This Certificates Expiry Add-on for Splunk allows a Splunk® Enterprise
or Splunk Cloud administrator to collect certificate data from hostnames or FQDNs. The add-on
retrieves the certificate but records only minimal detail from it.
The add-on is built with Splunk AOB (Add-on Builder) and a minimalist viewpoint.
The aim is to collect the field data needed to alert the appropriate teams or administrators that
a certificate is approaching expiration and requires renewal. Use it to monitor certificates
for Splunk forwarders and indexers, e.g. indexer01:9996.
The fields collected by the add-on are:
OCSP fields are also added in this version. SAN (subjectAltName) is presented as a multivalue list.
example event (v0.0.2)
date=01/06/2022 11:42:45 fqdn=splunk.com port=443 expiredays=181 issuer="DigiCert Inc" commonName="DigiCert TLS RSA SHA256 2020 CA1" use_proxy=True notAfter="Nov 29 23:59:59 2022 GMT" notBefore="Nov 29 00:00:00 2021 GMT"
example event (v0.0.3, v0.0.4, v0.0.5)
{"time": "08/07/2023 09:11:38.590998", "OCSP": ["http://ocsp.digicert.com"], "basicConstraints": -1, "caIssuers": ["http://cacerts.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crt"], "cipher": "ECDHE-RSA-AES256-GCM-SHA384", "commonName": "DigiCert TLS RSA SHA256 2020 CA1", "crlDistributionPoints": ["http://crl3.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl", "http://crl4.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl"], "ex_flags": 263, "expiredays": 144, "extendedKeyUsage": 3, "fqdn": "splunk.com", "issuer": "DigiCert Inc", "notAfter": "Nov 28 23:59:59 2023 GMT", "notBefore": "Nov 21 00:00:00 2022 GMT", "organizationName": "DigiCert Inc", "port": "443", "protocol": "TLSv1.2", "secret_bits": "256", "serialNumber": "06DDC4517820547D85012AB1379067F7", "subjectAltName": ["splunk.com", "alias.splunk.com", "banner.splunk.com", "base.splunk.com", "blogs.splunk.com", "carabiner.splunk.com", "communities.splunk.com", "community.splunk.com", "company.splunk.com", "conf.splunk.com", "de-de.splunk.com", "de.splunk.com", "demo.splunk.com", "dev.splunk.com", "developers.splunk.com", "docs.splunk.com", "documentation.splunk.com", "download.splunk.com", "education.splunk.com", "embargo.splunk.com", "en-us.splunk.com", "en.splunk.com", "es-es.splunk.com", "es.splunk.com", "fr-fr.splunk.com", "fr.splunk.com", "it-it.splunk.com", "it.splunk.com", "ja-jp.splunk.com", "ja.splunk.com", "ko-kr.splunk.com", "ko.splunk.com", "legacyapi.splunk.com", "login.splunk.com", "partners.splunk.com", "piton.splunk.com", "preview.splunk.com", "product.splunk.com", "pt-pt.splunk.com", "pt.splunk.com", "quickdraw.splunk.com", "ru-ru.splunk.com", "ru.splunk.com", "services.splunk.com", "solutions.splunk.com", "splunklive.com", "store.splunk.com", "support.splunk.com", "usergroups.splunk.com", "web.splunk.com", "webmservices.splunk.com", "wiki.splunk.com", "www.splunk.com", "www.splunklive.com", "zh-cn.splunk.com", "zh-hans.splunk.com", "zh-hant.splunk.com", "zh-hk.splunk.com", "zh-mo.splunk.com", "zh-my.splunk.com", "zh-sg.splunk.com", "zh-tw.splunk.com"], "use_proxy": "True", "version": 3}
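As an added illustration (not the add-on's own code), the block below shows how a getpeercert()-style result from Python's ssl module maps onto the fields of the sample event above, how expiredays is derived from notAfter, and how the 30-day threshold used in the Example Alert search further down is applied. The exact field mapping, the dd/mm/yyyy time format and whole-day rounding are assumptions; SAMPLE_CERT is a constructed input and fetch_cert is only needed for a live check.

```python
import socket
import ssl
from datetime import datetime, timezone

def fetch_cert(fqdn, port=443, timeout=10):
    """Connect over TLS; return (getpeercert() dict, cipher, protocol, secret_bits)."""
    # The default context verifies the chain, so an already-expired certificate fails the
    # handshake instead of being reported; with CERT_NONE getpeercert() returns {} and the
    # DER form (binary_form=True) would have to be parsed instead.
    ctx = ssl.create_default_context()
    with socket.create_connection((fqdn, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=fqdn) as tls:
            cipher, protocol, bits = tls.cipher()
            return tls.getpeercert(), cipher, protocol, bits

def cert_to_event(cert, fqdn, port, now=None, cipher=None, protocol=None, bits=None):
    """Map a getpeercert() dict onto the add-on's event fields (assumed mapping)."""
    now = datetime.now(timezone.utc).timestamp() if now is None else now  # epoch seconds
    # "Nov 28 23:59:59 2023 GMT" is interpreted as UTC by ssl.cert_time_to_seconds()
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    expiredays = int((not_after - now) // 86400)  # whole days left (rounding assumed)
    issuer = {k: v for rdn in cert.get("issuer", ()) for k, v in rdn}
    return {
        "time": datetime.fromtimestamp(now, timezone.utc).strftime("%d/%m/%Y %H:%M:%S.%f"),
        "fqdn": fqdn, "port": str(port), "expiredays": expiredays,
        "issuer": issuer.get("organizationName"),
        "commonName": issuer.get("commonName"),
        "notAfter": cert["notAfter"], "notBefore": cert.get("notBefore"),
        "serialNumber": cert.get("serialNumber"),
        "subjectAltName": [name for _kind, name in cert.get("subjectAltName", ())],
        "OCSP": list(cert.get("OCSP", ())), "caIssuers": list(cert.get("caIssuers", ())),
        "crlDistributionPoints": list(cert.get("crlDistributionPoints", ())),
        "cipher": cipher, "protocol": protocol, "secret_bits": bits,
        "version": cert.get("version"),
    }

def is_expiring(event, threshold_days=30):
    """Same test as the alert search: fewer than threshold_days left."""
    return event["expiredays"] < threshold_days

# Constructed sample in getpeercert() layout (not a real capture)
SAMPLE_CERT = {
    "issuer": ((("countryName", "US"),), (("organizationName", "DigiCert Inc"),),
               (("commonName", "DigiCert TLS RSA SHA256 2020 CA1"),)),
    "notBefore": "Nov 21 00:00:00 2022 GMT",
    "notAfter": "Nov 28 23:59:59 2023 GMT",
    "serialNumber": "06DDC4517820547D85012AB1379067F7",
    "subjectAltName": (("DNS", "splunk.com"), ("DNS", "www.splunk.com")),
    "OCSP": ("http://ocsp.digicert.com",),
}
```

Calling cert_to_event(SAMPLE_CERT, "splunk.com", 443, now=1688807498) (8 July 2023 09:11:38 UTC) yields expiredays 143, so is_expiring() is False at the 30-day threshold.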
No components are required on Search Heads or Search Head Clusters.
Install this TA on a Heavy Forwarder (HF) and configure inputs, with or without a proxy.
Proxy:
The proxy implementation is limited at this time, http transparent proxy only. No authentication to the proxy is performed in this version.
Debug log level:
Debug logging is enabled when this option is set.
Interval:
Defaults to 24h (86400 seconds), which is normally frequent enough for raising alerts. This can be overridden in the local folder:
[fqdn_for_certificate]
interval = <integer>
Internal Index info:
Use the internal index for information on the inputs:
index=_internal sourcetype="tacertificatesexpiry:log"
Example Search
sourcetype=ssl_cert | stats last(issuer) as Issuer last(commonName) as commonName last(expiredays) as "Days Left" by fqdn | rename fqdn as "Domain / Hostname"
Example Alert search
sourcetype=ssl_cert | stats last(issuer) as Issuer last(commonName) as commonName last(expiredays) as "Days Left" by fqdn | rename fqdn as "Domain / Hostname" | where tonumber('Days Left') < 30
none
12th June 2023: Wallid Nazzal - found an inputs bug with high numbers of inputs set up (file not found); changed the temp file to use a uuid.
22nd June 2023: Kevin Buckley - requested that the cipher and SSL details be added as more useful data. Moved toward OCSP and JSON data structures.
18th November 2023: v0.0.4 - Splunk AppInspect - check_for_addon_builder_version + check_python_sdk_version flagged an outdated version of the Splunk SDK for Python (1.6.16). Upgrade to 1.7.3 or later.
21st November 2023: v0.0.5 - Splunk AppInspect - updated Splunk SDK for Python (1.7.4).
4th September 2024: v0.0.8 - Steffen Griebel - reported hitting inputs.conf limitations on the forwarder at around 300 inputs. I decided to restructure the TA for single instance mode and iterate over inputs; many users could have thousands of endpoints, and this change supports that. Added a little more debug info. Code fix-ups.
12th September 2024: v1.0.0 - Splunk AppInspect - check_version_is_valid_semver + updated Splunk SDK for Python (2.0.2).
1.0.0 - contains single instance mode, supporting very large numbers of inputs while using low compute resources.
- latest Splunk SDK for Python version 2.0.2
- app.conf version property that is formatted as per Semantic Versioning 2.0.0.
As of version 0.0.8 the mode is changed to single instance. This allows large scale inputs; the author has tested up to 5,000 inputs, and the forwarder now uses fewer resources.
Single instance mode:
From version 0.0.8 the code in this TA is restructured to use a single instance modular input. A single instance modular input is lighter on forwarder resources and iterates over the inputs rather than spawning one process per input. This also means there are no intervals on individual inputs in inputs.conf, but rather a single interval in inputs.conf which defaults to 1 day (24 hours). You can override this in local/inputs.conf if you require more or less frequent data:
[fqdn_for_certificate]
interval = <number>
If upgrading the TA, interval values will still exist in inputs.conf for individual inputs; consider removing interval = <period> from them, as it is no longer used on individual inputs, only in the stanza above.
New field:
* inputstanza_name - the short name in inputs.conf after [fqdn_for_certificate://<name>]
This should assist in tracking large scale inputs and their issues.