
How can I use Splunk (or Splunk ES) to track the expiry date of all the certificates we use?

aseid
New Member

Hello
I need to design a report in Splunk that tracks expiry dates of all the SSL certificates used by different applications on different servers. [This is not about the certificate used by Splunk itself]. As far as I know, SSL certificate info is not streamed to Splunk. Rather, they are kept in files grouped into designated folders on each server. Is there any way to make Splunk access this data and generate the requested report? The report part is the easier part here. The challenge is to make the certificate information available to Splunk. Does the 'Certificate Datamodel' help here?

Thanks.


Rob
Splunk Employee

The best way to do this would probably be to use a scripted input or to have a script generate the data. The reason is that we need to use a third-party utility, such as OpenSSL, to get that info, or alternatively we need to be able to read the information from the SSL key exchange process.

Here is the basic script that you can start with:

echo | openssl s_client -connect site:port 2>/dev/null | openssl x509 -noout -dates

where the site:port portion is for the certificate you would like to check.

To put more SSL info into a file with a timestamp for time series indexing, you could try something like this:

echo | openssl s_client -connect site:port 2>/dev/null | openssl x509 -noout -dates -subject -issuer |xargs | while IFS= read -r line; do printf '[%s] %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$line"; done >> mySSLExp.log

If you prefer to gather the SSL key metadata from the key exchange, you could look into using the Splunk Stream app to extract that information as well, which may be easier if the data can be readily seen on the wire.

Edit - The ES app can show some of the SSL key information from data that it has gathered from the Stream app. You can either take a look at the Stream data or look at the dashboards for SSL activity to see if that answers the question.
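
The question concerns certificate files kept in folders on each server, so the following added example (not part of the original answer and not Splunk's own code) applies the same `openssl x509` fields to files on disk and emits one timestamped key=value event per certificate, including a `days_left` field a report can threshold on. The function names, field names and the `*.pem`/`*.crt` file layout are assumptions.

```shell
#!/bin/sh
# Added example: scripted-input sketch for certificate files on disk.
# Function names, field names and the *.pem / *.crt layout are assumptions.

# cert_event NOW_EPOCH SOURCE
# Reads `openssl x509 -noout -dates -subject -issuer` output on stdin and
# prints one key=value line. Returns non-zero if no notAfter line was seen.
cert_event() {
    awk -v now="$1" -v src="$2" '
    # Convert "Mar  1 00:00:00 2024 GMT" to epoch seconds without GNU date.
    function epoch(s,    p, t, m, y, days) {
        split(s, p, " "); split(p[3], t, ":")
        m = (index("JanFebMarAprMayJunJulAugSepOctNovDec", p[1]) + 2) / 3
        y = p[4]
        if (m <= 2) { y--; m += 12 }
        days = 365*y + int(y/4) - int(y/100) + int(y/400)
        days += int((153*(m-3) + 2)/5) + p[2] - 719469
        return days*86400 + t[1]*3600 + t[2]*60 + t[3]
    }
    /^notAfter=/ { na   = substr($0, 10) }
    /^subject=/  { subj = substr($0, 9) }
    /^issuer=/   { iss  = substr($0, 8) }
    END {
        if (na == "") exit 1
        gsub(/"/, "", subj); gsub(/"/, "", iss)   # keep key="value" quoting intact
        left = epoch(na) - now
        printf "source=\"%s\" status=%s days_left=%d not_after=\"%s\" subject=\"%s\" issuer=\"%s\"\n", src, (left > 0 ? "valid" : "expired"), int(left/86400), na, subj, iss
    }'
}

# scan_cert_dir DIR: emit one timestamped event per certificate file in DIR.
scan_cert_dir() {
    for f in "$1"/*.pem "$1"/*.crt; do
        [ -f "$f" ] || continue
        openssl x509 -in "$f" -noout -dates -subject -issuer 2>/dev/null |
            cert_event "$(date +%s)" "$f" |
            while IFS= read -r line; do
                printf '[%s] %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$line"
            done
    done
}

# Runs only when a directory argument is given (path is up to the deployment).
if [ "$#" -gt 0 ]; then scan_cert_dir "$1"; fi
```

`openssl x509 -in` reads only the first certificate in a file, so a bundle with a chain reports the first entry only. Files that are not parseable certificates produce no event.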


aseid
New Member

Thanks Bob for the detailed response.

0 Karma

season88481
Contributor

I think he is Rob. 🙂

0 Karma

season88481
Contributor

This will save some lives.
