Alerting

Can I use Powershell as the script triggered by Custom Alert Actions?

rune_hellem
Contributor

I'm about to migrate all our scripted actions to custom alert actions. Each alert triggers a .bat file, which is only used to trigger a PowerShell script doing the real magic. The bat file is used since Splunk cannot trigger the .ps1 file directly; CMD will have to use

Powershell -f filename.ps1

The same issue will be for a custom alert action, Splunk cannot trigger that either, so therefore I
When using scripted alert actions I defined a bat file which the alert triggered. The .bat-file was really just a "proxy" since I was not able to trigger the Powershell script directly from Splunk.

So I have tried the same using a custom alert action

[nimsoft_100_filenet_error]
is_custom = 1
label = Nimsoft #100, test alert
icon_path = action.png
payload_format = xml
disabled = 0
#alert.execute.cmd = alertNimsoft-doSplunkAlert.ps1
alert.execute.cmd = testArguments.bat

But I must admit that I have not fully understood if I can still use this approach. All examples found here http://docs.splunk.com/Documentation/Splunk/6.6.0/AdvancedDev/ModAlertsIntro show only Python, and I have a hard time understanding how to read the payload (stdin) in a bat/cmd file and then be able to forward it to my PowerShell script. Is this doable, or do I have to install Python on the server when using scripts in Custom Alert Actions?


rune_hellem
Contributor

This was how I finally was able to launch the PowerShell script. All was in the documentation, but only after I got it figured out did I understand the documentation ... (as so many times before)

In the file alert_actions.conf the alert has been defined like this

alert.execute.cmd = powershell.path
alert.execute.cmd.arg.0 = -NoProfile
alert.execute.cmd.arg.1 = -f
alert.execute.cmd.arg.2 = $SPLUNK_HOME\etc\apps\klp_nimsoft_custom_alerts\bin\testArguments.ps1
alert.execute.cmd.arg.3 = --execute

And then in the \bin-folder of the Splunk-app I have created I have added a file named powershell.path containing one single line

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Next step now will be to understand how I can use PowerShell to read the payload, same as Python does with the code

settings = json.loads(sys.stdin.read())

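As an added example (not code from the original post, and not from Splunk's documentation), here is a handler script for the stanza above that reads the payload the way the Python one-liner does. Splunk invokes the command with `--execute` as its only argument and writes the payload to stdin; powershell.exe hands redirected stdin to the script as pipeline input, so it is available in `$input` at script scope. The example assumes the stanza is changed to `payload_format = json` (the question's stanza uses xml), that it is launched exactly as the arg.0..arg.3 lines above show, and a hypothetical alert-action parameter `param.ticket_dir`. The sample payload at the top is constructed for offline runs only; `ticket_dir`, `Read-GzipCsv` and the ticket layout are this example's own names.

```powershell
# Added example, not part of the original thread. Handler for a Splunk custom alert action run as:
#   powershell.exe -NoProfile -f handler.ps1 --execute
# Assumes payload_format = json and a hypothetical action parameter param.ticket_dir.

# Take stdin at script scope: inside a function $input would refer to that function's own
# pipeline input. [Console]::In is the fallback if nothing arrived as pipeline input.
$rawStdin = @($input) -join "`n"
if ([string]::IsNullOrWhiteSpace($rawStdin)) { $rawStdin = [Console]::In.ReadToEnd() }

# Constructed sample payload (documented top-level keys, made-up values) so the script can
# be exercised by hand with nothing on stdin. Splunk always supplies the real one.
$SamplePayload = @'
{
  "search_name": "Nimsoft #100, test alert",
  "sid": "scheduler__admin__search__RMD5abc_at_1500000000_1",
  "app": "klp_nimsoft_custom_alerts",
  "owner": "admin",
  "server_host": "splunk-sh01",
  "server_uri": "https://127.0.0.1:8089",
  "results_link": "https://splunk-sh01:8000/app/search/search?sid=scheduler__admin__search__RMD5abc_at_1500000000_1",
  "results_file": "C:\\Program Files\\Splunk\\var\\run\\splunk\\dispatch\\scheduler__admin__search__RMD5abc_at_1500000000_1\\results.csv.gz",
  "session_key": "this-is-a-live-auth-token-do-not-log-it",
  "configuration": { "ticket_dir": "C:\\Temp\\splunk_tickets" },
  "result": { "_time": "1500000000", "host": "filenet01", "severity": "critical", "message": "FileNet error #100" }
}
'@
if ([string]::IsNullOrWhiteSpace($rawStdin)) {
    Write-Warning "No payload on stdin; using the constructed sample payload."
    $rawStdin = $SamplePayload
}

# $args holds only --execute; the alert data is on stdin, never in the argument list.
if ($args -notcontains '--execute') {
    Write-Error "Expected --execute, got: $($args -join ' ')"   # stderr ends up in splunkd.log
    exit 1
}

try { $payload = $rawStdin | ConvertFrom-Json }
catch { Write-Error "Payload is not valid JSON (is payload_format = json set?): $_"; exit 1 }

# Action parameters arrive under "configuration" with the param. prefix stripped.
$ticketDir = $payload.configuration.ticket_dir
if (-not $ticketDir) { $ticketDir = Join-Path $env:TEMP 'splunk_tickets' }
New-Item -ItemType Directory -Path $ticketDir -Force | Out-Null

function Read-GzipCsv([string]$Path) {
    # results_file is a gzipped CSV of every matching row; $payload.result is only the first.
    if ($Path -notlike '*.csv.gz' -or -not (Test-Path -LiteralPath $Path)) { return @() }
    $fs = [IO.File]::OpenRead($Path)
    try {
        $gz = New-Object IO.Compression.GZipStream($fs, [IO.Compression.CompressionMode]::Decompress)
        $reader = New-Object IO.StreamReader($gz)
        return @($reader.ReadToEnd() | ConvertFrom-Csv)
    } finally { $fs.Dispose() }
}
$rows = @(Read-GzipCsv $payload.results_file)

# session_key is a live Splunk auth token: never copy it into tickets, mails or log files.
# Event fields in $payload.result are untrusted data from indexed events: keep them as
# values (JSON properties here) and never splice them into a command line or Invoke-Expression.
$ticket = [ordered]@{
    search_name  = $payload.search_name
    sid          = $payload.sid
    triggered_on = $payload.server_host
    results_link = $payload.results_link
    result_count = $rows.Count
    first_result = $payload.result
    created_utc  = [DateTime]::UtcNow.ToString('o')
}
$safeName   = $payload.sid -replace '[^A-Za-z0-9_.-]', '_'   # sid becomes a file name, so sanitize it
$ticketPath = Join-Path $ticketDir "$safeName.json"
$ticket | ConvertTo-Json -Depth 4 | Set-Content -LiteralPath $ticketPath -Encoding UTF8
Write-Output "INFO Wrote $ticketPath ($($rows.Count) rows)"   # stdout is logged by splunkd as well
exit 0
```

To try it outside Splunk, pipe a JSON document into it: `type payload.json | powershell -NoProfile -f handler.ps1 --execute`; with nothing piped it falls back to the constructed sample. Because powershell.path and the .ps1 both live in the app's bin folder, whoever can write there runs code as the splunkd service account, so keep that folder as tightly permissioned as the rest of $SPLUNK_HOME.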

jdajpowell
New Member

Did you ever figure out how to pass arguments to powershell? The only thing I'm getting when looping through the args array is "--Execute."


rune_hellem
Contributor

As I remember it I got an answer from support saying that it actually is not possible using Powershell. If I'm not totally wrong it is a bug in how Splunk implements Powershell. Therefore I switched to Python, as a starter because of this, but also to make the move to running Splunk on Linux easier. As a result of the work my company does related to GDPR we will index a lot more data/logs, and I really expect this to force us to cluster Splunk due to performance. So anyhow it was not a big deal moving to Python.



jdajpowell
New Member

Adding this in the comments vs. answers.

Were you able to figure out how to pass arguments? When looping through the args array I'm only seeing "--execute."

Thanks.


gclaytontmwa
New Member

$args doesn't work for PowerShell for some reason. There is a variable called $input which has the XML or JSON result information.


jkat54
SplunkTrust

It is a bit vague but this is what I'm interpreting from the documentation:

https://docs.splunk.com/Documentation/Splunk/6.6.0/Admin/Alertactionsconf

alert.execute.cmd = <string>
* For custom alert actions: Explicitly specify the command to be executed
  when the alert action is triggered. This refers to a binary or script
  in the bin folder of the app the alert action is defined in, or to a
  path pointer file, also located in the bin folder.

This is telling me alert.execute.cmd should point to the powershell executable

alert.execute.cmd = powershell.exe
alert.execute.cmd.arg.1 = -f
alert.execute.cmd.arg.2 = filename.ps1

If you want to use python, you would not need to install python as python is packaged with splunk.

To use the arguments sent to the PowerShell script you'll use something like this in the script:

$arg1=$args[0]
$arg2=$args[1]

I feel like the args should be the same as you see here: http://docs.splunk.com/Documentation/Splunk/6.1.3/Alert/Configuringscriptedalerts

Personally I'd use python for this even if I didn't know python. Learning python gives you super Splunk powers 😉

rune_hellem
Contributor

Ahh, yes - of course, I will try that out.

And yes, I see the point with Python, but I prefer to use out of the box if possible. But the good news is that my boss has said ok to use Linux when we later move to a clustered Splunk environment... so that should make things easier... sometime in the future
