I have a simple Windows script that collects CRL expiration dates and runs as a task every 24 hours:
echo | set /P = "%date:~4,10% %time:~1,7% " >> c:\crl_expiration.log
echo | set /P = "crl1.crl " >> c:\crl_expiration.log
openssl crl -inform DER -in \\x.x.x.x\crl\crl1.crl -noout -nextupdate >> c:\crl_expiration.log
echo.>>c:\crl_expiration.log
The log output looks like this:
05/09/2019 13:00:01 crl1.crl nextUpdate=May 15 17:00:00 2019 GMT
05/09/2019 13:00:02 crl2.crl nextUpdate=May 15 17:00:00 2019 GMT
05/09/2019 13:00:05 crl3.crl nextUpdate=May 15 17:00:00 2019 GMT
These get indexed by Splunk.
I need to compare the given CRL expiration date listed as nextUpdate to today, and I need to create an alert if the CRLs are going to expire soon.
| eval dateadded_epoch = strptime('Date Added', "%b %d %H:%M:%S %Y") | where dateadded_epoch >= relative_time(now(), "-1d@d")
I have not been able to get this to work for some reason, and if someone has a suggestion on a better way to do this, it would be welcome.
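An added example, not part of the original post: the nextUpdate-versus-now check done in Python over constructed lines in the log format shown above. It parses nextUpdate as UTC, keeps the latest value per CRL, and returns the CRLs inside a warning window plus any lines that carry no nextUpdate. The 3-day window, the function names and the sample values are assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample in the post's log format (values are illustrative).
# crl3 has a space-padded single-digit day; crl4 has no nextUpdate at all.
SAMPLE_LOG = """\
05/09/2019 13:00:01 crl1.crl nextUpdate=May 15 17:00:00 2019 GMT
05/09/2019 13:00:02 crl2.crl nextUpdate=May 10 17:00:00 2019 GMT
05/09/2019 13:00:05 crl3.crl nextUpdate=May  8 17:00:00 2019 GMT
05/09/2019 13:00:07 crl4.crl
"""

# Skip the logged date and time, then capture the CRL name and nextUpdate text.
LINE_RE = re.compile(
    r"^\S+\s+\S+\s+(?P<crl>\S+)\s+"
    r"nextUpdate=(?P<next>\w{3}\s+\d{1,2}\s+[\d:]{8}\s+\d{4})\s+GMT"
)

def parse_line(line):
    """Return (crl_name, nextUpdate as aware UTC datetime), or None if no match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # Collapse the double space that appears before single-digit days.
    text = " ".join(m.group("next").split())
    # %b matches English month names under the default C locale.
    when = datetime.strptime(text, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)
    return m.group("crl"), when

def expiring(log_text, now, warn_within=timedelta(days=3)):
    """Return ({crl: time_left} inside the window, [lines without nextUpdate])."""
    latest, unparsed = {}, []
    for line in filter(None, log_text.splitlines()):
        parsed = parse_line(line)
        if parsed is None:
            unparsed.append(line)  # a missing nextUpdate deserves its own alert
            continue
        latest[parsed[0]] = parsed[1]  # later log lines overwrite earlier ones
    alerts = {c: t - now for c, t in latest.items() if t - now <= warn_within}
    return alerts, unparsed

if __name__ == "__main__":
    alerts, unparsed = expiring(SAMPLE_LOG, datetime.now(timezone.utc))
    for crl, left in sorted(alerts.items()):
        print(f"ALERT {crl}: nextUpdate in {left}")
    for line in unparsed:
        print(f"ALERT no nextUpdate found: {line}")
```

A negative time left means the CRL is already past its nextUpdate, which the same comparison catches.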