TA-Sysmon-deploy: Issue with deploy.bat

Path Finder

I am attempting to use the "TA-Sysmon-deploy" Splunkbase app to deploy and maintain Sysmon on our endpoints. I've noticed that the script which checks for sysmon then installs it does run correctly. It always results in a "sysmon not found" situation and re-installs it. This is expected activity if the script does not see sysmon running or it detects is out of date. Nonetheless, the script completes each time by installing sysmon again and again, even thought the host has the proper version of sysmon installed and running.

The peculiar thing here is that it works correctly if I run the batch script manually from an Admin (as system) command prompt but not when run by the Splunk Universal Forwarder. I've added an Echo statement so I can the check script variables just before they go into the deployment IF statements. Theyare correct when manually run but are not when executed by Splunk.

Any comments or suggestions would be helpful. I have included sample logs and the script below.

sysmon.log when Splunk runs the batch file via input setting.

Thu 09/10/2020- 9:19:40.03 The SplunkUniversalForwarder is installed at C:\Program Files\SplunkUniversalForwarder
Thu 09/10/2020- 9:19:40.03 Checking for Sysmon
Thu 09/10/2020- 9:19:40.03 Sysmon not found, proceding to install
Thu 09/10/2020- 9:19:40.03 Copying the latest config file
0% copied
100% copied 1 file(s) copied.
Thu 09/10/2020- 9:19:40.03 Installing Sysmon
Thu 09/10/2020- 9:19:40.03 Install complete!

sysmon.log when run from and Admin command prompt (as "system")

Wed 09/09/2020- 9:08:59.03 The SplunkUniversalForwarder is installed at C:\Program Files\SplunkUniversalForwarder
Wed 09/09/2020- 9:08:59.03 Checking for Sysmon
Wed 09/09/2020- 9:08:59.03 Sysmon found, checking version
Wed 09/09/2020- 9:08:59.03 Sysmon already up to date, exiting

Here is the script from the deploy.bat file. This batch file is part of "TA-Sysmon-deploy" from Splunkbase. I have added the following to the script while troubleshooting.

- SETLOCAL and ENDLOCAL: removes any outside the script variable influences
- Enclosed the version check FOR statement in an IF EXIST clause, the script seemed to error out if sysmon.exe did not exist)
- added variable output "echo" statements so I can see the variable in the logs just before the IF statements.

TA's deploy.bat file





FOR /F "delims=" %%i IN ('wmic service SplunkForwarder get Pathname ^| FINDSTR /m service') DO SET SPLUNKDPATH=%%i

>> %WINDIR%\sysmon.log (
ECHO %DATE%-%TIME% The SplunkUniversalForwarder is installed at %SPLUNKPATH%
ECHO %DATE%-%TIME% Checking for Sysmon

FOR /F "delims=" %%c IN ('sc query "Sysmon" ^| FIND /c "RUNNING"') DO (

IF EXIST %WINDIR%\sysmon.exe (
FOR /F "delims=" %%b IN ('c:\windows\sysmon.exe ^| FIND /c "System Monitor v11.11"') DO (


if "%CHECK_SYSMON_RUNNIG%" == "1" (
    ECHO %DATE%-%TIME% Sysmon found, checking version
    IF "%CHECK_SYSMON_VERSION%" == "1" (
        ECHO %DATE%-%TIME% Sysmon already up to date, exiting
    ) ELSE (
        ECHO %DATE%-%TIME% Sysmon binary is outdated, un-installing
        IF EXIST %WINDIR%\sysmon.exe (
            %WINDIR%\sysmon.exe -u
) ELSE (
    ECHO %DATE%-%TIME% Sysmon not found, proceding to install
    ECHO %DATE%-%TIME% Copying the latest config file
    COPY /z /y "%SPLUNKPATH%\etc\apps\TA-Sysmon-deploy\bin\config.xml" "C:\windows\"
    ECHO %DATE%-%TIME% Installing Sysmon
    "%SPLUNKPATH%\etc\apps\TA-Sysmon-deploy\bin\sysmon.exe" /accepteula -i c:\windows\config.xml | Find /c "Sysmon installed" 1>NUL
    ECHO %DATE%-%TIME% Install complete!
ECHO %DATE%-%TIME% Install failed
that is correct. Both, config and installation must be there..

about script and your environment, you can test it first on your windows station, when you confirm that work in both case (deploy and update), you can test it from splunk..

ofc. take care of path when you test it on system

hi, you must add sysmon installation in splunk app locally (from where splunk push installation to clients).


Thank you for the reply. 

The installation files are contained in the "TA-Sysmon-deploy"  app in the Splunk UF directory.  Is that correct or did I misunderstanding your comment? 




