I'm trying to get the SOC SSL Framework app working, but just nothing is happening.
How do I start to debug this?
You need to have a
ssl_framework index, or override the destination of the logged events by creating your own
savedsearches.conf in the /local directory of the app.
You can manually trigger a report with the command:
/opt/splunk/bin/splunk cmd python /opt/splunk/etc/apps/SOCPrimeSSLFramework/bin/ssl-framework-report.py -c /opt/splunk/etc/apps/SOCPrimeSSLFramework/default/sslframework.conf
You can monitor the reporting progress by following the app's own logfile:
tail -f /opt/splunk/etc/apps/SOCPrimeSSLFramework/bin/ssl-framework-report.log
It seems to take 2-3 minutes per server for the report to be generated. After the scan is finished then an output file is written to
/opt/splunk/etc/apps/SOCPrimeSSLFramework/reports. I found that after the initial install, the app didn't schedule a scan until around 12 hours later, so the dashboard was blank unless I manually ran a report using the command above.
Application error events are in the splunkd.log, you can monitor for them by watching:
tail -f /opt/splunk/var/log/splunk/splunkd.log | grep SOCPrimeSSLFramework
You can also do this through the Splunk search interface, by using the search
index=_internal SOCPrimeSSLFramework and then filtering your results as needed.
Hi PHanton, During 1 day your domains will be scanned and data from SSL labs could be pushed into your splunk. Also pls check python requirements (in install guide). You can manualy start script and collect data from comand line:
python $SPLUNK_HOME/etc/apps/SOCPrimeSSLFramework/bin/ssl-framework-report.py -c '$SPLUNK_HOME/etc/apps/SOCPrimeSSLFramework/default/sslframework.conf'
If you have more questions pls mail to email@example.com
using Splunk 6.4