All Apps and Add-ons

Stream Splunk_SSLActivity - no common name

johnansett
Communicator

Hello! I have deployed Splunk Stream v7.1.3 and configured to collect Splunk_SSLActivity.

Events are coming through but the SSL Activity Informational Dashboards do not work.

Other dashboards/events are fine (e.g. HTTP, DNS), but when I look at the Splunk_SSLActivity data there is no common name/domain name.
I do have a field "ssl_subject" which sometimes contains CN = *.site.com OR CN = SplunkDefaultCert. In some events there is just "CN":

C = US, postalCode = 90000, ST = California, L = Newport, street = 1 PCH, O = Splunk, OU = Information Security, OU = Issued through Splunk, OU = InstantSSL Pro, CN

It looks like the app is expecting a field which isn't extracted, although both TA and App is installed (this is SplunkCloud) and the data is forwarded directly from Win and Linux hosts UF -> SplunkCloud.

I'm not sure if I can totally trust the data and while I can extract the field to match dashboard I am more concerned about WHY it's not working.

Any tips would be greatly appreciated!!

Thanks

0 Karma
.conf21 CFS Extended through 5/20!

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!