Security

How can I use Splunk (or Splunk ES) to track the expiry date of all the certificates we use?

aseid
New Member

Hello
I need to design a report in Splunk that tracks expiry dates of all the SSL certificates used by different applications on different servers. [This is not about the certificate used by Splunk itself]. As far as I know, SSL certificate info is not streamed to Splunk. Rather, they are kept in files grouped into designated folders on each servers. Is there anyway to make Splunk access these data and generate the requested report. The report part is the easier part here. The challenge is to make the certificate information available to Splunk. Does the 'Certificate Datamodel' help here?

Thanks.


Rob
Splunk Employee
Splunk Employee

The best way to do this would probably be to use a scripted input or to have a script generate the data. The reason is that we need to use a third-party utility, such as OpenSSL, to get that info, or alternatively we need to be able to read the information from the SSL key exchange process.

Here is the basic script that you can start with:

echo | openssl s_client -connect site:port 2>/dev/null | openssl x509 -noout -dates

where the site:port portion is for the certificate you would like to check.

To put more SSL info in to a file with a timestamp for time series indexing you could try something like this:

echo | openssl s_client -connect site:port 2>/dev/null | openssl x509 -noout -dates -subject -issuer | xargs | while IFS= read -r line; do printf '[%s] %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$line"; done >> mySSLExp.log

If you prefer to gather the SSL key metadata from the key exchange, you could look into using the Splunk Stream app to extract that information as well, which may be easier if the data can be readily seen on the wire.

Edit - The ES app can show some of the SSL key information from data that it has gathered from the Stream app. You can either take a look at the Stream data or look at the dashboards for SSL activity to see if that answers the question.
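A fuller scripted input along the lines Rob describes, added here as an example (it is not code from the original post or from Splunk): it runs the same openssl pipeline for a list of targets, covering both live endpoints (openssl s_client, as in the answer) and PEM files already on disk (openssl x509 -in, the situation in the question), parses the notAfter/subject/issuer lines, and emits one timestamped key=value event per certificate with the days remaining, which is what the expiry report needs. The target list, the path /etc/ssl/certs/app.pem, the 30-day threshold, the sample openssl output and all function names are assumptions; only the openssl binary on PATH and the Python standard library are required.

```python
#!/usr/bin/env python3
"""Scripted input: emit one key=value event per certificate with its expiry.

Handles both cases discussed on this page: live endpoints (openssl s_client)
and PEM files already on disk (openssl x509 -in). Assumes openssl is on PATH.
"""
import calendar
import ssl
import subprocess
import sys
import time

# Constructed target list (assumption); a real deployment would read these
# from a config file instead of hard-coding them.
TARGETS = [
    ("endpoint", "www.example.com:443"),
    ("file", "/etc/ssl/certs/app.pem"),  # hypothetical path
]
WARN_DAYS = 30  # assumed threshold for the "expiring_soon" status
X509_ARGS = ["openssl", "x509", "-noout", "-dates", "-subject", "-issuer"]

# Constructed sample of what the openssl pipeline prints, used for offline checks.
SAMPLE_OPENSSL_OUTPUT = """notBefore=Jan  1 00:00:00 2024 GMT
notAfter=Jun  1 12:00:00 2025 GMT
subject=CN = app.example.com
issuer=C = US, O = Example CA
"""


def openssl_text(kind, target):
    """Run the same openssl pipeline as the answer above; return its text output."""
    if kind == "endpoint":
        # Empty stdin plays the role of 'echo |': s_client exits after the handshake.
        handshake = subprocess.run(
            ["openssl", "s_client", "-connect", target],
            input=b"", capture_output=True, timeout=15)
        dump = subprocess.run(X509_ARGS, input=handshake.stdout,
                              capture_output=True, check=True)
    else:
        dump = subprocess.run(X509_ARGS + ["-in", target],
                              capture_output=True, check=True)
    return dump.stdout.decode("utf-8", "replace")


def parse_openssl_fields(text):
    """Turn 'notAfter=...' style lines into a dict. Splits on the first '=' only,
    so 'subject=CN = app.example.com' keeps its whole value."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def utc_epoch(year, month, day, hour=0, minute=0, second=0):
    """Epoch seconds for a UTC timestamp (keeps the arithmetic below explicit)."""
    return calendar.timegm((year, month, day, hour, minute, second, 0, 0, 0))


def expiry_epoch(not_after):
    """openssl prints e.g. 'Jun  1 12:00:00 2025 GMT'; the stdlib parses that as UTC."""
    return ssl.cert_time_to_seconds(not_after)


def build_event(fields, target, now_epoch):
    """One Splunk-friendly line: leading timestamp, then key=value pairs."""
    days_left = (expiry_epoch(fields["notAfter"]) - now_epoch) // 86400
    if days_left < 0:
        status = "expired"
    elif days_left <= WARN_DAYS:
        status = "expiring_soon"
    else:
        status = "ok"
    stamp = time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(now_epoch))
    subject = fields.get("subject", "")
    issuer = fields.get("issuer", "")
    not_after = fields["notAfter"]
    return (f'{stamp} target="{target}" subject="{subject}" issuer="{issuer}" '
            f'not_after="{not_after}" days_left={days_left} status={status}')


def main():
    now = int(time.time())
    for kind, target in TARGETS:
        try:
            fields = parse_openssl_fields(openssl_text(kind, target))
            print(build_event(fields, target, now))
        except (subprocess.SubprocessError, KeyError, ValueError) as exc:
            # One unreachable host or unreadable file must not stop the whole run.
            print(f'target="{target}" status=error reason="{exc}"', file=sys.stderr)


if __name__ == "__main__":
    main()
```

Point a Splunk scripted input at this file on whatever interval suits you; each run appends events such as `2025-05-02 12:00:00 target="www.example.com:443" ... days_left=30 status=expiring_soon`, so the report is a simple search on `status!=ok` or `days_left<30` with `stats latest(days_left) by target`. Keeping the per-target failure as a separate `status=error` event, rather than aborting, means a server that is down shows up in the report instead of silently dropping out of it.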


aseid
New Member

Thanks Bob for the detailed response.


season88481
Contributor

I think he is Rob. 🙂



season88481
Contributor

This will save some lives.
