topic Re: TA-Sysmon-deploy: Issue with deploy.bat in Getting Data In

TA-Sysmon-deploy: Issue with deploy.bat

kwasielewski — Thu, 10 Sep 2020 16:28:23 GMT

I am attempting to use the "TA-Sysmon-deploy" Splunkbase app to deploy and maintain Sysmon on our endpoints. I've noticed that the script which checks for sysmon then installs it does run correctly. It always results in a "sysmon not found" situation and re-installs it. This is expected activity if the script does not see sysmon running or it detects is out of date. Nonetheless, the script completes each time by installing sysmon again and again, even thought the host has the proper version of sysmon installed and running.

The peculiar thing here is that it works correctly if I run the batch script manually from an Admin (as system) command prompt but not when run by the Splunk Universal Forwarder. I've added an Echo statement so I can the check script variables just before they go into the deployment IF statements. Theyare correct when manually run but are not when executed by Splunk.

Any comments or suggestions would be helpful. I have included sample logs and the script below.

Thank you,

Ken

sysmon.log when Splunk runs the batch file via input setting.

Thu 09/10/2020- 9:19:40.03 The SplunkUniversalForwarder is installed at C:\Program Files\SplunkUniversalForwarder
Thu 09/10/2020- 9:19:40.03 Checking for Sysmon
CHECK_SYSMON_VERSION=""
CHECK_SYSMON_RUNNIG=""
Thu 09/10/2020- 9:19:40.03 Sysmon not found, proceding to install
Thu 09/10/2020- 9:19:40.03 Copying the latest config file
0% copied
100% copied 1 file(s) copied.
Thu 09/10/2020- 9:19:40.03 Installing Sysmon
Thu 09/10/2020- 9:19:40.03 Install complete!

sysmon.log when run from and Admin command prompt (as "system")

Wed 09/09/2020- 9:08:59.03 The SplunkUniversalForwarder is installed at C:\Program Files\SplunkUniversalForwarder
Wed 09/09/2020- 9:08:59.03 Checking for Sysmon
CHECK_SYSMON_RUNNIG="1"
CHECK_SYSMON_VERSION="1"
Wed 09/09/2020- 9:08:59.03 Sysmon found, checking version
Wed 09/09/2020- 9:08:59.03 Sysmon already up to date, exiting

Here is the script from the deploy.bat file. This batch file is part of "TA-Sysmon-deploy" from Splunkbase. I have added the following to the script while troubleshooting.

- SETLOCAL and ENDLOCAL: removes any outside the script variable influences
- Enclosed the version check FOR statement in an IF EXIST clause, the script seemed to error out if sysmon.exe did not exist)
- added variable output "echo" statements so I can see the variable in the logs just before the IF statements.

TA's deploy.bat file

ECHO OFF SETLOCAL FOR /F "delims=" %%i IN ('wmic service SplunkForwarder get Pathname ^| FINDSTR /m service') DO SET SPLUNKDPATH=%%i SET SPLUNKPATH=%SPLUNKDPATH:~1,-28% >> %WINDIR%\sysmon.log ( ECHO %DATE%-%TIME% The SplunkUniversalForwarder is installed at %SPLUNKPATH% ECHO %DATE%-%TIME% Checking for Sysmon FOR /F "delims=" %%c IN ('sc query "Sysmon" ^| FIND /c "RUNNING"') DO ( SET CHECK_SYSMON_RUNNIG=%%c ) IF EXIST %WINDIR%\sysmon.exe ( FOR /F "delims=" %%b IN ('c:\windows\sysmon.exe ^| FIND /c "System Monitor v11.11"') DO ( SET CHECK_SYSMON_VERSION=%%b ) ) ECHO CHECK_SYSMON_VERSION="%CHECK_SYSMON_VERSION%" ECHO CHECK_SYSMON_RUNNIG="%CHECK_SYSMON_RUNNIG%" if "%CHECK_SYSMON_RUNNIG%" == "1" ( ECHO %DATE%-%TIME% Sysmon found, checking version IF "%CHECK_SYSMON_VERSION%" == "1" ( ECHO %DATE%-%TIME% Sysmon already up to date, exiting ENDLOCAL EXIT ) ELSE ( ECHO %DATE%-%TIME% Sysmon binary is outdated, un-installing IF EXIST %WINDIR%\sysmon.exe ( %WINDIR%\sysmon.exe -u ) ) ) ELSE ( ECHO %DATE%-%TIME% Sysmon not found, proceding to install ECHO %DATE%-%TIME% Copying the latest config file COPY /z /y "%SPLUNKPATH%\etc\apps\TA-Sysmon-deploy\bin\config.xml" "C:\windows\" ECHO %DATE%-%TIME% Installing Sysmon "%SPLUNKPATH%\etc\apps\TA-Sysmon-deploy\bin\sysmon.exe" /accepteula -i c:\windows\config.xml | Find /c "Sysmon installed" 1>NUL ECHO %DATE%-%TIME% Install complete! ENDLOCAL EXIT ) ECHO %DATE%-%TIME% Install failed ) ENDLOCAL

