Hello,
Please help me identify my issue; maybe I'm missing something I don't see.
I created a simple PowerShell script to get data from a Certificate Authority server (using the certutil command), then packaged it as a Splunk application.
After I deployed the app on the CA server with Splunk installed and then executed the script manually from PowerShell ISE, I can see output in the console. But during scheduled execution, there's no data in my index. There are no errors in the internal logs, so I can't identify where the issue is. Any feedback will help. Thanks.
Also, I already tried other workarounds from other threads, which still didn't work (like using a .path file, powershell stanza, etc.).
My .bat file:
@ECHO OFF
Powershell.exe -executionpolicy remotesigned -File "%~dpn0.ps1"
inputs.conf:
[script://.\bin\scripts\get_ca_issued_certs.bat]
disabled = 0
index = cert_authority_idx
sourcetype = ca_issued_certs
interval = 300
Internal logs:
5:41:24.397 AM | 02-22-2023 05:41:24.397 -0800 INFO ExecProcessor [6372 ExecProcessor] - New scheduled exec process: "C:\Program Files\Splunk\etc\apps\cert_authority_win_uf\bin\scripts\get_ca_issued_certs.bat" |
Output when manually executed:
Date=2023-02-22_06:02:00_-08:00,object=Cert Authority,counter=Issued Certs Expiry,RequestID=4,RequesterName=NT AUTHORI
TY\IUSR,SerialNumber=2a0000000455e56fc1482ef85f000000000004,NotAfter=2/21/2024 7:37 AM,Value=364
Date=2023-02-22_06:02:00_-08:00,object=Cert Authority,counter=Issued Certs Expiry,RequestID=5,RequesterName=NT AUTHORI
TY\IUSR,SerialNumber=2a000000052914506fdbd37f24000000000005,NotAfter=2/21/2024 7:39 AM,Value=364