Microsoft SCOM - PowerShell v3 Modular Input - with PowerShell parameters

deckemha
Explorer

Hello,

I'm trying to connect SCOM with the "Splunk Add-on for Microsoft SCOM" (Version 4.0.0, on a Splunk Enterprise 7.3 Heavy Forwarder on Windows).

The connection itself is working fine and I'm able to retrieve alerts from SCOM, e.g. via group=alert, which corresponds to the following PowerShell commands in "scom_command_loader.ps1":

    "alert"       = @('Get-SCOMAlert', 'Get-SCOMAlert | Get-SCOMAlertHistory');

The input looks like this:

& "$SplunkHome\etc\apps\Splunk_TA_microsoft-scom\bin\scom_command_loader.ps1" -groups "alert" -server "SCOM_DEV" -loglevel DEBUG -starttime "2021-08-01T00:00:00+02:00"

Now I don't want to have all alerts which will be produced in SCOM; instead I want to narrow it down to only the events with the name "*Windows Defender*".

So for this I've created a new PowerShell v3 Modular Input as a copy of the existing one, but not using a group; instead I use the commands section of the script - see also the add-on documentation.

Section: "Configure inputs through the PowerShell scripted input UI"

The example there is:


& "$SplunkHome\etc\apps\Splunk_TA_microsoft-scom\bin\scom_command_loader.ps1" -commands Get-SCOMAlert, Get-SCOMEvent

So I tried to use this. The PowerShell command works in the shell when I connect directly to this SCOM system.


& "$SplunkHome\etc\apps\Splunk_TA_microsoft-scom\bin\scom_command_loader.ps1" -commands 'Get-SCOMAlert -Name "*Windows Defender*"' -server "SCOM_DEV" -loglevel DEBUG -starttime "2021-08-01T00:00:00+02:00"

The input is working fine and delivering the Windows Defender Events to Splunk.

BUT the problem now is that it does not create a checkpoint under the path "D:\Splunk\var\lib\splunk\modinputs\scom" like it does when a PowerShell command without a parameter (-Name "*Windows Defender*") is used.

This can be seen in the DEBUG log files of the add-on:


index=_internal source=*ta_scom.log
2021-08-05 16:37:11 +02:00 [ log_level=WARN pid=2956 input=_Splunk_TA_microsoft_scom_internal_used_Defender_Alerts_test_default_command ] End SCOM TA
host = ws006914.schaeffler.com   source = D:\Splunk\var\log\splunk\ta_scom.log   sourcetype = ms:scom:log:script
2021-08-05 16:37:11 +02:00 [ log_level=DEBUG pid=2956 input=_Splunk_TA_microsoft_scom_internal_used_Defender_Alerts_test_default_command ] Get 13 objects by 'Get-SCOMAlert -Name "*Windows Defender*"'
2021-08-05 16:37:09 +02:00 [ log_level=DEBUG pid=2956 input=_Splunk_TA_microsoft_scom_internal_used_Defender_Alerts_test_default_command ] --> serialize(Get-SCOMAlert -Name "*Windows Defender*")
2021-08-05 16:37:05 +02:00 [ log_level=DEBUG pid=2956 input=_Splunk_TA_microsoft_scom_internal_used_Defender_Alerts_test_default_command ] Get object 'Get-SCOMAlert -Name "*Windows Defender*"' without checkpoint
2021-08-05 16:37:05 +02:00 [ log_level=DEBUG pid=2956 input=_Splunk_TA_microsoft_scom_internal_used_Defender_Alerts_test_default_command ] --> executeCmd SCOM_DEV Get-SCOMAlert -Name "*Windows Defender*"
2021-08-05 16:37:05 +02:00 [ log_level=DEBUG pid=2956 input=_Splunk_TA_microsoft_scom_internal_used_Defender_Alerts_test_default_command ] Command list: Get-SCOMAlert -Name "*Windows Defender*"
2021-08-05 16:37:05 +02:00 [ log_level=DEBUG pid=2956 input=_Splunk_TA_microsoft_scom_internal_used_Defender_Alerts_test_default_command ] --> getCommands (groups=, commands=[Get-SCOMAlert -Name "*Windows Defender*"])
2021-08-05 16:37:05 +02:00 [ log_level=DEBUG pid=2956 input=_Splunk_TA_microsoft_scom_internal_used_Defender_Alerts_test_default_command ] splunk version 7.3.4
2021-08-05 16:37:02 +02:00 [ log_level=DEBUG pid=2956 input=_Splunk_TA_microsoft_scom_internal_used_Defender_Alerts_test_default_command ] New SCOMManagementGroupConnection success
2021-08-05 16:36:55 +02:00 [ log_level=DEBUG pid=2956 input=_Splunk_TA_microsoft_scom_internal_used_Defender_Alerts_test_default_command ] --> run (groups=, commands=[Get-SCOMAlert -Name "*Windows Defender*"], loglevel=DEBUG)
2021-08-05 16:36:55 +02:00 [ log_level=WARN pid=2956 input=_Splunk_TA_microsoft_scom_internal_used_Defender_Alerts_test_default_command ] Start SCOM TA

You can see it is calling the command correctly, but "without checkpoint".

When using a default input, it looks like this:


GET Checkpoint
[ log_level=DEBUG pid=10384 input=_Splunk_TA_microsoft_scom_internal_used_Events_test ] Got checkpoint '07/26/2021 10:54:39.220' from file 'D:\Splunk\var\lib\splunk\modinputs\scom\###U0NPTV9ERVY=###Get-SCOMAlert' successfully.

SET Checkpoint
2021-07-26 14:00:28 +02:00 [ log_level=DEBUG pid=10384 input=_Splunk_TA_microsoft_scom_internal_used_Events_test ] Set checkpoint '07/26/2021 11:54:14.790' to file 'D:\Splunk\var\lib\splunk\modinputs\scom\###U0NPTV9ERVY=###Get-SCOMAlert' successfully.

So the problem will be duplicate data when I run this regularly.

Does anybody have an idea how to fix this?

I have the feeling I've tried everything possible (different formations with " or ' at different positions). It's also not working without wildcards in the Name field.

I guess it somehow cannot create the checkpoint file.

I also tried manipulating the "scom_command_loader.ps1" script with a new group, which contains my query, but it also cannot create the checkpoint file.

Thanks in advance

Michael

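An added example for anyone checking the same thing (this is not code from the original post or from the Splunk add-on). The checkpoint path logged for the default input, `###U0NPTV9ERVY=###Get-SCOMAlert`, has the shape `###<base64(server)>###<command>`: `U0NPTV9ERVY=` decodes to `SCOM_DEV`. The snippet below assumes that naming pattern holds for every command, derives the file name the add-on would need for the parameterized command, checks it against the characters Windows forbids in file names, and looks for the file on disk. It does not establish why the add-on logs "without checkpoint" for that command; it only shows whether a legal file name is even possible for it. The function names, the `$server` value and the directory are taken from or modelled on the post.

```powershell
# Added example, not part of the Splunk add-on or the original post.
# Assumption: checkpoint file name = "###<base64(server)>###<command>",
# inferred from the path logged for the default input:
#   D:\Splunk\var\lib\splunk\modinputs\scom\###U0NPTV9ERVY=###Get-SCOMAlert
# Whether the add-on actually skips the checkpoint for this reason is not
# established on this page; this only tests the file name it would need.

function ConvertTo-ScomCheckpointName {
    # Build the checkpoint file name the add-on appears to use (assumed pattern).
    param(
        [Parameter(Mandatory)][string]$Server,
        [Parameter(Mandatory)][string]$Command
    )
    $b64 = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($Server))
    return "###$b64###$Command"
}

function Test-ScomCheckpointName {
    # Report which characters, if any, make the name illegal as a Windows file name.
    param(
        [Parameter(Mandatory)][string]$Name
    )
    $invalid = [IO.Path]::GetInvalidFileNameChars()
    $bad = @($Name.ToCharArray() | Where-Object { $invalid -contains $_ } | Select-Object -Unique)
    [pscustomobject]@{
        Name        = $Name
        IsValidName = ($bad.Count -eq 0)
        BadChars    = ($bad -join ' ')
    }
}

# Confirm the decoding of the token seen in the logged path (prints SCOM_DEV).
[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('U0NPTV9ERVY='))

$checkpointDir = 'D:\Splunk\var\lib\splunk\modinputs\scom'   # directory from the post
$server        = 'SCOM_DEV'                                  # -server value from the post

# The plain command that does get a checkpoint, and the parameterized one that does not.
$commands = @(
    'Get-SCOMAlert',
    'Get-SCOMAlert -Name "*Windows Defender*"'
)

foreach ($cmd in $commands) {
    $name  = ConvertTo-ScomCheckpointName -Server $server -Command $cmd
    $check = Test-ScomCheckpointName -Name $name
    # Only probe the disk when the name is legal; Test-Path on an illegal name is pointless.
    $exists = if ($check.IsValidName) {
        Test-Path -LiteralPath (Join-Path $checkpointDir $name)
    } else {
        $false
    }
    $check | Add-Member -NotePropertyName Exists -NotePropertyValue $exists -PassThru
}
```

On a Windows host the second name fails the check because `"` and `*` are in `GetInvalidFileNameChars()`, so under the assumed naming pattern no checkpoint file could be written for a command containing a quoted wildcard. If you want to confirm the pattern rather than assume it, compare the name this produces for `Get-SCOMAlert` with the file that actually exists in the checkpoint directory for the default input.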

deckemha
Explorer

Does anybody have an idea on this?

Thanks a lot!

Many Regards

Michael
