Splunk search for Universal Forwarders with Expired Certificates

index=_internal sourcetype=splunkd (alert_description="'certificate expired'" component=SSLCommon) OR (component=TcpInputProc AND "certificate verify failed")
This search is helpful for determining when you have Universal Forwaders that are attempting to use an expired certificate. The events in the TcpInputProc component will include a source IP address that can help to pinpoint the host(s) with problems.
Sign in or Register to submit a comment