topic Re: Windows scripted input using output from splunk openssl command? in Getting Data In

Windows scripted input using output from splunk openssl command?

Lucas_K — Tue, 29 Sep 2020 09:36:37 GMT

Does anyone have a nice windows scripted input that will output the local certificate end date?

ie. something like

inputs.conf
[script://.\bin\ssl_check.bat]
disabled = false
index = ssl_check
interval = -1
sourcetype = ssl_check

ssl_check.bat
"C:\program files\SplunkUniversalForwarder\bin\splunk" cmd openssl x509 -enddate -noout -in "C:\program files\SplunkUniversalForwarder\etc\auth\ca.pem"

My problem is that the windows openssl opens its own little window and doesn't output to stdout. As such there isn't any text for the input to grab.

edit: i've tried numerous x509 parameters but nothing seens to want to output a text version of the certificate to a file. All the -out or -text options only output to the spawned console which can't be grabbed.

We need this to verify remediation work.

Re: Windows scripted input using output from splunk openssl command?

Richfez — Fri, 06 May 2016 00:09:06 GMT

Have you tried a simple

blah my command > outputfilename.txt

That should redirect the entire pile of output to a text file called outputfilename.txt.

Re: Windows scripted input using output from splunk openssl command?

Lucas_K — Fri, 06 May 2016 05:19:00 GMT

Its not a unix box. Its windows.

Please try what your suggesting on a windows machine and seeing what happens. 😉

Re: Windows scripted input using output from splunk openssl command?

Lucas_K — Tue, 29 Sep 2020 09:36:43 GMT

I've figured out a way to do it by calling the binary directly and not the "splunk cmd" method.

Below is my scripted input

inputs.conf

[script://.\bin\ssl_check_ca.bat]
disabled = false
index = sos
interval = 86400
sourcetype = ssl_check_ca

ssl_check_ca.bat

@echo off
For /f "tokens=2-4 delims=/ " %%a in ('date /t') do (set mydate=%%c-%%a-%%b)
For /f "tokens=1-2 delims=/:" %%a in ('time /t') do (set mytime=%%a:%%b)
"C:\Program Files\SplunkUniversalForwarder\bin\openssl" x509 -enddate -noout -in "C:\Program Files\SplunkUniversalForwarder\etc\auth\cacert.pem" >cacert.txt
set /p VV=<cacert.txt
For /f "tokens=1-6 delims=/ " %%a in ('echo %VV%') do (set enddate=%%a="%%b %%c %%d %%e %%f")
echo %mydate% %mytime%, ssl_cert=cacert.pem, %enddate%

It is a start and provides a nice mostly clean output like the following which is good enough for what it needs to do.

2016-06-05 03:19 PM, ssl_cert=cacert.pem, notAfter="Jul 21 17:12:19 2016 GMT"

Note: this doesn't do ANY path validation so it just assumes a default installation directory.
This has only been run on windows 10 so I still need to validate it against other versions of windows.

Re: Windows scripted input using output from splunk openssl command?

Richfez — Sat, 07 May 2016 02:10:29 GMT

Interesting! Glad you got it sorted.

For future reference, I checked a bit more and the key was to run the cmd prompt in Administrator mode.

C:\Users\MyUser>"C:\program files\SplunkUniversalForwarder\bin\splunk" cmd openssl x509 -enddate -noout -in "C:\program files\SplunkUniversalForwarder\etc\auth\ca.pem" >output.txt

C:\Users\MyUser>type output.txt
notAfter=May  8 19:51:37 2025 GMT

Which matches what I get when I run yours

C:\Users\MyUser>"C:\Program Files\SplunkUniversalForwarder\bin\openssl" x509 -enddate -noout -in "C:\Program Files\SplunkUniversalForwarder\etc\auth\cacert.pem" >cacert.txt
WARNING: can't open config file: C:\\wrangler-2.0\\build-home\\ember/ssl/openssl.cnf

C:\Users\MyUser>type output.txt
notAfter=May  8 19:51:37 2025 GMT

Actually, you'll notice when I run it not as a Splunk cmd there's something missing in the config settings (probably an environment variable), causing a WARNING to be spit out on STDERR. You could capture that too, because though CMD isn't quite as robust of fully featured as even sh, it DOES support a lot of stuff folks don't know about. The key there is to redirect to a file, then tell CMD to redirect stderr (2) to the same place as stdoutput (1), with this tagged on the end: 2>&1, like

C:\Users\MyUser>"C:\Program Files\SplunkUniversalForwarder\bin\openssl" x509 -enddate -noout -in "C:\Program Files\SplunkUniversalForwarder\etc\auth\cacert.pem" >cacert.txt 2>&1

C:\Users\MyUser>type cacert.txt
notAfter=May  8 19:51:37 2025 GMT
WARNING: can't open config file: C:\\wrangler-2.0\\build-home\\ember/ssl/openssl.cnf

Of course, you probably do NOT actually want to save that warning output. 🙂

Re: Windows scripted input using output from splunk openssl command?

Lucas_K — Tue, 10 May 2016 23:26:07 GMT

Thanks. yeah on the machines I tried it on i couldn't get the splunk cmd openssl output to redirect to a file using the ">". Not sure if it was a windows 10 issue. Directly calling the openssl was the way that it worked in the end.