Has anyone used Splunk to monitor Microsoft CAs?
Maybe not an application, but has anyone researched which Event IDs mean a certificate is expiring in x days?
I have looked at the MS documentation on the Event IDs, but I wanted to know what kind of success anyone had had.
This is how I am doing it.
index="foo" EventCode="64" Message="is about to expire or already expired"
I think the CA default is 7 days when it starts firing this event.
The events are part of Windows Server roles where there is no path showing up for evtx. I would like to know how you integrated those events into Splunk.