
SSL Checker - Inaccurate Dashboard Results

bill_king
Path Finder

I have installed the latest version of SSL checker on our Search Head that is running Enterprise 7.3.3. The associated dashboard works as intended, except that when I update and/or remove certs the dashboard does not refresh (it still shows old certs that no longer reside on the search head). I have performed reload exec, debug refresh, and restarted the server with no success at resolving the issue. Within the manual setup portion of the app I also reduced the list of certs to monitor to just one. Even after doing all the same troubleshooting actions above, the SSL Dashboard is still showing all the previously monitored certs, including those that have since been removed or updated on the server. Please advise what other troubleshooting steps I should try. @jkat54

jkat54
SplunkTrust

Hello!

The dashboard was meant to be an example that you would study and modify.

It looks like I used stats values(date) by cert...

Try changing that to latest(date) instead. And if that doesn't work, please paste the search you have here and we'll fix you right up.

bill_king
Path Finder

I found the issue; the query uses all time by default to search for cert data, which would make sense why the dashboard displays certs that no longer exist. Interestingly enough, for testing purposes I changed the query for the last 24 hours and the correct data is displayed. But then I set the app cron job to run every minute (again for testing newly added cert monitoring paths, and rebooted the server before re-running the SSL cert dashboard); running the same search for the last 5 minutes returns nothing.

jkat54
SplunkTrust

First, please change values(fieldName) to latest(fieldName) in my stats command where fieldName is whatever I used for the expiration date field name.

Second, it could be taking a moment for the script to run. Maybe every minute is a little much. Try at minimum every 5 minutes... unless you're running it on a single-core Raspberry Pi or something... then maybe a minimum of 15 minutes+.
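
An added illustration, not part of the thread or of the SSL Checker app: a small Python model of the behaviour discussed in the posts above, showing how `values(date)` versus `latest(date)` and the search time range each affect which certs the dashboard lists. The events, cert paths, dates and the `NOW` timestamp are constructed sample data; `cert` and `date` are the field names mentioned in the thread.

```python
from datetime import datetime, timedelta

NOW = datetime(2020, 9, 1, 12, 0)  # constructed "search time"
SERVER, OLD = "/opt/splunk/etc/auth/server.pem", "/opt/splunk/etc/auth/old.pem"
# Constructed events (index time, cert, date): one per monitored cert per script run.
EVENTS = [
    (NOW - timedelta(days=3, hours=12), SERVER, "2020-09-15"),
    (NOW - timedelta(days=3, hours=12), OLD, "2020-08-01"),
    # By the most recent midnight run server.pem was renewed and old.pem removed.
    (NOW - timedelta(hours=12), SERVER, "2023-09-15"),
]

def in_window(events, now, window=None):
    """Search time range; window=None means 'All time'."""
    return [e for e in events if window is None or e[0] >= now - window]

def values_by_cert(events):
    """Mimics `stats values(date) by cert`: every distinct date ever indexed."""
    out = {}
    for _, cert, date in events:
        out.setdefault(cert, set()).add(date)
    return {cert: sorted(dates) for cert, dates in out.items()}

def latest_by_cert(events):
    """Mimics `stats latest(date) by cert`: date from the newest event per cert."""
    newest = {}
    for when, cert, date in events:
        if cert not in newest or when > newest[cert][0]:
            newest[cert] = (when, date)
    return {cert: date for cert, (when, date) in newest.items()}

if __name__ == "__main__":
    day, five_min = timedelta(hours=24), timedelta(minutes=5)
    print("values, all time :", values_by_cert(in_window(EVENTS, NOW)))
    print("latest, all time :", latest_by_cert(in_window(EVENTS, NOW)))
    print("latest, last 24h :", latest_by_cert(in_window(EVENTS, NOW, day)))
    print("latest, last 5m  :", latest_by_cert(in_window(EVENTS, NOW, five_min)))
```

In this model `latest` over all time fixes the renewed cert's date but still lists the removed cert, and a window shorter than the gap since the last script run returns nothing, so the time range needs to cover at least one full input interval.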

 

 

bill_king
Path Finder

Thank you.  The app is working on one of our search heads.  Automagic SSL Checker Input Configuration isn't working but Manual SSL Checker Input Configuration is.  

jkat54
SplunkTrust

I'll be deploying for someone next week and will let you know if I find any bugs.  Thanks!

Glad it works in some capacity! It'll save you so much trouble!

You'll want it everywhere you use kvstore too (typically used by input apps on heavy forwarders), and when server.pem expires your dbconnect and whatever else that relies on it will fail too.

jkat54
SplunkTrust

Hey,

It looks like the webui "settings" page is broken in relation to the automated input.

However, it will run every night at midnight by default.

Also, you can update the inputs.conf [script....ssl_checker3.py] with a crontab expression or number in seconds for the "interval". And then restart Splunk to make the new config live.

 

 

0 Karma

bill_king
Path Finder

Greetings - I thought that may be the case with just leaving the default auto SSL cert detection option enabled, and waited overnight, though it still did not work for me. Though I am using python2 whereas you mentioned using python3, so perhaps that could be the issue/difference? I realize that the install includes scripts for both versions of python.

jkat54
SplunkTrust

Actually the v2 and v3 of the script are the manual (v2) versus the automated (v3) version.

Both are python2 and 3 compatible.

Do you have enabled=true?

You can use the btool command line argument to debug your config:

/opt/splunk/bin/splunk btool inputs script --debug | grep ssl

Or on Windows:

splunk.exe btool inputs script --debug | findstr ssl

0 Karma

bill_king
Path Finder

That makes sense; thank you. Auto ssl checker is set as true in the app inputs.conf file. All other options are set as false in the same file.

#linux automated ssl checker
[script://./bin/ssl_checker3.py]
interval = 0 0 * * *
index = main
sourcetype = ssl_certs
disabled = 0

0 Karma

jkat54
SplunkTrust

disabled = 0 is what I meant, not enabled = true.

I always get that mixed up in my head.

Well then, something else is happening on your end if it's not checking the certs at midnight every day (server time).

Can you check this search for me?

index=_internal sourcetype=splunk_python

Maybe it will show us an exception that is occurring.

 

0 Karma

bill_king
Path Finder

no results returned for:  index=_internal sourcetype=splunk_python

jkat54
SplunkTrust

How about

 

index=_internal log_level=err* OR log_level=warn*

0 Karma

bill_king
Path Finder

index=_internal ssl_checker source=*splunkd.log host="lpul-splunkapp1" returns the attached events

I'm thinking the syntax error may be the likely source of the problem.

 

jkat54
SplunkTrust

Oh dang, looks like you got a copy of 4.0.0 not 4.0.1 where I corrected that.

0 Karma

bill_king
Path Finder

Hello - I have been using version 4.0.1 (dated 7 August on Splunkbase)

jkat54
SplunkTrust

I just downloaded and checked bin/ssl_checkerv3.py and the import function is at the top of the page.

Maybe you got some hybrid version!?

I'm about to fix the setup page and example dashboard for 4.02. I'll let you know when it's available.

0 Karma

jkat54
SplunkTrust

OK, try 4.0.2 and let me know.

0 Karma