Monitoring certificates on Windows and Linux with Splunk
I was trying to monitor expiring certificates on production instances and couldn't find much information, so I wrote these scripts, which might be useful.
Latest versions on https://github.com/goncalopereira/CheckCertificates
Linux
Linux
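#!/bin/bash
# Writes one pipe-delimited record per certificate to LOG_FILE for Splunk:
#   hostname|file|validTo|validFrom|issuer CN|subject CN
# Dates are day-first (dd/mm/yyyy). Requires sudo: the certificate directory
# and /var/log are root-owned.
set -euo pipefail

LOG_FILE=/var/log/ExpiringCertificates-Monitoring.log
# NOTE(review): private/ conventionally holds keys; only .pem files there that
# also contain a certificate produce a record. Confirm this is the right path.
CERT_DIR=/etc/pki/tls/private

# Each run starts from an empty log so it reflects only the current state.
sudo touch -- "$LOG_FILE"
sudo truncate -s 0 -- "$LOG_FILE"

# The host name is the same for every record, so look it up once.
host=$(hostname)

# Print the CN from an "issuer=..." or "subject=..." line.
# OpenSSL 1.1.0 and later print "CN = name" (with spaces), older releases
# print "CN=name"; both are accepted. A line without a CN is printed unchanged.
common_name() {
  sed -e 's/.*CN *= *//' <<<"$1"
}

# find output is NUL-delimited and read on fd 3, so paths containing spaces or
# glob characters stay intact and stdin remains free for a sudo prompt.
while IFS= read -r -d '' cert <&3; do
  echo "Processing $cert"

  # Keep the openssl output in memory. A fixed file name under /tmp can be
  # pre-created or symlinked by any local user, so no temp file is used.
  # One unparsable file must not abort the run: the log was already truncated,
  # and stopping here would silently drop every remaining certificate.
  if ! cert_info=$(sudo openssl x509 -enddate -startdate -issuer -subject \
    -noout -in "$cert"); then
    echo "Skipping $cert: openssl could not read a certificate from it" >&2
    continue
  fi

  not_after=
  not_before=
  issuer=
  subject=
  while IFS= read -r line; do
    case "$line" in
      notAfter=*) not_after=${line#notAfter=} ;;
      notBefore=*) not_before=${line#notBefore=} ;;
      issuer=*) issuer=$(common_name "$line") ;;
      subject=*) subject=$(common_name "$line") ;;
    esac
  done <<<"$cert_info"

  # GNU date treats an empty string as "today", which would log a bogus
  # expiry date, so refuse to continue without both dates.
  if [[ -z "$not_after" || -z "$not_before" ]]; then
    echo "Skipping $cert: validity dates missing from openssl output" >&2
    continue
  fi

  if ! valid_to=$(date -d "$not_after" +%d/%m/%Y) ||
    ! valid_from=$(date -d "$not_before" +%d/%m/%Y); then
    echo "Skipping $cert: could not parse validity dates" >&2
    continue
  fi

  printf '%s|%s|%s|%s|%s|%s\n' \
    "$host" "$cert" "$valid_to" "$valid_from" "$issuer" "$subject" |
    sudo tee --append -- "$LOG_FILE"
done 3< <(sudo find "$CERT_DIR" -type f -name '*.pem' -print0)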
Windows
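# Writes one pipe-delimited record per LocalMachine certificate to $Path, with
# no header row, in the column order:
#   ComputerName|FileName|ValidTo|ValidFrom|Issuer|DnsName
$Path = "D:\ExpiringCertificates-Monitoring.log"

# Day-first dates regardless of the machine's regional settings.
# ToShortDateString() follows the local culture, so hosts with different
# locales would emit different formats into the same sourcetype.
$DateFormat = 'dd/MM/yyyy'
$Invariant = [System.Globalization.CultureInfo]::InvariantCulture

# Store containers and items without validity dates or DNS names are skipped.
$certs = Get-ChildItem CERT:LocalMachine -Recurse |
    Where-Object { $null -ne $_.NotAfter -and $null -ne $_.DnsNameList }

$list = $certs | Sort-Object NotAfter |
    Select-Object @{Name = "ComputerName"; Expression = { $env:COMPUTERNAME } },  # PSComputerName is only populated by remoting, so it is empty for a local run
        @{Name = "FileName"; Expression = { "" } },  # store certificates have no file path; kept empty to preserve the column layout
        @{Name = "ValidTo"; Expression = { $_.NotAfter.ToString($DateFormat, $Invariant) } },
        @{Name = "ValidFrom"; Expression = { $_.NotBefore.ToString($DateFormat, $Invariant) } },
        Issuer,
        # Join multiple SAN entries; an array would be exported as "System.Object[]".
        @{Name = "DnsName"; Expression = { $_.DnsNameList.Unicode -join ',' } }

# Convert in memory and drop the header line, so no intermediate
# "<log>+header" file is left next to the monitored log.
$list |
    ConvertTo-Csv -Delimiter '|' -NoTypeInformation |
    Select-Object -Skip 1 |
    Set-Content -Path $Path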
Splunk
props.conf
# Field layout for the certificate inventory log: one pipe-delimited record per
# certificate, no header row, so the column names are supplied here.
# ValidTo and ValidFrom are written day-first (dd/mm/yyyy) by the Linux script;
# expiry searches and alerts need to parse them with that format.
# NOTE(review): FIELD_DELIMITER and FIELD_NAMES are structured-data extraction
# settings; confirm they take effect for this sourcetype without
# INDEXED_EXTRACTIONS also being set, and that this stanza is deployed where
# the file is read.
[ExpiringCertificates-Monitoring]
FIELD_DELIMITER=|
FIELD_NAMES=ComputerName,FileName,ValidTo,ValidFrom,Issuer,DnsName
inputs.conf
# Tails the log produced by the Linux script and tags it with the sourcetype
# defined in props.conf.
# This stanza covers the Linux path only: Windows hosts write to
# D:\ExpiringCertificates-Monitoring.log and need their own monitor stanza with
# the same sourcetype, otherwise their certificates are never indexed.
[monitor:///var/log/ExpiringCertificates-Monitoring.log]
sourcetype = ExpiringCertificates-Monitoring
Good luck!