Security

How can I use Splunk (or Splunk ES) to track the expiry date of all the certificates we use?

New Member

Hello
I need to design a report in Splunk that tracks expiry dates of all the SSL certificates used by different applications on different servers. [This is not about the certificate used by Splunk itself]. As far as I know, SSL certificate info is not streamed to Splunk. Rather, they are kept in files grouped into designated folders on each servers. Is there anyway to make Splunk access these data and generate the requested report. The report part is the easier part here. The challenge is to make the certificate information available to Splunk. Does the 'Certificate Datamodel' help here?

Thanks.

Tags (2)
0 Karma
1 Solution

Splunk Employee
Splunk Employee

The best way to do this would probably be to use a scripted input or to have a script generate the data. The reason is that we need to use a third party utility, such as openSSL to get that info or alternatively we need to be able to read the information from the SSL key exchange process.

Here is the basic script that you can start with:

echo | openssl s_client -connect site:port 2>/dev/null | openssl x509 -noout –dates

where the site:port portion is for the certificate you would like to check.

To put more SSL info in to a file with a timestamp for time series indexing you could try something like this:

echo | openssl s_client -connect site:port 2>/dev/null | openssl x509 -noout -dates -subject -issuer |xargs | while IFS= read -r line; do printf '[%s] %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$line"; done >> mySSLExp.log

If you prefer to gather the SSL key metadata from the key exchange, you could look in to using the Splunk Stream app to extract that information as well which may be easier if the data can be readily seen on the wire.

Edit - The ES app can show some of the SSL key information from data that it has gathered from the Stream app. You can either take a look at the Stream data or look at the dashboards for SSL activity to see if that answers the question.

View solution in original post

New Member

Thanks Bob for the detailed response.

0 Karma

Communicator

I think he is Rob. 🙂

0 Karma

Splunk Employee
Splunk Employee

The best way to do this would probably be to use a scripted input or to have a script generate the data. The reason is that we need to use a third party utility, such as openSSL to get that info or alternatively we need to be able to read the information from the SSL key exchange process.

Here is the basic script that you can start with:

echo | openssl s_client -connect site:port 2>/dev/null | openssl x509 -noout –dates

where the site:port portion is for the certificate you would like to check.

To put more SSL info in to a file with a timestamp for time series indexing you could try something like this:

echo | openssl s_client -connect site:port 2>/dev/null | openssl x509 -noout -dates -subject -issuer |xargs | while IFS= read -r line; do printf '[%s] %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$line"; done >> mySSLExp.log

If you prefer to gather the SSL key metadata from the key exchange, you could look in to using the Splunk Stream app to extract that information as well which may be easier if the data can be readily seen on the wire.

Edit - The ES app can show some of the SSL key information from data that it has gathered from the Stream app. You can either take a look at the Stream data or look at the dashboards for SSL activity to see if that answers the question.

View solution in original post

Communicator

This will save some lifes.

0 Karma