Send data to Splunk via an authenticated TCP Input

Wow , my second blog in 24 hrs about Protocol Data Inputs(PDI) , but sometimes you just infected with ideas and have to roll with it.

So my latest headbump is about sending text or binary data to Splunk over raw TCP and authenticating access to that TCP input.Simple to accomplish with PDI.

Setup a PDI stanza to listen for TCP requests

PDI has many options , but for this simple example you only need to choose the protocol(TCP) and a port number.

Screen Shot 2016-07-30 at 3.31.08 PM

Declare a custom handler to authenticate the received data

You can see this above in the Custom Data Handler section.I have declared the handler and  the authentication token that the handler should use via a JSON properties string that gets passed to the handler when everything instantiates.This JSON properties string can be any format that you want because your custom data handler that you code will have the logic for processing it.

The approach I used for the authentication is deliberately trivial , but it’s just an example :

1) received data is expected to be in the format : token=yourtoken,body=somedata
2) data is received and token is checked. If token matches , data from the body field is indexed , otherwise the data is dropped and an error is logged.

Here is the source if you are interested.

Handlers can be written in numerous JVM languages and then applied by simply declaring them in your PDI stanza as above and putting the code in the protocol_ta/bin/datahandlers directory, there are more template examples here.

Send some test data to Splunk

I just wrote a simple Python script to send some data to Splunk over raw TCP in the payload format that the authentication handler is expecting.

Screen Shot 2016-07-30 at 3.30.31 PM

Search for the data in Splunk

Screen Shot 2016-07-31 at 11.42.38 AM


If the token authentication fails , the data is dropped and an error is logged in Splunk.

Screen Shot 2016-07-30 at 4.06.39 PM

And that’s it. Pretty simple to roll your own token auth handler and make your TCP inputs that much more secure.

Note : TCP was used for this example , but this exact same handler will work with any of the PDI protocol options , just choose another protocol and you’re off to the races !

Screen Shot 2016-07-30 at 3.53.49 PM

One Trackback

  1. […] Send data to Splunk via an authenticated TCP Input (Damien Dallimore) […]