Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Powershell scripted input

Leo
Splunk Employee
Splunk Employee
‎02-03-2010 02:19 AM

I have a Powershell script that runs continuously and prints some data to the console. I'd like to configure Splunk to index this data.

I went to Manager » Data inputs » Script » Add New and entered this line in 'Command'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "-command "& 'c:\myscript.ps1'""

but in splunkd.log I get this message:

02-02-2010 17:51:35.195 ERROR FrameworkUtils - Incorrect path to script: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe.  Script must be in a bin subdirectory in $SPLUNK_HOME.
02-02-2010 17:51:35.195 ERROR ExecProcessor - Ignoring: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "-command "& 'c:\myscript.ps1'""

Why am I not allowed to call powershell?

P.S. I found a workaround for this by having a .bat file inside SPLUNK_HOME\bin\scripts. It contains the command line from above. Then I've created a scripted input pointing to this .bat file.
But it looks much less than optimal having cmd.exe to host powershell.exe and I hope someone has a better solution.

Reply
1 Solution
Solved! Jump to solution
Solution

Leo
Splunk Employee
Splunk Employee
‎02-10-2010 09:24 PM

I've got one more solution that I'm going to use:

Instead of using bat files you can create a .path file:
/apps/myapp/bin/myscript.path that will contain the following:

%SystemRoot%\System32\WindowsPowerShell\v1.0\powershell.exe -command "& {set-executionpolicy Remotesigned; '$SPLUNK_HOME\etc\apps\myapp\bin\myscript.ps1' -myarg1 -myarg2}"

And in inputs.conf write:

[script://$SPLUNK_HOME\etc\apps\myapp\bin\myscript.path]

It worked like a charm.

Update: Recommend using a relative path instead:

[script://.\bin\myscript.path]

View solution in original post

Reply
Solved! Jump to solution
Solution

Leo
Splunk Employee
Splunk Employee
‎02-10-2010 09:24 PM

I've got one more solution that I'm going to use:

Instead of using bat files you can create a .path file:
/apps/myapp/bin/myscript.path that will contain the following:

%SystemRoot%\System32\WindowsPowerShell\v1.0\powershell.exe -command "& {set-executionpolicy Remotesigned; '$SPLUNK_HOME\etc\apps\myapp\bin\myscript.ps1' -myarg1 -myarg2}"

And in inputs.conf write:

[script://$SPLUNK_HOME\etc\apps\myapp\bin\myscript.path]

It worked like a charm.

Update: Recommend using a relative path instead:

[script://.\bin\myscript.path]
Reply
Solved! Jump to solution

edoardo_vicendo
Contributor
‎07-05-2021 10:00 AM

Thank you, I have been able to run my PowerShell script with the .path wrapper, the only difference was that instead of -command I used the -file option:

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -file "C:\Program Files\SplunkUniversalForwarder\etc\apps\myapp\bin\MyScript.ps1"

This is also reported in the following splunk answer:

https://community.splunk.com/t5/Getting-Data-In/How-to-troubleshoot-why-my-PowerShell-scripted-input...

 

0 Karma
Reply
Solved! Jump to solution

gkanapathy
Splunk Employee
Splunk Employee
‎02-21-2010 09:21 PM

Oh, and note that using a relative path doesn't have the security hole, as Splunk will only accept a path from the app's own "bin" directory and below, i.e., it won't use a path containing a ".." component to go up and run something else.

Reply
Solved! Jump to solution

gkanapathy
Splunk Employee
Splunk Employee
‎02-21-2010 09:17 PM

It would be better to configured the script stanza to read as:

[script://.\bin\myscript.path]

as this will make it independent of the name of your app folder.

Reply
Solved! Jump to solution

gkanapathy
Splunk Employee
Splunk Employee
‎02-10-2010 09:24 PM

Splunk does not allow execution of programs outside of designated locations for security reasons. If it was allowed, any user who could create inputs could execute any code as the Splunk account. To control this, any code that a user can run must be explicitly placed in designated locations by someone who is authorized to do so.

Allowing a special case for cmd.exe or powershell.exe would have the same security hole.

Your workaround is perfectly valid, and is the intended one.

0 Karma
Reply
Solved! Jump to solution

gkanapathy
Splunk Employee
Splunk Employee
‎02-03-2010 06:30 PM

Anotherway to avoid "wrapping" via BAT is to ensure that the scripts located in the bin directories are automatically associated with the appropriate script engine by the OS (or by Splunk). In Unix, the convention of using #!/path/to/shell does this. In Windows, .bat files are associated with the cmd.exe, and you can create new associations via FTYPE and ASSOC.

In this case, you do not need to wrap your scripts inside of another script, and at the same time, users are limited to only running code that has been explicitly placed in the specified locations (and presumably vetted).

Reply
Solved! Jump to solution

jrodman
Splunk Employee
Splunk Employee
‎02-03-2010 06:26 PM

The requirement that people be able to modify files in the appropriate script directories is not a strong security guarantee, but it's more than nothing. If anything we just need better commentary around the feature.

Reply
Solved! Jump to solution

Leo
Splunk Employee
Splunk Employee
‎02-03-2010 07:08 AM

thanks, V, your suggestion inspired me for another workaround below 😉

0 Karma
Reply
Solved! Jump to solution

V_at_Splunk
Splunk Employee
Splunk Employee
‎02-03-2010 05:16 AM

Have you tried having your powershell.exe scripted input be in a bin subdirectory in $SPLUNK_HOME?

Reply
Get Updates on the Splunk Community!

How to Monitor Google Kubernetes Engine (GKE)

We’ve looked at how to integrate Kubernetes environments with Splunk Observability Cloud, but what about ...

Index This | How can you make 45 using only 4?

October 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Splunk Education Goes to Washington | Splunk GovSummit 2024

If you’re in the Washington, D.C. area, this is your opportunity to take your career and Splunk skills to the ...