Mulesoft + Splunk
Introduction
This is yet another blog on Mulesoft and Splunk. If you are already aware of it you can happily skip this article. It's basically for the newbies.
Splunk Installation
We will use a local setup of Splunk using Docker. Use this documentation for the Splunk installation.
After downloading the Docker image, execute the command below.
$ docker run -p 8000:8000 -p 8088:8088 \
  -e "SPLUNK_PASSWORD=admin1234" \
  -e "SPLUNK_START_ARGS=--accept-license" \
  --name splunk \
  -d splunk/splunk:latest
Note that we are exposing ports 8000 and 8088.
8000: The Splunk administration portal
8088: The HTTP event collector endpoint
Splunk Configuration
I will configure a quick setup for Splunk. Check the below steps.
Login to Splunk
Browse to the address, https://localhost:8000
Enter the credentials:
Login: admin
Password: admin1234
Note that this is the password we set for our Splunk instance when we started the Docker container.
Data Input
Now, let's configure a Data Input.
Add an HTTP Event Collector (HEC).
Give any nice name you want:
Choose an Index. I have chosen the main index for this demo.
And we are done. We can view our HECs created along with the token.
Click Global Settings and verify that the SSL button is checked. We are going to use the SSL endpoint.
Testing the Splunk Setup
Information regarding all the endpoints of HEC can be found in the official Splunk documentation.
Below is the curl command to send a demo payload to the HEC.
curl -kv --location --request POST 'https://localhost:8088/services/collector/raw' \
--header 'Authorization: Splunk 265490c5-e0df-4d56-9936-3c5903e1f04b' \
--header 'Content-Type: application/json' \
--data-raw '{
"msg": "Hello Buddy"
}'
Note that in the Authorization header we are sending the token with a Splunk prefix.
Now, let's check the Splunk side. I made a query on index main and I got some results.
Cool!
Splunk HTTPS HEC
Now, we need to download the SSL certificate of our HEC endpoint.
Download the certificates
Open the link https://localhost:8088/services/collector/raw in Firefox and download the certificate. Below is a screenshot of the certificate.
Take note of the Common Name: SplunkServerDefaultCert. We will use it as the hostname in the next steps.
Create truststore
Create a trust store with the certificate downloaded in the previous step using the below command:
keytool -keystore truststore.jks -alias splunk -import -file splunkserverdefaultcert.pem
It will ask you to provide a password for truststore.jks.
Configure hosts file
Open your /etc/hosts file and add an entry that maps the hostname SplunkServerDefaultCert to 127.0.0.1, so that the hostname in the URL matches the Common Name in the certificate.
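An added check, not part of the original post: the earlier curl test used -k, which skips certificate verification, so this repeats the same POST with verification on, using the downloaded certificate and the hosts entry from the steps above. The function names and the HEC_TOKEN variable are hypothetical, and it assumes curl accepts the downloaded PEM as its trust anchor and matches the hostname against the certificate's Common Name.

```sh
#!/bin/sh
# Added example (not from the original post). Function names and HEC_TOKEN
# are hypothetical; the hostname, port, path and file name come from the page.
HEC_NAME="SplunkServerDefaultCert"          # Common Name noted from the certificate
HEC_CERT="splunkserverdefaultcert.pem"      # PEM downloaded from the browser
HEC_TOKEN="${HEC_TOKEN:-REPLACE_WITH_HEC_TOKEN}"   # placeholder; export the real token

# hosts_maps FILE NAME IP: succeed if an uncommented line in FILE maps NAME to IP.
hosts_maps() {
  awk -v n="$2" -v ip="$3" '
    { sub(/#.*/, "") }                      # ignore comments
    $1 == ip { for (i = 2; i <= NF; i++) if (tolower($i) == tolower(n)) ok = 1 }
    END { exit !ok }' "$1"
}

# hec_preflight HOSTSFILE CERT: print "ok" or the first missing prerequisite.
hec_preflight() {
  [ -r "$2" ] || { echo "missing-cert"; return 1; }
  grep -q 'BEGIN CERTIFICATE' "$2" || { echo "not-pem"; return 1; }
  hosts_maps "$1" "$HEC_NAME" 127.0.0.1 || { echo "missing-hosts-entry"; return 1; }
  echo "ok"
}

# hec_send_verified: the page's demo POST, but with certificate verification on.
# --cacert trusts only the downloaded certificate; there is no -k here, so a
# wrong certificate or a hostname mismatch makes curl fail instead of sending.
hec_send_verified() {
  hec_preflight /etc/hosts "$HEC_CERT" >&2 || return 1
  curl --silent --show-error --fail \
    --cacert "$HEC_CERT" \
    --request POST "https://$HEC_NAME:8088/services/collector/raw" \
    --header "Authorization: Splunk $HEC_TOKEN" \
    --header 'Content-Type: application/json' \
    --data-raw '{"msg": "Hello Buddy"}'
}
```

Source the file, export HEC_TOKEN, and call hec_send_verified; a TLS error at this point most likely comes from the certificate file or the hosts mapping rather than from the Mule application.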
Configure log4j2.xml in the Mule app
Create a Mule application and add the below configuration in log4j2.xml
Note that we are using the URL:
https://SplunkServerDefaultCert:8088/services/collector/raw
Also, we are using the truststore.jks created in earlier steps.
And that's all.
Testing the Mule App
Running the application from Anypoint Studio might throw some errors. The best way is to export the application and deploy it on a local Mule runtime.
As the application is deployed, you can see all of its logs in Splunk.
Conclusion
In this short article, I have explained how you can set up a local Splunk and integrate it with MuleSoft. In fact, you can integrate it not only with MuleSoft applications but with any other service.
Happy learning cheers!!!!!