Getting Data In

TA-Sysmon-deploy: Issue with deploy.bat

kwasielewski
Path Finder

I am attempting to use the "TA-Sysmon-deploy" Splunkbase app to deploy and maintain Sysmon on our endpoints. I've noticed that the script which checks for sysmon then installs it does run correctly. It always results in a "sysmon not found" situation and re-installs it. This is expected activity if the script does not see sysmon running or it detects it is out of date. Nonetheless, the script completes each time by installing sysmon again and again, even though the host has the proper version of sysmon installed and running.

The peculiar thing here is that it works correctly if I run the batch script manually from an Admin (as system) command prompt but not when run by the Splunk Universal Forwarder. I've added an Echo statement so I can check the script variables just before they go into the deployment IF statements. They are correct when manually run but are not when executed by Splunk.

Any comments or suggestions would be helpful. I have included sample logs and the script below.


Thank you,

Ken


sysmon.log when Splunk runs the batch file via input setting.

Thu 09/10/2020- 9:19:40.03 The SplunkUniversalForwarder is installed at C:\Program Files\SplunkUniversalForwarder
Thu 09/10/2020- 9:19:40.03 Checking for Sysmon
CHECK_SYSMON_VERSION=""
CHECK_SYSMON_RUNNIG=""
Thu 09/10/2020- 9:19:40.03 Sysmon not found, proceding to install
Thu 09/10/2020- 9:19:40.03 Copying the latest config file
0% copied
100% copied 1 file(s) copied.
Thu 09/10/2020- 9:19:40.03 Installing Sysmon
Thu 09/10/2020- 9:19:40.03 Install complete!


sysmon.log when run from an Admin command prompt (as "system")

Wed 09/09/2020- 9:08:59.03 The SplunkUniversalForwarder is installed at C:\Program Files\SplunkUniversalForwarder
Wed 09/09/2020- 9:08:59.03 Checking for Sysmon
CHECK_SYSMON_RUNNIG="1"
CHECK_SYSMON_VERSION="1"
Wed 09/09/2020- 9:08:59.03 Sysmon found, checking version
Wed 09/09/2020- 9:08:59.03 Sysmon already up to date, exiting

Here is the script from the deploy.bat file. This batch file is part of "TA-Sysmon-deploy" from Splunkbase. I have added the following to the script while troubleshooting.

- SETLOCAL and ENDLOCAL: removes any influence from variables set outside the script
- Enclosed the version-check FOR statement in an IF EXIST clause (the script seemed to error out if sysmon.exe did not exist)
- Added variable output "echo" statements so I can see the variables in the logs just before the IF statements.

TA's deploy.bat file

ECHO OFF

SETLOCAL

FOR /F "delims=" %%i IN ('wmic service SplunkForwarder get Pathname ^| FINDSTR /m service') DO SET SPLUNKDPATH=%%i
SET SPLUNKPATH=%SPLUNKDPATH:~1,-28%

>> %WINDIR%\sysmon.log (
ECHO %DATE%-%TIME% The SplunkUniversalForwarder is installed at %SPLUNKPATH%
ECHO %DATE%-%TIME% Checking for Sysmon

FOR /F "delims=" %%c IN ('sc query "Sysmon" ^| FIND /c "RUNNING"') DO (
    SET CHECK_SYSMON_RUNNIG=%%c
)

IF EXIST %WINDIR%\sysmon.exe (
FOR /F "delims=" %%b IN ('c:\windows\sysmon.exe ^| FIND /c "System Monitor v11.11"') DO (
    SET CHECK_SYSMON_VERSION=%%b
)
)

ECHO CHECK_SYSMON_VERSION="%CHECK_SYSMON_VERSION%"
ECHO CHECK_SYSMON_RUNNIG="%CHECK_SYSMON_RUNNIG%"

if "%CHECK_SYSMON_RUNNIG%" == "1" (
    ECHO %DATE%-%TIME% Sysmon found, checking version
    IF "%CHECK_SYSMON_VERSION%" == "1" (
        ECHO %DATE%-%TIME% Sysmon already up to date, exiting
        ENDLOCAL
        EXIT
    ) ELSE (
        ECHO %DATE%-%TIME% Sysmon binary is outdated, un-installing
        IF EXIST %WINDIR%\sysmon.exe (
            %WINDIR%\sysmon.exe -u
        )
    )
) ELSE (
    ECHO %DATE%-%TIME% Sysmon not found, proceding to install
    ECHO %DATE%-%TIME% Copying the latest config file
    COPY /z /y "%SPLUNKPATH%\etc\apps\TA-Sysmon-deploy\bin\config.xml" "C:\windows\"
    ECHO %DATE%-%TIME% Installing Sysmon
    "%SPLUNKPATH%\etc\apps\TA-Sysmon-deploy\bin\sysmon.exe" /accepteula -i c:\windows\config.xml | Find /c "Sysmon installed" 1>NUL
    ECHO %DATE%-%TIME% Install complete!
    ENDLOCAL    
    EXIT
)
ECHO %DATE%-%TIME% Install failed
)
ENDLOCAL

vmicovic2
Explorer

That is correct. Both the config and the installation must be there.

About the script and your environment: you can test it first on your Windows station; when you confirm that it works in both cases (deploy and update), you can test it from Splunk.

Of course, take care of the path when you test it on the system.


vmicovic2
Explorer

Hi, you must add the Sysmon installation in the Splunk app locally (from where Splunk pushes the installation to clients).


kwasielewski
Path Finder

Hi,

Thank you for the reply. 

The installation files are contained in the "TA-Sysmon-deploy" app in the Splunk UF directory. Is that correct, or did I misunderstand your comment?

"%SPLUNKPATH%\etc\apps\TA-Sysmon-deploy\bin\sysmon.exe"


Ken


ali-tavakoli
New Member

You should use SETLOCAL ENABLEDELAYEDEXPANSION instead of SETLOCAL and change your code to this:

ECHO OFF

SETLOCAL ENABLEDELAYEDEXPANSION

FOR /F "delims=" %%i IN ('wmic service SplunkForwarder get Pathname ^| FINDSTR /m service') DO SET SPLUNKDPATH=%%i
SET SPLUNKPATH=%SPLUNKDPATH:~1,-28%

>> %WINDIR%\sysmon.log (
ECHO %DATE%-%TIME% The SplunkUniversalForwarder is installed at %SPLUNKPATH%
ECHO %DATE%-%TIME% Checking for Sysmon

FOR /F "delims=" %%c IN ('sc query "Sysmon" ^| FIND /c "RUNNING"') DO (
    SET CHECK_SYSMON_RUNNIG=%%c
)

IF EXIST %WINDIR%\sysmon.exe (
FOR /F "delims=" %%b IN ('c:\windows\sysmon.exe ^| FIND /c "System Monitor v11.11"') DO (
    SET CHECK_SYSMON_VERSION=%%b
)
)

ECHO CHECK_SYSMON_VERSION=!CHECK_SYSMON_VERSION!
ECHO CHECK_SYSMON_RUNNIG=!CHECK_SYSMON_RUNNIG!

if "!CHECK_SYSMON_RUNNIG!" == "1" (
    ECHO %DATE%-%TIME% Sysmon found, checking version
    IF "!CHECK_SYSMON_VERSION!" == "1" (
        ECHO %DATE%-%TIME% Sysmon already up to date, exiting
        ENDLOCAL
        EXIT
    ) ELSE (
        ECHO %DATE%-%TIME% Sysmon binary is outdated, un-installing
        IF EXIST %WINDIR%\sysmon.exe (
            %WINDIR%\sysmon.exe -u
        )
    )
) ELSE (
    ECHO %DATE%-%TIME% Sysmon not found, proceding to install
    ECHO %DATE%-%TIME% Copying the latest config file
    COPY /z /y "%SPLUNKPATH%\etc\apps\TA-Sysmon-deploy\bin\config.xml" "C:\windows\"
    ECHO %DATE%-%TIME% Installing Sysmon
    "%SPLUNKPATH%\etc\apps\TA-Sysmon-deploy\bin\sysmon.exe" /accepteula -i c:\windows\config.xml | Find /c "Sysmon installed" 1>NUL
    ECHO %DATE%-%TIME% Install complete!
    ENDLOCAL
    EXIT
)
ECHO %DATE%-%TIME% Install failed
)
ENDLOCAL
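As an added illustration (not code from the TA or from any poster in this thread), the batch file below reproduces the mechanism behind this fix: cmd.exe expands every %VAR% inside a parenthesised block once, when the block is parsed, so a SET executed by the FOR loop cannot change the %CHECK_SYSMON_RUNNIG% text that follows it, while !VAR! is read when the line actually runs. The same rule is why every line of the posted sysmon.log carries an identical %DATE%-%TIME% stamp; the service and variable names are taken from the thread, and the log path under %TEMP% is an assumption.

```batch
@ECHO OFF
REM Added demonstration, not the TA's deploy.bat. Shows stale %VAR%
REM versus live !VAR! inside a redirected parenthesised block.
SETLOCAL ENABLEDELAYEDEXPANSION
REM Log path is an assumption for this demo only.
SET "LOG=%TEMP%\expansion-demo.log"
REM Seed the variable so the parse-time value is recognisable.
SET "CHECK_SYSMON_RUNNIG=stale"

>> "%LOG%" (
    REM cmd.exe parses this whole block before running any line in it,
    REM replacing every %...% below with the value held at this moment.
    FOR /F "delims=" %%c IN ('sc query "Sysmon" ^| FIND /c "RUNNING"') DO SET "CHECK_SYSMON_RUNNIG=%%c"
    REM Still prints "stale": expanded before the FOR loop ran.
    ECHO percent expansion : "%CHECK_SYSMON_RUNNIG%"
    REM Prints the FIND /c count: expanded when this line executes.
    ECHO delayed expansion : "!CHECK_SYSMON_RUNNIG!"
    REM %TIME% is frozen the same way: both stamps below are identical.
    ECHO %TIME% first timestamp
    timeout /t 2 /nobreak >NUL
    ECHO %TIME% second timestamp, same value as the first
    REM A CALLed subroutine is parsed on entry, so its %TIME% is fresh.
    CALL :stamp "third timestamp via CALL, two seconds later"
)
TYPE "%LOG%"
DEL "%LOG%"
ENDLOCAL
EXIT /B 0

:stamp
REM Writes a fresh date/time stamp followed by the caller's message.
ECHO %DATE%-%TIME% %~1
EXIT /B 0
```

Run it from an elevated prompt on a host with and without the Sysmon service; the "percent expansion" line reads "stale" either way, which is the behaviour the original deploy.bat hit when its IF statements compared %CHECK_SYSMON_RUNNIG% to "1".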
