
Windows scripted input using output from splunk openssl command?

Lucas_K
Motivator

Does anyone have a nice windows scripted input that will output the local certificate end date?

i.e. something like

inputs.conf
[script://.\bin\ssl_check.bat]
disabled = false
index = ssl_check
interval = -1
sourcetype = ssl_check

ssl_check.bat
"C:\program files\SplunkUniversalForwarder\bin\splunk" cmd openssl x509 -enddate -noout -in "C:\program files\SplunkUniversalForwarder\etc\auth\ca.pem"

My problem is that the Windows openssl opens its own little window and doesn't output to stdout. As such, there isn't any text for the input to grab.


Edit: I've tried numerous x509 parameters but nothing seems to want to output a text version of the certificate to a file. All the -out or -text options only output to the spawned console, which can't be grabbed.

We need this to verify remediation work.

0 Karma
1 Solution

Lucas_K
Motivator

I've figured out a way to do it by calling the binary directly and not the "splunk cmd" method.

Below is my scripted input

inputs.conf

[script://.\bin\ssl_check_ca.bat]
disabled = false
index = sos
interval = 86400
sourcetype = ssl_check_ca

ssl_check_ca.bat

@echo off
rem Build a timestamp from the locale-dependent output of date /t and time /t
rem (parsing below assumes the US formats "Sun 06/05/2016" and "03:19 PM")
For /f "tokens=2-4 delims=/ " %%a in ('date /t') do (set mydate=%%c-%%a-%%b)
For /f "tokens=1-2 delims=/:" %%a in ('time /t') do (set mytime=%%a:%%b)
rem Call openssl.exe directly (not "splunk cmd openssl") and capture its stdout in a file
"C:\Program Files\SplunkUniversalForwarder\bin\openssl" x509 -enddate -noout -in "C:\Program Files\SplunkUniversalForwarder\etc\auth\cacert.pem" >cacert.txt
rem Read the single "notAfter=Jul 21 17:12:19 2016 GMT" line back in
set /p VV=<cacert.txt
rem Split on "=" and space, then re-quote the date part as notAfter="Jul 21 17:12:19 2016 GMT"
For /f "tokens=1-6 delims== " %%a in ('echo %VV%') do (set enddate=%%a="%%b %%c %%d %%e %%f")
echo %mydate% %mytime%, ssl_cert=cacert.pem, %enddate%

It is a start and provides a nice, mostly clean output like the following, which is good enough for what it needs to do.

2016-06-05 03:19 PM, ssl_cert=cacert.pem, notAfter="Jul 21 17:12:19 2016 GMT"

Note: this doesn't do ANY path validation, so it just assumes a default installation directory.
This has only been run on Windows 10, so I still need to validate it against other versions of Windows.


0 Karma


Richfez
SplunkTrust

Have you tried a simple

blah my command > outputfilename.txt

That should redirect the entire pile of output to a text file called outputfilename.txt.

0 Karma

Lucas_K
Motivator

It's not a Unix box. It's Windows.

Please try what you're suggesting on a Windows machine and see what happens. 😉

0 Karma

Richfez
SplunkTrust

Interesting! Glad you got it sorted.

For future reference, I checked a bit more and the key was to run the cmd prompt in Administrator mode.

C:\Users\MyUser>"C:\program files\SplunkUniversalForwarder\bin\splunk" cmd openssl x509 -enddate -noout -in "C:\program files\SplunkUniversalForwarder\etc\auth\ca.pem" >output.txt

C:\Users\MyUser>type output.txt
notAfter=May  8 19:51:37 2025 GMT

Which matches what I get when I run yours

C:\Users\MyUser>"C:\Program Files\SplunkUniversalForwarder\bin\openssl" x509 -enddate -noout -in "C:\Program Files\SplunkUniversalForwarder\etc\auth\cacert.pem" >cacert.txt
WARNING: can't open config file: C:\\wrangler-2.0\\build-home\\ember/ssl/openssl.cnf

C:\Users\MyUser>type output.txt
notAfter=May  8 19:51:37 2025 GMT

Actually, you'll notice when I run it not as a Splunk cmd there's something missing in the config settings (probably an environment variable), causing a WARNING to be spit out on STDERR. You could capture that too, because though CMD isn't quite as robust or fully featured as even sh, it DOES support a lot of stuff folks don't know about. The key there is to redirect to a file, then tell CMD to redirect stderr (2) to the same place as stdout (1), with this tagged on the end: 2>&1, like

C:\Users\MyUser>"C:\Program Files\SplunkUniversalForwarder\bin\openssl" x509 -enddate -noout -in "C:\Program Files\SplunkUniversalForwarder\etc\auth\cacert.pem" >cacert.txt 2>&1

C:\Users\MyUser>type cacert.txt
notAfter=May  8 19:51:37 2025 GMT
WARNING: can't open config file: C:\\wrangler-2.0\\build-home\\ember/ssl/openssl.cnf

Of course, you probably do NOT actually want to save that warning output. 🙂
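As an added example (not code from this thread, from Splunk, or from either poster), here is a PowerShell version of the scripted input above. It reads the certificate with .NET's X509Certificate2 instead of spawning openssl, so there is no detached console window to fight and no stderr warning to redirect, and it emits days_left and a status field that are easier to alert on than the raw notAfter string. The certificate path, the script name ssl_check_ca.ps1, the WarnDays threshold and the .bat wrapper command in the header comment are all assumptions.

```powershell
# ssl_check_ca.ps1 -- added example, not the forwarder's own code.
# Assumed Splunk wrapper ssl_check_ca.bat (the UF runs .bat, so it launches this script):
#   powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -File "%~dp0ssl_check_ca.ps1" 2>&1
param(
    [string]$CertPath = "C:\Program Files\SplunkUniversalForwarder\etc\auth\cacert.pem",  # assumed default path
    [int]$WarnDays = 30                                                                    # assumed threshold
)

$ts   = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'
$name = Split-Path -Path $CertPath -Leaf

# Emit an event on failure as well, so a missing or unreadable file is visible in Splunk
if (-not (Test-Path -LiteralPath $CertPath -PathType Leaf)) {
    Write-Output "$ts, ssl_cert=$name, status=error, reason=""file not found"""
    exit 1
}

try {
    # X509Certificate2 accepts DER or base64 (PEM) encoded certificates from a file
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertPath
} catch {
    $msg = $_.Exception.Message -replace '"', "'"
    Write-Output "$ts, ssl_cert=$name, status=error, reason=""$msg"""
    exit 1
}

# NotAfter comes back in local time; compare and report in UTC so the "GMT" label is accurate
$notAfter = $cert.NotAfter.ToUniversalTime()
$daysLeft = [int][Math]::Floor(($notAfter - [DateTime]::UtcNow).TotalDays)
$status   = if ($daysLeft -lt 0) { 'expired' } elseif ($daysLeft -lt $WarnDays) { 'expiring' } else { 'ok' }

# Same leading shape as the batch output (timestamp, ssl_cert, notAfter), plus fields for alerting
$line = '{0}, ssl_cert={1}, notAfter="{2} GMT", days_left={3}, status={4}, subject="{5}", sha1={6}'
Write-Output ($line -f $ts, $name,
    $notAfter.ToString('MMM d HH:mm:ss yyyy', [Globalization.CultureInfo]::InvariantCulture),
    $daysLeft, $status, $cert.Subject, $cert.Thumbprint)
```

Because the script never shells out, the inputs.conf stanza stays as in the accepted answer with the .bat wrapper as the script target; a search such as status=expiring OR status=expired then gives the remediation check the question asks for without parsing the month-name date in Splunk.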

Lucas_K
Motivator

Thanks. Yeah, on the machines I tried it on I couldn't get the splunk cmd openssl output to redirect to a file using ">". Not sure if it was a Windows 10 issue. Directly calling openssl was the way that it worked in the end.

0 Karma