I have a Windows 2012 R2 server set up with a universal forwarder and I've dropped this TA into the apps folder. I'm looking for guidance on how to get this add-on to run and deliver the data to the Splunk cluster. I've already set up the receiver port on the Splunk cluster and it is receiving generic Windows event log data from this same forwarder.
I had to make a couple of changes to the .\TA-windnsanalytical\bin\get_dns_analytics.path file to get everything to work:
Original get_dns_analytics.path file:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command "& '$SPLUNK_HOME\etc\apps\TA-WindowsDNSAnalytical\bin\get_dns_analytics.ps1'"
Working get_dns_analytics.path file:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command "& 'C:\Program Files\SplunkUniversalForwarder\etc\apps\TA-windnsanalytical\bin\get_dns_analytics.ps1'"
Yes, it should be possible to deploy Windows DNS Analytical and Diagnostic Logs on universal forwarders.
Without more information, it's hard to know why it isn't working.
According to the README, you need to enable the inputs. Looking at default/inputs.conf, there is one scripted input. Did you create a local/inputs.conf? If not, can you please create it with the content below and restart Splunk?
[script://.\bin\get_dns_analytics.path]
disabled = 0
If you manually run the script $SPLUNK_HOME/etc/apps/TA-windnsanalytical/bin/get_dns_analytics.path does it work?
Looking at that script, I have two concerns:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
It seems likely to me that you will need to update that path; you might try just Powershell (that's what some apps we've downloaded use).
$SPLUNK_HOME\etc\apps\TA-WindowsDNSAnalytical\bin\get_dns_analytics.ps1
Is $SPLUNK_HOME defined and does that match your app name?
I created a local/inputs.conf file with the content you provided and restarted Splunk. I am able to run the Powershell file and it returns the expected results in the console window. What I'm unclear on is whether I need to set up a Script forwarder on the Splunk server to receive the data from this. When I go to add one it sees the forwarder, but when I select scripts it doesn't show this script.
Based on the splunkd.log file, it is failing on the powershell string.
01-07-2016 11:43:45.634 -0800 ERROR ExecProcessor - message from "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command "& 'D:\SplunkUniversalForwarder\etc\apps\TA-WindowsDNSAnalytical\bin\get_dns_analytics.ps1'"" & : The term 'D:\SplunkUniversalForwarder\etc\apps\TA-WindowsDNSAnalytical\bin\
01-07-2016 11:43:45.634 -0800 ERROR ExecProcessor - message from "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command "& 'D:\SplunkUniversalForwarder\etc\apps\TA-WindowsDNSAnalytical\bin\get_dns_analytics.ps1'"" get_dns_analytics.ps1' is not recognized as the name of a cmdlet, function,
01-07-2016 11:43:45.634 -0800 ERROR ExecProcessor - message from "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command "& 'D:\SplunkUniversalForwarder\etc\apps\TA-WindowsDNSAnalytical\bin\get_dns_analytics.ps1'"" script file, or operable program. Check the spelling of the name, or if a path
01-07-2016 11:43:45.634 -0800 ERROR ExecProcessor - message from "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command "& 'D:\SplunkUniversalForwarder\etc\apps\TA-WindowsDNSAnalytical\bin\get_dns_analytics.ps1'"" was included, verify that the path is correct and try again.
01-07-2016 11:43:45.634 -0800 ERROR ExecProcessor - message from "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command "& 'D:\SplunkUniversalForwarder\etc\apps\TA-WindowsDNSAnalytical\bin\get_dns_analytics.ps1'"" At line:1 char:3
01-07-2016 11:43:45.634 -0800 ERROR ExecProcessor - message from "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command "& 'D:\SplunkUniversalForwarder\etc\apps\TA-WindowsDNSAnalytical\bin\get_dns_analytics.ps1'"" + &
01-07-2016 11:43:45.634 -0800 ERROR ExecProcessor - message from "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command "& 'D:\SplunkUniversalForwarder\etc\apps\TA-WindowsDNSAnalytical\bin\get_dns_analytics.ps1'"" 'D:\SplunkUniversalForwarder\etc\apps\TA-WindowsDNSAnalytical\bin\get_dns_anal
01-07-2016 11:43:45.634 -0800 ERROR ExecProcessor - message from "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command "& 'D:\SplunkUniversalForwarder\etc\apps\TA-WindowsDNSAnalytical\bin\get_dns_analytics.ps1'"" ...
01-07-2016 11:43:45.634 -0800 ERROR ExecProcessor - message from "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command "& 'D:\SplunkUniversalForwarder\etc\apps\TA-WindowsDNSAnalytical\bin\get_dns_analytics.ps1'"" + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
01-07-2016 11:43:45.634 -0800 ERROR ExecProcessor - message from "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command "& 'D:\SplunkUniversalForwarder\etc\apps\TA-WindowsDNSAnalytical\bin\get_dns_analytics.ps1'"" ~~~
01-07-2016 11:43:45.634 -0800 ERROR ExecProcessor - message from "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command "& 'D:\SplunkUniversalForwarder\etc\apps\TA-WindowsDNSAnalytical\bin\get_dns_analytics.ps1'"" + CategoryInfo : ObjectNotFound: (D:\SplunkUniver...s_analytics.p
01-07-2016 11:43:45.634 -0800 ERROR ExecProcessor - message from "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command "& 'D:\SplunkUniversalForwarder\etc\apps\TA-WindowsDNSAnalytical\bin\get_dns_analytics.ps1'"" s1:String) [], CommandNotFoundException
01-07-2016 11:43:45.634 -0800 ERROR ExecProcessor - message from "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command "& 'D:\SplunkUniversalForwarder\etc\apps\TA-WindowsDNSAnalytical\bin\get_dns_analytics.ps1'"" + FullyQualifiedErrorId : CommandNotFoundException
Is there a way I can execute the Splunk .path file manually to see where it is failing?
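An added example for checking a .path file by hand, written for this thread; it is not code from the TA or from Splunk. It reads the .path file, checks the two things raised above (whether the interpreter path at the front of the line exists, and whether the quoted .ps1 exists once $SPLUNK_HOME is expanded the way the splunkd.log excerpt shows Splunk expanding it), and if the script is missing it looks for the same file under a differently named app folder, which is the TA-WindowsDNSAnalytical vs. TA-windnsanalytical mismatch in the thread. Assumptions: the forwarder root comes from the SPLUNK_HOME environment variable, falling back to the default install directory, and the .path file holds one command line of the form shown above. The -Run switch and the function name are the example's own.

```powershell
# Added example (not from the TA or Splunk): sanity-check a scripted-input .path file.
# Assumes SPLUNK_HOME is set in the environment or the forwarder is at the default path.
function Test-SplunkPathFile {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$PathFile,
        [switch]$Run   # also execute the referenced script so its output is visible in the console
    )

    if (-not (Test-Path -LiteralPath $PathFile)) {
        Write-Warning "Path file not found: $PathFile"
        return
    }

    # Assumption: default Universal Forwarder install directory when SPLUNK_HOME is not set.
    $splunkHome = if ($env:SPLUNK_HOME) { $env:SPLUNK_HOME } else { 'C:\Program Files\SplunkUniversalForwarder' }
    $cmd = (Get-Content -LiteralPath $PathFile -Raw).Trim()
    Write-Host "Command line as written: $cmd"

    # Concern 1: the interpreter path at the start of the line must exist.
    $exe = ($cmd -split ' -command ', 2)[0].Trim('"')
    if (Test-Path -LiteralPath $exe) {
        Write-Host "Interpreter found: $exe"
    } else {
        Write-Warning "Interpreter not found: $exe (try plain 'powershell' instead of a full path)"
    }

    # Concern 2: the quoted script path must exist once $SPLUNK_HOME is expanded.
    if ($cmd -notmatch "'([^']+\.ps1)'") {
        Write-Warning "Could not find a quoted .ps1 path in the command line"
        return
    }
    $script = $Matches[1].Replace('$SPLUNK_HOME', $splunkHome)
    if (Test-Path -LiteralPath $script) {
        Write-Host "Script found: $script"
    } else {
        Write-Warning "Script not found: $script"
        # Look for the same script under another app folder: the CommandNotFoundException in
        # splunkd.log above is what a wrong app folder name in the .path file produces.
        $leaf = Split-Path -Leaf $script
        Get-ChildItem -Path (Join-Path $splunkHome 'etc\apps') -Directory |
            ForEach-Object { Join-Path $_.FullName "bin\$leaf" } |
            Where-Object { Test-Path -LiteralPath $_ } |
            ForEach-Object { Write-Warning "Same script exists at: $_ (app folder name differs from the .path file)" }
        return
    }

    # Optional: run it the way splunkd would, so the events it would emit are shown in the console.
    if ($Run) {
        & $exe -command "& '$script'"
        Write-Host "Exit code: $LASTEXITCODE"
    }
}

# Usage (assumed location of the .path file):
# Test-SplunkPathFile -PathFile 'C:\Program Files\SplunkUniversalForwarder\etc\apps\TA-windnsanalytical\bin\get_dns_analytics.path' -Run
```

Run it from a PowerShell prompt on the forwarder itself; when the script is found but produces no output with -Run, the scripted input is wired up correctly and the problem is on the DNS logging side rather than in the .path file.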