https://community.splunk.com/t5/Splunk-Enterprise/Does-internal-report-the-expiration-date-of-the-certificate/m-p/751610#M22879 <P>This addon is a bit different. As I understand it from the description, it doesn't check Splunk's own certs, but connects to a given endpoint on the network and checks the cert presented there. It's kinda like check_ssl in Nagios.</P> Thu, 14 Aug 2025 06:19:14 GMT PickleRick 2025-08-14T06:19:14Z https://community.splunk.com/t5/Splunk-Enterprise/Does-internal-report-the-expiration-date-of-the-certificate/m-p/751579#M22869 <P>We are in the process of updating the certificates and we go manually to check each one via the browser whether the certificate truly expires next year, is this information in _internal, by any chance?</P> Wed, 13 Aug 2025 16:38:28 GMT https://community.splunk.com/t5/Splunk-Enterprise/Does-internal-report-the-expiration-date-of-the-certificate/m-p/751579#M22869 danielbb 2025-08-13T16:38:28Z https://community.splunk.com/t5/Splunk-Enterprise/Does-internal-report-the-expiration-date-of-the-certificate/m-p/751584#M22870 <P class=""><SPAN class=""><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/196884">@danielbb</a>&nbsp;No, </SPAN><SPAN class="">_internal</SPAN><SPAN class=""> does not proactively report certificate expiration dates.</SPAN><SPAN class=""> It only logs SSL errors after certificates have already expired, which is too late for proactive monitoring.</SPAN></P><P class=""><SPAN class=""><SPAN class="">&nbsp; </SPAN></SPAN><SPAN class="">What </SPAN><SPAN class="">_internal</SPAN><SPAN class=""> shows:</SPAN></P><P class=""><SPAN class=""><SPAN class="">&nbsp; </SPAN>index=_internal sourcetype=splunkd component=TcpInputProc log_level=ERROR "SSL routines:SSL3_READ_BYTES:sslv3 alert certificate expired"</SPAN></P><P class=""><SPAN class=""><SPAN class="">&nbsp; </SPAN>This only appears after the cert has expired.</SPAN></P><P class=""><SPAN class=""><SPAN class="">&nbsp; </SPAN></SPAN><SPAN class="">For On-Prem: may be&nbsp;create a scripted input to check certificate expiration and monitor?</SPAN><SPAN class=""><SPAN class="">&nbsp;&nbsp;</SPAN></SPAN></P><P class=""><SPAN class=""><SPAN class="">&nbsp; </SPAN></SPAN><SPAN class="">#!/bin/bash</SPAN></P><P class=""><SPAN class=""><SPAN class="">&nbsp; </SPAN></SPAN><SPAN class=""># Script to check cert expiration</SPAN></P><P class=""><SPAN class=""><SPAN class="">&nbsp; </SPAN>openssl x509 -enddate -noout -</SPAN><SPAN class="">in</SPAN><SPAN class=""> /path/to/cert.pem<BR /><BR /><BR /><BR />If this Helps, Please Upvote</SPAN></P> Wed, 13 Aug 2025 20:28:41 GMT https://community.splunk.com/t5/Splunk-Enterprise/Does-internal-report-the-expiration-date-of-the-certificate/m-p/751584#M22870 sainag_splunk 2025-08-13T20:28:41Z https://community.splunk.com/t5/Splunk-Enterprise/Does-internal-report-the-expiration-date-of-the-certificate/m-p/751585#M22871 <P>Hi there,</P><P>Short answer is no, but you could create a scripted input using this command&nbsp;<A href="https://community.splunk.com/t5/Security/Check-HTTPS-certifciates/m-p/145539/highlight/true#M4466" target="_blank">https://community.splunk.com/t5/Security/Check-HTTPS-certifciates/m-p/145539/highlight/true#M4466</A>&nbsp;and get this indexed into _internal</P><P>&nbsp;</P><P>Hope this helps ...</P><P>Cheers, MuS</P> Wed, 13 Aug 2025 20:32:12 GMT https://community.splunk.com/t5/Splunk-Enterprise/Does-internal-report-the-expiration-date-of-the-certificate/m-p/751585#M22871 MuS 2025-08-13T20:32:12Z https://community.splunk.com/t5/Splunk-Enterprise/Does-internal-report-the-expiration-date-of-the-certificate/m-p/751586#M22872 <P>Yup. It is possible by means of scripted input. I did something like that once. Two versions - one in PS to handle windows machines, another to list certs on unices. If your certs are in static places, that should be relatively easy. The problem starts when you want to list all certs Splunk uses in its configs and get info from all of them - it requires more scripting.</P> Wed, 13 Aug 2025 21:04:23 GMT https://community.splunk.com/t5/Splunk-Enterprise/Does-internal-report-the-expiration-date-of-the-certificate/m-p/751586#M22872 PickleRick 2025-08-13T21:04:23Z https://community.splunk.com/t5/Splunk-Enterprise/Does-internal-report-the-expiration-date-of-the-certificate/m-p/751602#M22874 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/196884">@danielbb</a>&nbsp;</P><P>No, Splunk _internal does not proactively log certificate expiration details.</P><P>As others have mentioned, you can use a scripted <STRONG>input</STRONG> or third-party <STRONG>add-on</STRONG>, which is easy to configure and can help you proactively monitor and manage SSL certificate renewals.</P><P><STRONG>Add-on</STRONG> - #<A href="https://splunkbase.splunk.com/app/6475" target="_blank">https://splunkbase.splunk.com/app/6475</A></P><P>Regards,<BR />Prewin<BR />Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!</P> Thu, 14 Aug 2025 04:33:17 GMT https://community.splunk.com/t5/Splunk-Enterprise/Does-internal-report-the-expiration-date-of-the-certificate/m-p/751602#M22874 PrewinThomas 2025-08-14T04:33:17Z https://community.splunk.com/t5/Splunk-Enterprise/Does-internal-report-the-expiration-date-of-the-certificate/m-p/751610#M22879 <P>This addon is a bit different. As I understand it from the description, it doesn't check Splunk's own certs, but connects to a given endpoint on the network and checks the cert presented there. It's kinda like check_ssl in Nagios.</P> Thu, 14 Aug 2025 06:19:14 GMT https://community.splunk.com/t5/Splunk-Enterprise/Does-internal-report-the-expiration-date-of-the-certificate/m-p/751610#M22879 PickleRick 2025-08-14T06:19:14Z