Security

How do I send data from Java to Splunk using SSL connection?

markmaple
New Member

I am trying to send data from a Java program on one machine to Splunk on another machine using SSL. I have it working using a regular Java socket, but not with an SSL socket.

In the Java code:

TrustManager[] allowAllCerts = new TrustManager[] { new X509TrustManager() {

    @Override
    public void checkClientTrusted(final X509Certificate[] chain, final String authType) {
    }

    @Override
    public void checkServerTrusted(final X509Certificate[] chain, final String authType) {
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() {
        return null;
    }

} };

String trustStore = "C:/Users/mwmapl/Misc/AWE/truststore.ts";
System.setProperty("javax.net.ssl.trustStore", trustStore);
System.setProperty("javax.net.ssl.trustStorePassword", "password");

try {
    // Install the all-trusting trust manager
    SSLContext sslContext = SSLContext.getInstance("SSL");
    sslContext.init(null, allowAllCerts, new java.security.SecureRandom());
} catch (KeyManagementException e) {
    e.printStackTrace();
} catch (NoSuchAlgorithmException e) {
    e.printStackTrace();
}

SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();

socket = factory.createSocket(hostname, port);

pwsock = new PrintWriter(socket.getOutputStream());

pwsock.println(messageToSend);
pwsock.close();
socket.close();

In the Splunk file (Splunk\etc\system\local\inputs\inputs.conf):

[default]
host = 95D10012928

[tcp-ssl:8100]
disabled = 0

[SSL]
password = $1$S7P49guHmKbl
requireClientCert = false
rootCA = C:/Program Files/Splunk/etc/auth/cacert.pem
serverCert = C:/Program Files/Splunk/etc/auth/server.pem

splunkd.log

During restart of Splunk:
04-06-2015 15:40:01.596 -0400 DEBUG TcpInputProc - Instance not running as slave. Will disable replication data receiver.
04-06-2015 15:40:01.596 -0400 DEBUG TcpInputProc - Instance not running as slave. Will disable replication data receiver.
04-06-2015 15:40:01.596 -0400 DEBUG TcpInputProc - Initializing
04-06-2015 15:40:01.596 -0400 DEBUG TcpInputProc - Initializing
04-06-2015 15:40:01.596 -0400 DEBUG TcpInputProc - creating tcp pipelineData queue
04-06-2015 15:40:01.596 -0400 DEBUG TcpInputProc - readConfig - clearing maps
04-06-2015 15:40:01.596 -0400 DEBUG TcpInputProc - readConfig - scanning configs
04-06-2015 15:40:01.596 -0400 DEBUG TcpInputConfig - global prop rdnsMaxDutyCycle=10
04-06-2015 15:40:01.597 -0400 DEBUG TcpInputConfig - global prop enables2sHeartbeat=true
04-06-2015 15:40:01.597 -0400 DEBUG TcpInputConfig - global prop s2skeepaliveTimeout=600
04-06-2015 15:40:01.597 -0400 DEBUG TcpInputConfig - global prop inputShutdownTimeout=15
04-06-2015 15:40:01.597 -0400 DEBUG TcpInputConfig - global prop stopAcceptorAfterSeconds=300
04-06-2015 15:40:01.597 -0400 DEBUG TcpInputConfig - global prop negotiateNewProtocol=1
04-06-2015 15:40:01.597 -0400 DEBUG TcpInputConfig - global prop concurrentChannelLimit=300
04-06-2015 15:40:01.597 -0400 DEBUG TcpInputConfig - global prop aggregate_metrics=0 suppress_derived_info=0
04-06-2015 15:40:01.597 -0400 DEBUG TcpInputConfig - Key file password requires decrypting
04-06-2015 15:40:01.597 -0400 DEBUG TcpInputConfig - SSL _serverCert=C:\Program Files\Splunk/etc/auth/server.pem
04-06-2015 15:40:01.597 -0400 DEBUG TcpInputConfig - SSL _rootCA=C:\Program Files\Splunk/etc/auth/cacert.pem
04-06-2015 15:40:01.597 -0400 DEBUG TcpInputConfig - SSL _cipherSuite=ALL:!aNULL:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
04-06-2015 15:40:01.597 -0400 DEBUG TcpInputConfig - SSL _ecdhCurveName=
04-06-2015 15:40:01.597 -0400 INFO TcpInputConfig - SSL supported versions=SSL3,TLS1.0,TLS1.1,TLS1.2
04-06-2015 15:40:01.597 -0400 DEBUG TcpInputConfig - SSL _dhfile=
04-06-2015 15:40:01.597 -0400 DEBUG TcpInputConfig - SSL _requireClientCert=0
04-06-2015 15:40:01.597 -0400 DEBUG TcpInputConfig - SSL _quietShutdown=0
04-06-2015 15:40:01.610 -0400 INFO TcpInputConfig - IPv4 port 8100 is reserved for raw input
04-06-2015 15:40:01.610 -0400 INFO TcpInputConfig - IPv4 port 8100 will negotiate new-s2s protocol
04-06-2015 15:40:01.610 -0400 INFO TcpInputConfig - IPv4 port 8102 is reserved for raw input
04-06-2015 15:40:01.610 -0400 INFO TcpInputConfig - IPv4 port 8102 will negotiate new-s2s protocol
04-06-2015 15:40:01.610 -0400 INFO TcpInputConfig - IPv4 port 8100 is reserved for raw input (SSL)
04-06-2015 15:40:01.610 -0400 INFO TcpInputConfig - IPv4 port 8100 will negotiate new-s2s protocol
04-06-2015 15:40:01.611 -0400 DEBUG TcpInputProc - createAcceptor - creating acceptor for IPv4 port 8100
04-06-2015 15:40:01.611 -0400 DEBUG TcpInputProc - Initing raw Acceptor for IPv4 port 8100 with SSL
04-06-2015 15:40:01.611 -0400 DEBUG TcpInputProc - createAcceptor - creating acceptor for IPv4 port 8102
04-06-2015 15:40:01.611 -0400 DEBUG TcpInputProc - Initing raw Acceptor for IPv4 port 8102 with Non-SSL
04-06-2015 15:40:01.611 -0400 INFO TcpInputProc - Registering metrics callback for: tcpin_connections
04-06-2015 15:40:01.611 -0400 INFO PipelineComponent - Pipeline structuredparsing disabled in default-mode.conf file

Any help would be greatly appreciated.

0 Karma
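An added example, not part of the original post and not Splunk's own code: in the snippet above the all-trusting `sslContext` is never used by the socket, because the factory comes from `SSLSocketFactory.getDefault()`, and a trust manager with empty checks would accept any server certificate if it were used. The sketch below instead builds the context from a truststore holding the CA that signed the Splunk server certificate, takes the socket factory from that context, and checks the certificate name against the host. The class name `SplunkTlsSender` and the command-line arguments are assumptions.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStreamWriter;
import java.io.PrintWriter;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

public class SplunkTlsSender {

    // Build a context that trusts only the CA certificates in the given truststore.
    static SSLContext contextFor(String trustStorePath, char[] password) throws Exception {
        KeyStore trust = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(trustStorePath)) {
            trust.load(in, password);
        }
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null); // no client cert: requireClientCert = false
        return ctx;
    }

    static void send(SSLContext ctx, String host, int port, String event) throws Exception {
        // Take the factory from this context; SSLSocketFactory.getDefault() would ignore it.
        try (SSLSocket socket = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            SSLParameters params = socket.getSSLParameters();
            params.setEndpointIdentificationAlgorithm("HTTPS"); // cert name must match host
            socket.setSSLParameters(params);
            socket.startHandshake(); // trust or name failures surface here, before any data is sent
            PrintWriter out = new PrintWriter(
                    new OutputStreamWriter(socket.getOutputStream(), StandardCharsets.UTF_8), true);
            out.println(event);
            if (out.checkError()) throw new IOException("write to Splunk TCP input failed");
        }
    }

    public static void main(String[] args) throws Exception {
        // Assumed arguments: truststore path, truststore password, Splunk host, tcp-ssl port
        SSLContext ctx = contextFor(args[0], args[1].toCharArray());
        send(ctx, args[2], Integer.parseInt(args[3]), "constructed test event");
    }
}
```

A handshake failure is thrown as an `SSLHandshakeException` from `startHandshake()`; running the client with `-Djavax.net.debug=ssl,handshake` prints which certificate or name check failed.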

somesoni2
SplunkTrust
0 Karma