Re: TA-Sysmon-deploy: Issue with deploy.bat

vmicovic2 — Mon, 09 Nov 2020 23:32:12 GMT

hi, you must add sysmon installation in splunk app locally (from where splunk push installation to clients).

Re: TA-Sysmon-deploy: Issue with deploy.bat

kwasielewski — Tue, 10 Nov 2020 19:32:15 GMT

Hi,

Thank you for the reply.

The installation files are contained in the "TA-Sysmon-deploy" app in the Splunk UF directory. Is that correct or did I misunderstanding your comment?

"%SPLUNKPATH%\etc\apps\TA-Sysmon-deploy\bin\sysmon.exe"

Ken

Re: TA-Sysmon-deploy: Issue with deploy.bat

vmicovic2 — Wed, 11 Nov 2020 00:35:27 GMT

that is correct. Both, config and installation must be there..

about script and your environment, you can test it first on your windows station, when you confirm that work in both case (deploy and update), you can test it from splunk..

ofc. take care of path when you test it on system

Re: TA-Sysmon-deploy: Issue with deploy.bat

ali-tavakoli — Wed, 06 Jan 2021 13:05:06 GMT

you should use SETLOCAL ENABLEDELAYEDEXPANSION instead of SETLOCAL and change your code to this:

ECHO OFF

SETLOCAL ENABLEDELAYEDEXPANSION

FOR /F "delims=" %%i IN ('wmic service SplunkForwarder get Pathname ^| FINDSTR /m service') DO SET SPLUNKDPATH=%%i
SET SPLUNKPATH=%SPLUNKDPATH:~1,-28%

>> %WINDIR%\sysmon.log (
ECHO %DATE%-%TIME% The SplunkUniversalForwarder is installed at %SPLUNKPATH%
ECHO %DATE%-%TIME% Checking for Sysmon

FOR /F "delims=" %%c IN ('sc query "Sysmon" ^| FIND /c "RUNNING"') DO (
SET CHECK_SYSMON_RUNNIG=%%c
)

IF EXIST %WINDIR%\sysmon.exe (
FOR /F "delims=" %%b IN ('c:\windows\sysmon.exe ^| FIND /c "System Monitor v11.11"') DO (
SET CHECK_SYSMON_VERSION=%%b
)
)

ECHO CHECK_SYSMON_VERSION=!CHECK_SYSMON_VERSION!
ECHO CHECK_SYSMON_RUNNIG=!CHECK_SYSMON_RUNNIG!

if "!CHECK_SYSMON_RUNNIG!" == "1" (
ECHO %DATE%-%TIME% Sysmon found, checking version
IF "!CHECK_SYSMON_VERSION!" == "1" (
ECHO %DATE%-%TIME% Sysmon already up to date, exiting
ENDLOCAL
EXIT
) ELSE (
ECHO %DATE%-%TIME% Sysmon binary is outdated, un-installing
IF EXIST %WINDIR%\sysmon.exe (
%WINDIR%\sysmon.exe -u
)
)
) ELSE (
ECHO %DATE%-%TIME% Sysmon not found, proceding to install
ECHO %DATE%-%TIME% Copying the latest config file
COPY /z /y "%SPLUNKPATH%\etc\apps\TA-Sysmon-deploy\bin\config.xml" "C:\windows\"
ECHO %DATE%-%TIME% Installing Sysmon
"%SPLUNKPATH%\etc\apps\TA-Sysmon-deploy\bin\sysmon.exe" /accepteula -i c:\windows\config.xml | Find /c "Sysmon installed" 1>NUL
ECHO %DATE%-%TIME% Install complete!
ENDLOCAL
EXIT
)
ECHO %DATE%-%TIME% Install failed
)
ENDLOCAL