SSL Checker - Inaccurate Dashboard Results

Explorer

I have installed the latest version of SSL Checker on our search head, which is running Enterprise 7.3.3. The associated dashboard works as intended, except that when I update and/or remove certs the dashboard does not refresh (it still shows old certs that no longer reside on the search head). I have performed reload exec, debug refresh, and restarted the server with no success at resolving the issue. Within the manual setup portion of the app I also reduced the list of certs to monitor to just one. Even after doing all the same troubleshooting actions above, the SSL dashboard is still showing all the previously monitored certs, including those that have since been removed or updated on the server. Please advise what other troubleshooting steps I should try. @jkat54

1 Solution

SplunkTrust

Hey,

It looks like the webui "settings" page is broken in relation to the automated input.

However, it will run every night at midnight by default.

Also, you can update the inputs.conf [script....ssl_checker3.py] with a crontab expression or number in seconds for the "interval". And then restart Splunk to make the new config live.

SplunkTrust

Hello!

The dashboard was meant to be an example that you would study and modify.

It looks like I used stats values(date) by cert...

Try changing that to latest(date) instead. And if that doesn't work, please paste the search you have here and we'll fix you right up.

Explorer

I found the issue: the query uses All Time by default to search for cert data, which would explain why the dashboard displays certs that no longer exist. Interestingly enough, for testing purposes I changed the query to the last 24 hours and the correct data is displayed. But then I set the app cron job to run every minute (again for testing newly added cert monitoring paths, and rebooted the server before re-running the SSL cert dashboard), and running the same search for the last 5 minutes returns nothing.

SplunkTrust

First, please change values(fieldName) to latest(fieldName) in my stats command, where fieldName is whatever I used for the expiration date field name.

Second, it could be taking a moment for the script to run. Maybe every minute is a little much. Try at minimum every 5 minutes... unless you're running it on a single-core Raspberry Pi or something... then maybe a minimum of 15 minutes+.
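The two changes discussed in this thread, a bounded time range instead of All Time and latest() in place of values(), applied to a Simple XML dashboard. This is an added example, not the app's shipped dashboard: the field names date and cert are the ones recalled in the reply above and may differ in the installed app, and the 24-hour window assumes the default midnight interval.

```xml
<!-- Added example, not the app's shipped dashboard. The index and sourcetype
     come from the inputs.conf stanza posted in this thread; the field names
     "date" and "cert" are the ones recalled in the reply and may differ. -->
<dashboard>
  <label>SSL certificate expiry (time-bounded)</label>
  <row>
    <panel>
      <title>Certificates seen by the most recent nightly run</title>
      <table>
        <search>
          <!-- latest(date) keeps one expiry value per cert instead of every
               value ever indexed, which is what values(date) returned. -->
          <query>index=main sourcetype=ssl_certs
| stats latest(date) AS date latest(_time) AS last_checked BY cert
| convert ctime(last_checked)</query>
          <!-- Bounded window instead of All Time: a cert the script no
               longer reports has no event in the last 24 hours. -->
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <title>Certificates no longer reported (removed or replaced)</title>
      <table>
        <search>
          <!-- CDATA keeps the "<" comparison valid inside XML. -->
          <query><![CDATA[index=main sourcetype=ssl_certs
| stats latest(_time) AS last_checked BY cert
| where last_checked < relative_time(now(), "-24h@h")
| convert ctime(last_checked)]]></query>
          <earliest>-30d@d</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>
  </row>
</dashboard>
```

If the script interval is changed from the nightly default, the earliest value in the first panel should cover at least one full interval, otherwise the panel can come back empty between runs.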

 

 

Explorer

Thank you.  The app is working on one of our search heads.  Automagic SSL Checker Input Configuration isn't working but Manual SSL Checker Input Configuration is.  

SplunkTrust

I'll be deploying for someone next week and will let you know if I find any bugs.  Thanks!

Glad it works in some capacity! It'll save you so much trouble!

You'll want it everywhere you use kvstore too (typically used by input apps on heavy forwarders), and when server.pem expires your dbconnect and whatever else relies on it will fail too.

Explorer

Greetings - I thought that may be the case with just leaving the default auto SSL cert detection option enabled, and waited overnight, though it still did not work for me. I am using python2, though, whereas you mentioned using python3, so perhaps that could be the issue/difference? I realize that the install includes scripts for both versions of Python.

SplunkTrust

Actually, the v2 and v3 of the script are the manual (v2) versus the automated (v3) version.

Both are python2 and 3 compatible.

Do you have enabled=true?

You can use the btool command line argument to debug your config:

/opt/splunk/bin/splunk btool inputs script --debug | grep ssl

Or on Windows:

splunk.exe btool inputs script --debug | findstr ssl

Explorer

That makes sense; thank you. Auto SSL checker is set as true in the app inputs.conf file. All other options are set as false in the same file.

#linux automated ssl checker
[script://./bin/ssl_checker3.py]
interval = 0 0 * * *
index = main
sourcetype = ssl_certs
disabled = 0


SplunkTrust

disabled = 0 is what I meant, not enabled = true.

I always get that mixed up in my head.

Well then, something else is happening on your end if it's not checking the certs at midnight every day (server time).

Can you check this search for me?

index=_internal sourcetype=splunk_python

Maybe it will show us an exception that is occurring.

Explorer

no results returned for:  index=_internal sourcetype=splunk_python

SplunkTrust

How about:

index=_internal log_level=err* OR log_level=warn*

Explorer

index=_internal ssl_checker source=*splunkd.log host="lpul-splunkapp1" returns the attached events

I'm thinking the syntax error may be the likely source of the problem.

 

SplunkTrust

Oh dang, looks like you got a copy of 4.0.0 not 4.0.1 where I corrected that.


Explorer

Hello - I have been using version 4.0.1 (dated 7 August on Splunkbase).

SplunkTrust

I just downloaded and checked bin/ssl_checkerv3.py and the import function is at the top of the page. 

Maybe you got some hybrid version!?

I'm about to fix the setup page and example dashboard for 4.02. I'll let you know when it's available.

SplunkTrust

OK, try 4.0.2 and let me know.