<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Powershell Input: discrepancies in pipeline execution? in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/Powershell-Input-discrepancies-in-pipeline-execution/m-p/329541#M61111</link>
    <description>&lt;P&gt;I never did.  I ended up filtering these events out via props/transforms on a heavy forwarder.   I haven't revisited since we've updated our forwarders over the past year or two.   Are you experiencing this as well?  What version of the forwarder?&lt;/P&gt;</description>
    <pubDate>Wed, 03 Jun 2020 18:30:34 GMT</pubDate>
    <dc:creator>c_boggs</dc:creator>
    <dc:date>2020-06-03T18:30:34Z</dc:date>
    <item>
      <title>Powershell Input: discrepancies in pipeline execution?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Powershell-Input-discrepancies-in-pipeline-execution/m-p/329539#M61109</link>
      <description>&lt;P&gt;I have a simple powershell input:&lt;BR /&gt;
&lt;CODE&gt;&lt;BR /&gt;
[powershell://Windows:Applications]&lt;BR /&gt;
script = Get-WmiObject -Class Win32_Product | Select-Object -Property Name,InstallDate,Version,InstallLocation,Description&lt;BR /&gt;
interval=86400&lt;BR /&gt;
disabled=0&lt;BR /&gt;
index=winclientlogs&lt;BR /&gt;
sourcetype=installed_apps&lt;BR /&gt;
&lt;/CODE&gt;&lt;BR /&gt;
We deploy this input inside the Splunk_TA_Windows app to our Windows workstations - roughly 1800+ of them, a mix of Windows 7 and Windows 10.   This input works flawlessly to report installed applications across all the workstations (after setting  reasonable powershell execution policy via GPO, of course).&lt;/P&gt;

&lt;P&gt;However, roughly 8 Windows 10 hosts (which are a mix of 15063 and 16299), all running the 7.0 forwarder, seem to be executing this powershell input &lt;EM&gt;differently&lt;/EM&gt;.   &lt;/P&gt;

&lt;P&gt;We log Powershell event logs from &lt;CODE&gt;WinEventLog:Microsoft-Windows-PowerShell/Operational&lt;/CODE&gt;, and had not yet filtered out Splunk Powershell events - I was doing some basic review of these event logs when I noticed a higher sustained volume of EventCode 4103 from a handful of hosts, which led to the discovery that the forwarder on these 8 hosts appears to be running powershell pipeline executions &lt;EM&gt;roughly 900 times a minute&lt;/EM&gt;.&lt;/P&gt;

&lt;P&gt;The events differ from the "normal/expected" operation because in the Powershell event logs, they invoke the "Out-Null" method, followed by a "Start-Sleep" method (for 200ms).   On every other host not exhibiting this behavior, the forwarder executes with the "Add-Type" method.&lt;/P&gt;

&lt;P&gt;Regardless of this difference, the problematic hosts still execute the powershell - they just create a TON more noise doing it...  I'm curious if this is a bug in the forwarder, or some possible difference in the powershell environment for these hosts.&lt;/P&gt;

&lt;P&gt;Things I've done to troubleshoot:&lt;BR /&gt;
- Reinstalled forwarders (no change)&lt;BR /&gt;
- Upgraded forwarders to 7.0.3 (no change)&lt;BR /&gt;
- tried using &lt;CODE&gt;schedule&lt;/CODE&gt; instead of &lt;CODE&gt;interval&lt;/CODE&gt; directive in the input (no change)&lt;/P&gt;

&lt;P&gt;For example - problematic host has 4103 for splunk-powershell.exe that starts with:&lt;BR /&gt;
&lt;CODE&gt;CommandInvocation(Out-Null): "Out-Null"&lt;/CODE&gt;&lt;/P&gt;

&lt;P&gt;These are followed by a nearly identical 4103, except with:&lt;BR /&gt;
&lt;CODE&gt;CommandInvocation(Start-Sleep): "Start-Sleep" &lt;BR /&gt;
ParameterBinding(Start-Sleep): name="Milliseconds"; value="200"&lt;/CODE&gt;&lt;/P&gt;

