Splunk Enterprise

Does _internal report the expiration date of the certificate?

danielbb
Motivator

We are in the process of updating the certificates and we go manually to check each one via the browser whether the certificate truly expires next year. Is this information in _internal, by any chance?


PrewinThomas
Motivator

@danielbb 

No, Splunk _internal does not proactively log certificate expiration details.

As others have mentioned, you can use a scripted input or third-party add-on, which is easy to configure and can help you proactively monitor and manage SSL certificate renewals.

Add-on - https://splunkbase.splunk.com/app/6475

Regards,
Prewin

PickleRick
SplunkTrust

This addon is a bit different. As I understand it from the description, it doesn't check Splunk's own certs, but connects to a given endpoint on the network and checks the cert presented there. It's kinda like check_ssl in Nagios.


MuS
Legend

Hi there,

Short answer is no, but you could create a scripted input using this command https://community.splunk.com/t5/Security/Check-HTTPS-certifciates/m-p/145539/highlight/true#M4466 and get this indexed into _internal

 

Hope this helps ...

Cheers, MuS


PickleRick
SplunkTrust

Yup. It is possible by means of scripted input. I did something like that once. Two versions - one in PS to handle Windows machines, another to list certs on unices. If your certs are in static places, that should be relatively easy. The problem starts when you want to list all certs Splunk uses in its configs and get info from all of them - it requires more scripting.


sainag_splunk
Splunk Employee

@danielbb No, _internal does not proactively report certificate expiration dates. It only logs SSL errors after certificates have already expired, which is too late for proactive monitoring.

  What _internal shows:

  index=_internal sourcetype=splunkd component=TcpInputProc log_level=ERROR "SSL routines:SSL3_READ_BYTES:sslv3 alert certificate expired"

  This only appears after the cert has expired.

  For On-Prem: maybe create a scripted input to check certificate expiration and monitor?

  #!/bin/bash
  # Script to check cert expiration
  openssl x509 -enddate -noout -in /path/to/cert.pem



If this Helps, Please Upvote
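
The scripted-input approach suggested in the replies above, carried one step further as an added example that is not part of any post in this thread: it turns the `openssl x509 -enddate` output into a key=value event with the days remaining and a status, so a search can alert before expiry. It assumes openssl and GNU date are on PATH; `WARN_DAYS` and the function names are hypothetical, and the certificate paths are whatever you pass as arguments.

```bash
#!/bin/bash
# Added example, not code from the thread. Scripted input that prints one
# key=value event per PEM file passed as an argument, so the expiry date can be
# searched and alerted on before the certificate lapses.
# Assumptions: openssl and GNU date are on PATH; WARN_DAYS and the function
# names are hypothetical; certificate paths are supplied by you.

WARN_DAYS="${WARN_DAYS:-30}"    # alert window in days

# format_event <cert_path> <"notAfter=..." line> [now_epoch]
# Turns openssl's end-date line into an event. now_epoch is injectable so the
# date arithmetic can be checked against a fixed clock.
format_event() {
    local path="$1" not_after="${2#notAfter=}" now="${3:-$(date +%s)}"
    local end secs status
    end=$(date -u -d "$not_after" +%s 2>/dev/null) || {
        echo "cert_path=\"$path\" status=unparseable"
        return 1
    }
    secs=$(( end - now ))
    # Decide on seconds, not days: integer division would report a cert that
    # expired an hour ago as days_left=0 and hide that it is already invalid.
    if [ "$secs" -le 0 ]; then
        status=expired
    elif [ "$secs" -le $(( WARN_DAYS * 86400 )) ]; then
        status=expiring
    else
        status=ok
    fi
    echo "cert_path=\"$path\" not_after=\"$not_after\" days_left=$(( secs / 86400 )) status=$status"
}

# check_cert <cert_path>
# Reads the end date of the first certificate in the file (openssl x509 does
# not walk the rest of a chain bundle) and emits the event.
check_cert() {
    local line
    line=$(openssl x509 -enddate -noout -in "$1" 2>/dev/null) || {
        echo "cert_path=\"$1\" status=unreadable"
        return 1
    }
    format_event "$1" "$line"
}

# Splunk indexes whatever the script writes to stdout on each scheduled run.
for cert in "$@"; do
    check_cert "$cert"
done
```

Unreadable or unparseable files still produce an event, so a missing or replaced certificate shows up in the index instead of silently dropping out of the results.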
