Security

Is there a way to index SSL certificate (.cer) file using Universal Forwarder?

prakhersinghal
Explorer

Hello,
I have a certificate file that I want to index in Splunk. The file reside in "D:\somedir\name.cer"

I have tried to create a monitor stanza in inputs.conf but it's not showing up in Splunk.

[monitor://D:\somedir\name.cer]
sourcetype = CERTS
crcSalt = < SOURCE>
disabled = false
followTail = false
index = CERT_INDEX

But the files doesn't show up in Splunk? Is there a different way to monitor certificate files?

Thanks.

Tags (1)
0 Karma

esix_splunk
Splunk Employee
Splunk Employee

This wont work on UF, but take a look at this app : https://splunkbase.splunk.com/app/3172/#/details

It might be of interest to you. For your monitor statement, its correct, however that cert file is not a standard sourcetype that Splunk will recognize out of the box. Do you have a props defined for these files? You'll need to setup multiline and linebreaking.

0 Karma

prakhersinghal
Explorer

Thanks @esix_splunk for the response. I will try that app.

Regarding the source type, I have not defined anything on the props.conf file but when I query the data in Splunk, I can see my defined source types available under "sourcetype" field.

Actually, my source types are generated by a script based on JVM name and is set on inputs.conf during forwarder setup.
Is this not the right way of doing it?

0 Karma

prakhersinghal
Explorer

or may be I need to define custom fields and define source types based on data.

0 Karma
Get Updates on the Splunk Community!

What You Read The Most: Splunk Lantern’s Most Popular Articles!

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

See your relevant APM services, dashboards, and alerts in one place with the updated ...

As a Splunk Observability user, you have a lot of data you have to manage, prioritize, and troubleshoot on a ...

Index This | What goes away as soon as you talk about it?

May 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this month’s ...