Does anyone have a nice Windows scripted input that will output the local certificate end date?
i.e. something like
inputs.conf
[script://.\bin\ssl_check.bat]
disabled = false
index = ssl_check
interval = -1
sourcetype = ssl_check
ssl_check.bat
"C:\program files\SplunkUniversalForwarder\bin\splunk" cmd openssl x509 -enddate -noout -in "C:\program files\SplunkUniversalForwarder\etc\auth\ca.pem"
My problem is that the Windows openssl opens its own little window and doesn't output to stdout. As such there isn't any text for the input to grab.
Edit: I've tried numerous x509 parameters but nothing seems to want to output a text version of the certificate to a file. All the -out or -text options only output to the spawned console which can't be grabbed.
We need this to verify remediation work.
I've figured out a way to do it by calling the binary directly and not the "splunk cmd" method.
Below is my scripted input
inputs.conf
[script://.\bin\ssl_check_ca.bat]
disabled = false
index = sos
interval = 86400
sourcetype = ssl_check_ca
ssl_check_ca.bat
@echo off
For /f "tokens=2-4 delims=/ " %%a in ('date /t') do (set mydate=%%c-%%a-%%b)
For /f "tokens=1-2 delims=/:" %%a in ('time /t') do (set mytime=%%a:%%b)
"C:\Program Files\SplunkUniversalForwarder\bin\openssl" x509 -enddate -noout -in "C:\Program Files\SplunkUniversalForwarder\etc\auth\cacert.pem" >cacert.txt
set /p VV=<cacert.txt
For /f "tokens=1-6 delims=/ " %%a in ('echo %VV%') do (set enddate=%%a="%%b %%c %%d %%e %%f")
echo %mydate% %mytime%, ssl_cert=cacert.pem, %enddate%
It is a start and provides a nice mostly clean output like the following which is good enough for what it needs to do.
2016-06-05 03:19 PM, ssl_cert=cacert.pem, notAfter="Jul 21 17:12:19 2016 GMT"
Note: this doesn't do ANY path validation so it just assumes a default installation directory.
This has only been run on Windows 10 so I still need to validate it against other versions of Windows.
Have you tried a simple
blah my command > outputfilename.txt
That should redirect the entire pile of output to a text file called outputfilename.txt.
It's not a Unix box. It's Windows.
Please try what you're suggesting on a Windows machine and see what happens. 😉
Interesting! Glad you got it sorted.
For future reference, I checked a bit more and the key was to run the cmd prompt in Administrator mode.
C:\Users\MyUser>"C:\program files\SplunkUniversalForwarder\bin\splunk" cmd openssl x509 -enddate -noout -in "C:\program files\SplunkUniversalForwarder\etc\auth\ca.pem" >output.txt
C:\Users\MyUser>type output.txt
notAfter=May 8 19:51:37 2025 GMT
Which matches what I get when I run yours
C:\Users\MyUser>"C:\Program Files\SplunkUniversalForwarder\bin\openssl" x509 -enddate -noout -in "C:\Program Files\SplunkUniversalForwarder\etc\auth\cacert.pem" >cacert.txt
WARNING: can't open config file: C:\\wrangler-2.0\\build-home\\ember/ssl/openssl.cnf
C:\Users\MyUser>type output.txt
notAfter=May 8 19:51:37 2025 GMT
Actually, you'll notice when I run it not as a Splunk cmd there's something missing in the config settings (probably an environment variable), causing a WARNING to be spit out on STDERR. You could capture that too, because though CMD isn't quite as robust or fully featured as even sh, it DOES support a lot of stuff folks don't know about. The key there is to redirect to a file, then tell CMD to redirect stderr (2) to the same place as stdoutput (1), with this tagged on the end: 2>&1, like
C:\Users\MyUser>"C:\Program Files\SplunkUniversalForwarder\bin\openssl" x509 -enddate -noout -in "C:\Program Files\SplunkUniversalForwarder\etc\auth\cacert.pem" >cacert.txt 2>&1
C:\Users\MyUser>type cacert.txt
notAfter=May 8 19:51:37 2025 GMT
WARNING: can't open config file: C:\\wrangler-2.0\\build-home\\ember/ssl/openssl.cnf
Of course, you probably do NOT actually want to save that warning output. 🙂
Thanks. Yeah, on the machines I tried it on I couldn't get the splunk cmd openssl output to redirect to a file using the ">". Not sure if it was a Windows 10 issue. Directly calling the openssl was the way that it worked in the end.
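
An added example, not part of the thread and not Splunk's own code: the same expiry check done in PowerShell with the .NET certificate class, which avoids the spawned console, the temp file and the openssl.cnf warning, and adds the path validation the batch version lacks. The function name Write-CertEvent and the status and days_left fields are assumptions made for this sketch; the default path is the one used in the thread, and how the script is wired into inputs.conf is not shown.

```powershell
# Added example (constructed for illustration). Emits one key=value line on
# stdout per run, in the same shape as the batch script's output.
param(
    # Default install path taken from the thread; override for other layouts.
    [string]$CertPath = 'C:\Program Files\SplunkUniversalForwarder\etc\auth\cacert.pem'
)

$inv  = [System.Globalization.CultureInfo]::InvariantCulture
$now  = [DateTime]::UtcNow
# Culture-independent timestamp, unlike parsing 'date /t' and 'time /t'.
$ts   = $now.ToString('yyyy-MM-dd HH:mm:ss', $inv) + ' GMT'
$name = Split-Path -Leaf $CertPath

function Write-CertEvent([string]$Fields) {
    Write-Output "$ts, ssl_cert=$name, $Fields"
}

# Path validation: report a missing file as an event instead of failing silently.
if (-not (Test-Path -LiteralPath $CertPath -PathType Leaf)) {
    Write-CertEvent 'status=error, reason="file not found"'
    exit 1
}

# Use only the first CERTIFICATE block, so a PEM that also holds a key or a
# chain is still handled.
$pem = Get-Content -LiteralPath $CertPath -Raw
$m = [regex]::Match($pem, '-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----', 'Singleline')
if (-not $m.Success) {
    Write-CertEvent 'status=error, reason="no PEM certificate block"'
    exit 1
}

try {
    $der  = [Convert]::FromBase64String(($m.Groups[1].Value -replace '\s', ''))
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
} catch {
    Write-CertEvent 'status=error, reason="certificate could not be parsed"'
    exit 1
}

# NotAfter is returned in local time; convert so the value matches openssl's GMT.
$notAfter = $cert.NotAfter.ToUniversalTime()
$daysLeft = [int][Math]::Floor(($notAfter - $now).TotalDays)
$status   = if ($daysLeft -lt 0) { 'expired' } else { 'ok' }
Write-CertEvent ('status={0}, notAfter="{1} GMT", days_left={2}' -f $status, $notAfter.ToString('MMM d HH:mm:ss yyyy', $inv), $daysLeft)
```

The days_left field lets a search alert on a threshold without parsing the notAfter string at search time.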