I am attempting to use the "TA-Sysmon-deploy" Splunkbase app to deploy and maintain Sysmon on our endpoints. I've noticed that the script which checks for sysmon then installs it does run correctly. It always results in a "sysmon not found" situation and re-installs it. This is expected activity if the script does not see sysmon running or it detects it is out of date. Nonetheless, the script completes each time by installing sysmon again and again, even though the host has the proper version of sysmon installed and running.
The peculiar thing here is that it works correctly if I run the batch script manually from an Admin (as system) command prompt but not when run by the Splunk Universal Forwarder. I've added an Echo statement so I can check the script variables just before they go into the deployment IF statements. They are correct when manually run but are not when executed by Splunk.
Any comments or suggestions would be helpful. I have included sample logs and the script below.
sysmon.log when Splunk runs the batch file via the input setting:
Thu 09/10/2020- 9:19:40.03 The SplunkUniversalForwarder is installed at C:\Program Files\SplunkUniversalForwarder
Thu 09/10/2020- 9:19:40.03 Checking for Sysmon
Thu 09/10/2020- 9:19:40.03 Sysmon not found, proceding to install
Thu 09/10/2020- 9:19:40.03 Copying the latest config file
100% copied 1 file(s) copied.
Thu 09/10/2020- 9:19:40.03 Installing Sysmon
Thu 09/10/2020- 9:19:40.03 Install complete!
sysmon.log when run from an Admin command prompt (as "system"):
Wed 09/09/2020- 9:08:59.03 The SplunkUniversalForwarder is installed at C:\Program Files\SplunkUniversalForwarder
Wed 09/09/2020- 9:08:59.03 Checking for Sysmon
Wed 09/09/2020- 9:08:59.03 Sysmon found, checking version
Wed 09/09/2020- 9:08:59.03 Sysmon already up to date, exiting
Here is the script from the deploy.bat file. This batch file is part of "TA-Sysmon-deploy" from Splunkbase. I have added the following to the script while troubleshooting.
- SETLOCAL and ENDLOCAL: removes any variable influences from outside the script
- Enclosed the version check FOR statement in an IF EXIST clause (the script seemed to error out if sysmon.exe did not exist)
- Added variable output "echo" statements so I can see the variables in the logs just before the IF statements.
TA's deploy.bat file:

ECHO OFF
SETLOCAL
REM Derive the forwarder install directory from the SplunkForwarder service binary path
FOR /F "delims=" %%i IN ('wmic service SplunkForwarder get Pathname ^| FINDSTR /m service') DO SET SPLUNKDPATH=%%i
SET SPLUNKPATH=%SPLUNKDPATH:~1,-28%
REM Everything inside this block is appended to the log
>> %WINDIR%\sysmon.log (
    ECHO %DATE%-%TIME% The SplunkUniversalForwarder is installed at %SPLUNKPATH%
    ECHO %DATE%-%TIME% Checking for Sysmon
    REM 1 if the Sysmon service reports RUNNING, otherwise 0
    FOR /F "delims=" %%c IN ('sc query "Sysmon" ^| FIND /c "RUNNING"') DO (
        SET CHECK_SYSMON_RUNNIG=%%c
    )
    REM 1 if the installed binary prints the expected version banner, otherwise 0
    IF EXIST %WINDIR%\sysmon.exe (
        FOR /F "delims=" %%b IN ('c:\windows\sysmon.exe ^| FIND /c "System Monitor v11.11"') DO (
            SET CHECK_SYSMON_VERSION=%%b
        )
    )
    REM Troubleshooting output: show the variables just before the IF statements
    ECHO CHECK_SYSMON_VERSION="%CHECK_SYSMON_VERSION%"
    ECHO CHECK_SYSMON_RUNNIG="%CHECK_SYSMON_RUNNIG%"
    if "%CHECK_SYSMON_RUNNIG%" == "1" (
        ECHO %DATE%-%TIME% Sysmon found, checking version
        IF "%CHECK_SYSMON_VERSION%" == "1" (
            ECHO %DATE%-%TIME% Sysmon already up to date, exiting
            ENDLOCAL
            EXIT
        ) ELSE (
            ECHO %DATE%-%TIME% Sysmon binary is outdated, un-installing
            IF EXIST %WINDIR%\sysmon.exe (
                %WINDIR%\sysmon.exe -u
            )
        )
    ) ELSE (
        ECHO %DATE%-%TIME% Sysmon not found, proceding to install
        ECHO %DATE%-%TIME% Copying the latest config file
        COPY /z /y "%SPLUNKPATH%\etc\apps\TA-Sysmon-deploy\bin\config.xml" "C:\windows\"
        ECHO %DATE%-%TIME% Installing Sysmon
        "%SPLUNKPATH%\etc\apps\TA-Sysmon-deploy\bin\sysmon.exe" /accepteula -i c:\windows\config.xml | Find /c "Sysmon installed" 1>NUL
        ECHO %DATE%-%TIME% Install complete!
        ENDLOCAL
        EXIT
    )
    ECHO %DATE%-%TIME% Install failed
)
ENDLOCAL
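One cmd.exe behaviour worth ruling out when a check like this gives different answers in different contexts: inside a parenthesized block, every %VAR% is expanded once, when the block is parsed, not when each line runs. Variables that a FOR loop sets inside the same block are therefore read as whatever they held before the block started. The posted logs show the same effect on %TIME%, since every line of each run carries an identical timestamp. The script below is an added example, not the TA-Sysmon-deploy script, that performs the same "running and at the expected version" check with delayed expansion enabled, so the values set by FOR are read with !VAR! at execution time. It assumes, as the original does, that sysmon.exe prints its version banner to standard output when run with no arguments, that %WINDIR% contains no spaces, and that the expected version string is the one the TA checks for.

```batch
@ECHO OFF
REM Added example (not the TA-Sysmon-deploy script): same Sysmon check, but with
REM delayed expansion so values set by FOR inside the block are visible via !VAR!.
SETLOCAL EnableDelayedExpansion

REM Assumed values: adjust the expected banner text and paths for your environment.
SET "EXPECTED_VERSION=System Monitor v11.11"
SET "SYSMON_EXE=%WINDIR%\sysmon.exe"
SET "LOGFILE=%WINDIR%\sysmon.log"

REM Initialise explicitly so a stale value from the caller's environment
REM (e.g. a previous manual run in the same console) cannot leak in.
SET "CHECK_SYSMON_RUNNING=0"
SET "CHECK_SYSMON_VERSION=0"
SET "RESULT=unknown"

>> "%LOGFILE%" (
    REM !DATE!/!TIME! are read per line; %DATE%/%TIME% would be fixed for the whole block.
    ECHO !DATE!-!TIME! Checking for Sysmon

    REM 1 if the service query contains a RUNNING line, otherwise 0.
    FOR /F "delims=" %%c IN ('sc query "Sysmon" ^| FIND /c "RUNNING"') DO SET "CHECK_SYSMON_RUNNING=%%c"

    REM Only ask the binary for its banner if it exists (the FOR would fail otherwise).
    IF EXIST "%SYSMON_EXE%" (
        FOR /F "delims=" %%b IN ('%SYSMON_EXE% ^| FIND /c "%EXPECTED_VERSION%"') DO SET "CHECK_SYSMON_VERSION=%%b"
    )

    REM These reflect the values just set above, because they are expanded at execution time.
    ECHO !DATE!-!TIME! CHECK_SYSMON_RUNNING="!CHECK_SYSMON_RUNNING!" CHECK_SYSMON_VERSION="!CHECK_SYSMON_VERSION!"

    IF "!CHECK_SYSMON_RUNNING!"=="1" (
        IF "!CHECK_SYSMON_VERSION!"=="1" (
            ECHO !DATE!-!TIME! Sysmon already up to date, exiting
            SET "RESULT=uptodate"
        ) ELSE (
            ECHO !DATE!-!TIME! Sysmon binary is outdated
            SET "RESULT=outdated"
        )
    ) ELSE (
        ECHO !DATE!-!TIME! Sysmon not found
        SET "RESULT=missing"
    )
)

REM The install / uninstall actions from the original script would branch on !RESULT! here.
ECHO Result: !RESULT!
ENDLOCAL
```

Running this once manually and once under the forwarder, and comparing the logged CHECK_* values between the two, separates a variable-expansion problem from a genuine difference in what `sc query` or the sysmon.exe banner returns in the forwarder's context.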
That is correct. Both the config and the installation must be there.
About the script and your environment: you can test it first on your Windows station; when you confirm that it works in both cases (deploy and update), you can test it from Splunk.
Of course, take care of the path when you test it on the system.
Thank you for the reply.
The installation files are contained in the "TA-Sysmon-deploy" app in the Splunk UF directory. Is that correct, or did I misunderstand your comment?