Monitoring Splunk

Monitoring own certificates - Is there a reasonable built-in way to get details of certificates in the environment?

PickleRick
SplunkTrust

Hello.

I'm wondering if there is a reasonable built-in way to get details of the certificates used across the Splunk environment.

I have several indexers, some search heads and many forwarders, and all the traffic is encrypted and authenticated with certificates. With several dozen (or even hundreds of) certificates it's obviously hard to track by hand which certs expire when, and I'm sometimes getting into the annoying situation where a UF stops forwarding because it's no longer authenticated by the HFs, because its cert has just expired.

I could of course prepare a completely external script which would run, let's say, once a day, do a quick scan over the config files, find the certificate-related directives, extract the relevant data from the certificates and report it into some file that I'd later ingest into Splunk. Another approach would be to do without the intermediate log file and run it as a scripted input, but it boils down to the same thing.

It's possible, but it's kinda inconvenient since I'd have to prepare two separate versions of such a tool (one for Linux, one for Windows) and maintain such a solution separately. And I'm not a big PowerShell pro, so it'd be a bit of a challenge for me to prepare the script for Windows.

Hence the question whether Splunk can report such details on its own. I didn't find anything useful so far, but maybe I missed something.
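As an added example that is not part of the thread, the scripted-input approach sketched above in standard-library Python: it greps .conf files for certificate directives, reads notAfter straight out of the PEM/DER instead of shelling out to openssl, and yields one record per directive (missing files and expired certs included). The directive list, file locations and the constructed sample deployment are assumptions, and it still needs a Python interpreter on the host.

```python
import base64, datetime, glob, os, re, tempfile
DIRECTIVE = re.compile(r"^\s*(serverCert|clientCert|sslRootCAPath)\s*=\s*(\S+)", re.M)  # assumed directive list
UTC = datetime.timezone.utc

def _tlv(buf, pos):
    """One DER tag/length/value at pos -> (tag, value, next_pos); handles long-form lengths."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                # long form: low 7 bits = number of length octets
        ln, pos = int.from_bytes(buf[pos:pos + (ln & 0x7F)], "big"), pos + (ln & 0x7F)
    return tag, buf[pos:pos + ln], pos + ln

def cert_not_after(der):
    """Walk Certificate -> tbsCertificate -> validity; return notAfter as an aware UTC datetime."""
    tbs, pos, fields = _tlv(_tlv(der, 0)[1], 0)[1], 0, []
    while len(fields) < 4:                       # serialNumber, signature, issuer, validity
        tag, val, pos = _tlv(tbs, pos)
        if tag != 0xA0: fields.append(val)       # the optional explicit [0] version is skipped
    tag, t, _ = _tlv(fields[3], _tlv(fields[3], 0)[2])          # skip notBefore, read notAfter
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"   # UTCTime vs GeneralizedTime
    return datetime.datetime.strptime(t.decode(), fmt).replace(tzinfo=UTC)

def scan_configs(conf_glob, now=None):
    """Yield one record per certificate directive; a scripted input would print them as key=value."""
    now = now or datetime.datetime.now(UTC)
    for conf in sorted(glob.glob(conf_glob, recursive=True)):
        for key, path in DIRECTIVE.findall(open(conf, errors="replace").read()):
            path = os.path.expandvars(path)      # configs usually reference $SPLUNK_HOME
            rec = {"conf": conf, "directive": key, "cert": path, "status": "missing"}
            if os.path.isfile(path):
                b64 = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END", open(path).read(), re.S).group(1)
                exp = cert_not_after(base64.b64decode("".join(b64.split())))
                rec.update(not_after=exp.isoformat(), days_left=(exp - now).days, status="expired" if exp <= now else "ok")
            yield rec

def write_sample_deployment(days_left=10):       # constructed mini deployment: dummy cert + one missing path
    def tlv(tag, body):                          # DER encode with short- or long-form length
        lb = b"" if len(body) < 128 else len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
        return bytes([tag, len(body) if not lb else 0x80 | len(lb)]) + lb + body
    seq = lambda *p: tlv(0x30, b"".join(p))
    utc = lambda d: tlv(0x17, d.strftime("%y%m%d%H%M%SZ").encode())
    home, exp = tempfile.mkdtemp(), datetime.datetime.now(UTC) + datetime.timedelta(days=days_left)
    alg = seq(tlv(0x06, bytes.fromhex("2a864886f70d01010b")), tlv(0x05, b""))   # sha256WithRSAEncryption
    tbs = seq(tlv(0xA0, tlv(0x02, b"\x02")), tlv(0x02, b"\x01"), alg, seq(),
              seq(utc(exp - datetime.timedelta(days=365)), utc(exp)), seq(), seq())
    der = seq(tbs, alg, tlv(0x03, b"\x00" * 200))  # unsigned; oversized dummy signature forces long-form lengths
    pem = "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(der).decode()
    conf = "[tcpout:hf]\nclientCert = %s/fwd.pem\nsslRootCAPath = %s/cacert.pem\n" % (home, home)
    for name, text in (("fwd.pem", pem), ("outputs.conf", conf)):
        open(os.path.join(home, name), "w").write(text)
    return os.path.join(home, "*.conf")
```

Pointing the glob at $SPLUNK_HOME/etc/**/*.conf and printing each record as key=value pairs gives a single sourcetype that an alert can watch for small days_left, expired or missing.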


richgalloway
SplunkTrust

There are apps for that, including SSL Certificate Checker (https://splunkbase.splunk.com/app/3172/).

---
If this reply helps you, Karma would be appreciated.

PickleRick
SplunkTrust

Unfortunately, due to the Python requirement, it "Doesn't work on Universal Forwarders / Light Forwarders". And it's this part that's most important to me, because all the "main" Linux-based components I can "comb" with Ansible or a similar tool once every few weeks and be relatively safe. It's the Windows forwarders that generate most of the pain (yes, I didn't write that in the opening post).

Judging from the description, it does mostly what I described: it runs the openssl command to dump cert info and stores that in an index, so my train of thought was quite good.

I must admit, though, that I don't have the habit of checking the existing apps yet.

Thanks all the same. 🙂
