I need to validate all my forwarders to check which SLL version(TLS1.2, TLS1.1, ETC) they are using to send data. We recently deployed changes to all the agents to use TLS1.2, but we need to validate it.
Is there a way to check in Splunk with a query? Currently, I am working on the queries below but not all the clients giving SSL version with this approach. Can anyone help me with this?
Splunk_SSLversion Lookup
index=_internal source=*splunkd.log sourcetype=splunkd message="*Server supporting SSL versions*"
| dedup host
| eval Time=strftime(_time, "%D %H:%M:%S")
| eval Host=upper(host)
| stats latest(Time) as Time latest(message) as SSL_Status by Host
| table Time Host SSL_Status | outputlookup append=true Splunk_SSLversions.csv
Second query:
index=_internal source=*metrics.log group=tcpin_connections
| eval hostname=upper(hostname)
| eval sourceHost=if(isnull(hostname), sourceHost,hostname)
| eval connectionType=case(fwdType=="uf","univ fwder", fwdType=="lwf", "lightwt fwder",fwdType=="full", "heavy fwder", connectionType=="cooked" or connectionType=="cookedSSL","Splunk fwder", connectionType=="raw" or connectionType=="rawSSL","legacy fwder")
| search connectionType="univ fwder"
| rename arch as MachineType | lookup local=true Splunk_SSLversion_Details.csv Host AS sourceHost OUTPUTNEW SSL_Status as SSL_Version
| table connectionType sourceIp sourceHost SSL_Version MachineType
| dedup sourceIp
... View more