 INFO TcpInputConfig - IPv4 port 8100 will negotiate new-s2s protocol
04-06-2015 15:40:01.611 -0400 DEBUG TcpInputProc - createAcceptor - creating acceptor for IPv4 port 8100
04-06-2015 15:40:01.611 -0400 DEBUG TcpInputProc - Initing raw Acceptor for IPv4 port 8100 with SSL
04-06-2015 15:40:01.611 -0400 DEBUG TcpInputProc - createAcceptor - creating acceptor for IPv4 port 8102
04-06-2015 15:40:01.611 -0400 DEBUG TcpInputProc - Initing raw Acceptor for IPv4 port 8102 with Non-SSL
04-06-2015 15:40:01.611 -0400 INFO TcpInputProc - Registering metrics callback for: tcpin_connections
04-06-2015 15:40:01.611 -0400 INFO PipelineComponent - Pipeline structuredparsing disabled in default-mode.conf file

Any help would be greatly appreciated.
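
Added example (not part of the original post, and not Splunk's code): a client for the `[tcp-ssl:8100]` input above that validates the server certificate against the truststore instead of installing a trust-all `TrustManager`, and that takes its socket from the `SSLContext` it builds rather than from `SSLSocketFactory.getDefault()`. It assumes Java 9 or later, that the truststore holds the CA that signed the server certificate, and that the certificate names the host being connected to; `SplunkTlsSender`, `contextFromTrustStore` and `send` are names made up for this example.

```java
import java.io.File;
import java.io.IOException;
import java.io.OutputStreamWriter;
import java.io.PrintWriter;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

public class SplunkTlsSender {

    // Build a context that trusts only the CAs stored in the given truststore.
    static SSLContext contextFromTrustStore(String path, char[] password) throws Exception {
        // Java 9+: probes the file and loads it as JKS or PKCS12.
        KeyStore trustStore = KeyStore.getInstance(new File(path), password);
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        // No KeyManager: the input is configured with requireClientCert = false.
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    static void send(SSLContext ctx, String hostname, int port, String message) throws Exception {
        // The socket has to come from this context's factory for its trust settings to apply.
        try (SSLSocket socket = (SSLSocket) ctx.getSocketFactory().createSocket(hostname, port)) {
            SSLParameters params = socket.getSSLParameters();
            params.setEndpointIdentificationAlgorithm("HTTPS"); // match cert name to hostname
            socket.setSSLParameters(params);
            socket.startHandshake(); // an untrusted or misnamed cert fails here with an exception
            PrintWriter out = new PrintWriter(
                    new OutputStreamWriter(socket.getOutputStream(), StandardCharsets.UTF_8));
            out.println(message);
            if (out.checkError()) { // flushes, then reports any write failure
                throw new IOException("write to the Splunk TCP input failed");
            }
        }
    }

    public static void main(String[] args) throws Exception {
        // Truststore path, password and port are the ones from the question; host is args[0].
        SSLContext ctx = contextFromTrustStore(
                "C:/Users/mwmapl/Misc/AWE/truststore.ts", "password".toCharArray());
        send(ctx, args[0], 8100, "test event over TLS");
    }
}
```

Calling `startHandshake()` explicitly surfaces a trust or hostname mismatch as an `SSLHandshakeException` before any event data is written, which makes the failure easier to match against `splunkd.log`.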
