Splunk Enterprise

Does _internal report the expiration date of the certificate?

danielbb
Motivator

We are in the process of updating the certificates, and we manually check each one via the browser to see whether the certificate truly expires next year. Is this information in _internal, by any chance?

0 Karma

PrewinThomas
Motivator

@danielbb 

No, Splunk _internal does not proactively log certificate expiration details.

As others have mentioned, you can use a scripted input or third-party add-on, which is easy to configure and can help you proactively monitor and manage SSL certificate renewals.

Add-on - https://splunkbase.splunk.com/app/6475

Regards,
Prewin
Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!

0 Karma

PickleRick
SplunkTrust

This add-on is a bit different. As I understand it from the description, it doesn't check Splunk's own certs, but connects to a given endpoint on the network and checks the cert presented there. It's kinda like check_ssl in Nagios.

0 Karma

MuS
SplunkTrust

Hi there,

Short answer is no, but you could create a scripted input using this command https://community.splunk.com/t5/Security/Check-HTTPS-certifciates/m-p/145539/highlight/true#M4466 and get this indexed into _internal.

Hope this helps ...

Cheers, MuS

0 Karma

PickleRick
SplunkTrust

Yup. It is possible by means of scripted input. I did something like that once. Two versions - one in PS to handle Windows machines, another to list certs on unices. If your certs are in static places, that should be relatively easy. The problem starts when you want to list all certs Splunk uses in its configs and get info from all of them - it requires more scripting.

0 Karma

sainag_splunk
Splunk Employee

@danielbb No, _internal does not proactively report certificate expiration dates. It only logs SSL errors after certificates have already expired, which is too late for proactive monitoring.

  What _internal shows:

  index=_internal sourcetype=splunkd component=TcpInputProc log_level=ERROR "SSL routines:SSL3_READ_BYTES:sslv3 alert certificate expired"

  This only appears after the cert has expired.

  For on-prem: maybe create a scripted input to check certificate expiration and monitor?

  #!/bin/bash
  # Script to check cert expiration
  openssl x509 -enddate -noout -in /path/to/cert.pem



If this Helps, Please Upvote

If this helps, Upvote!!!!
Together we make the Splunk Community stronger 
0 Karma
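
An added example, not code from any poster in this thread: the scripted-input idea above carried one step further, so each certificate yields a single key=value event with the days remaining and a status Splunk can alert on before expiry. The script name, field names and 30-day threshold are assumptions; it requires GNU date and the openssl CLI.

```shell
#!/bin/bash
# Added example: scripted input that emits one key=value event per certificate.
# Assumed usage: cert_expiry.sh /path/to/cert.pem [more.pem ...]
WARN_DAYS=30   # assumed threshold for status=expiring

# $1 = openssl notAfter string, $2 = "now" in epoch seconds.
# Prints whole days remaining (floored; negative once expired). Needs GNU date.
days_left() {
    local end_epoch diff
    end_epoch=$(date -u -d "$1" +%s) || return 1
    diff=$(( end_epoch - $2 ))
    if [ "$diff" -lt 0 ]; then
        echo $(( (diff - 86399) / 86400 ))   # floor for negative values
    else
        echo $(( diff / 86400 ))
    fi
}

# Map days remaining to a status field value.
classify() {
    if [ "$1" -lt 0 ]; then echo expired
    elif [ "$1" -le "$WARN_DAYS" ]; then echo expiring
    else echo ok
    fi
}

# Print one event for the certificate at $1, evaluated at epoch $2.
report_cert() {
    local cert=$1 now=$2 line not_after days ts
    ts=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    if ! line=$(openssl x509 -enddate -noout -in "$cert" 2>/dev/null); then
        # Missing, unreadable or non-PEM file: report it instead of staying silent.
        echo "$ts cert_path=\"$cert\" status=unreadable"
        return 0
    fi
    not_after=${line#notAfter=}
    days=$(days_left "$not_after" "$now") || return 0
    echo "$ts cert_path=\"$cert\" not_after=\"$not_after\" days_left=$days status=$(classify "$days")"
}

now=$(date -u +%s)
for cert in "$@"; do
    report_cert "$cert" "$now"
done
```

Registered as a scripted input in inputs.conf with a daily interval, the events can be searched for status!=ok to catch certificates before the expired-certificate errors show up in _internal.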