&lt;P&gt;Where a host not exhibiting the 900 events a minute starts like this:&lt;BR /&gt;
&lt;CODE&gt;CommandInvocation(Add-Type): "Add-Type"&lt;BR /&gt;
ParameterBinding(Add-Type): name="MemberDefinition"; value="[DllImport("kernel32.dll")]&lt;BR /&gt;
public static extern bool SetEvent(IntPtr handle);"&lt;BR /&gt;
ParameterBinding(Add-Type): name="Name"; value="Win32Utils"&lt;BR /&gt;
ParameterBinding(Add-Type): name="Namespace"; value="SetEvent"&lt;BR /&gt;
ParameterBinding(Add-Type): name="PassThru"; value="True"&lt;/CODE&gt;&lt;/P&gt;

&lt;P&gt;Hoping someone has some ideas as I'd like to address this instead of just dropping the noise at our heavy forwarder.&lt;/P&gt;</description>
      <pubDate>Tue, 29 Sep 2020 18:59:43 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Powershell-Input-discrepancies-in-pipeline-execution/m-p/329539#M61109</guid>
      <dc:creator>c_boggs</dc:creator>
      <dc:date>2020-09-29T18:59:43Z</dc:date>
    </item>
    <item>
      <title>Re: Powershell Input: discrepancies in pipeline execution?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Powershell-Input-discrepancies-in-pipeline-execution/m-p/329540#M61110</link>
      <description>&lt;P&gt;Did you solve this issue?&lt;/P&gt;</description>
      <pubDate>Wed, 03 Jun 2020 05:02:10 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Powershell-Input-discrepancies-in-pipeline-execution/m-p/329540#M61110</guid>
      <dc:creator>mik3y</dc:creator>
      <dc:date>2020-06-03T05:02:10Z</dc:date>
    </item>
    <item>
      <title>Re: Powershell Input: discrepancies in pipeline execution?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Powershell-Input-discrepancies-in-pipeline-execution/m-p/329541#M61111</link>
      <description>&lt;P&gt;I never did.  I ended up filtering these events out via props/transforms on a heavy forwarder.   I haven't revisited since we've updated our forwarders over the past year or two.   Are you experiencing this as well?  What version of the forwarder?&lt;/P&gt;</description>
      <pubDate>Wed, 03 Jun 2020 18:30:34 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Powershell-Input-discrepancies-in-pipeline-execution/m-p/329541#M61111</guid>
      <dc:creator>c_boggs</dc:creator>
      <dc:date>2020-06-03T18:30:34Z</dc:date>
    </item>
    <item>
      <title>Re: Powershell Input: discrepancies in pipeline execution?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Powershell-Input-discrepancies-in-pipeline-execution/m-p/329542#M61112</link>
      <description>&lt;P&gt;Thanks for the reply c.boggs.&lt;/P&gt;

&lt;P&gt;I have just updated to 8.0.3. Admittedly I haven't used script stanzas before so unsure what to expect or if it affected our 7.3.1.1 fleet.&lt;/P&gt;

&lt;P&gt;All the scripts run flawlessly through a PowerShell CLI, but not all function when executed by Splunk.&lt;BR /&gt;
Sysmon doesn't seem to generate many Process Creation events so at least that is one consolation.&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;    Pipeline execution details for command line:             start-sleep -m 200
    . 

    Context Information: 
        DetailSequence=1
        DetailTotal=1

        SequenceNumber=570469

        UserId=DOMAIN\SYSTEM
        HostName=ConsoleHost
        HostVersion=5.1.14409.1018
        HostId=9db3f578-72c9-4efe-8ec5-2987f958b4a0
        HostApplication=powershell.exe -command &amp;amp; {get-content C:\WINDOWS\TEMP\\input78ad6966241a2009.tmp | C:\Program` Files\SplunkUniversalForwarder\bin\splunk-powershell.ps1  C:\Program` Files\SplunkUniversalForwarder  78ad6966241a2009}
        EngineVersion=5.1.14409.1018
        RunspaceId=91737811-5a9e-430a-9462-cdb540f6e006
        PipelineId=1
        ScriptName=
        CommandLine=            start-sleep -m 200


    Details: 
    CommandInvocation(Start-Sleep): "Start-Sleep"
    ParameterBinding(Start-Sleep): name="Milliseconds"; value="200"
&lt;/CODE&gt;&lt;/PRE&gt;</description>
      <pubDate>Wed, 03 Jun 2020 23:33:05 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Powershell-Input-discrepancies-in-pipeline-execution/m-p/329542#M61112</guid>
      <dc:creator>mik3y</dc:creator>
      <dc:date>2020-06-03T23:33:05Z</dc:date>
    </item>
  </channel>
</rss>

