Splunk Enterprise

How to install Splunk UFs to Windows centralized and securely?

Zhanali
Path Finder

Hi, all! We want to install Splunk UFs to about 200 Windows Servers, process should be centralized and secured.
1. We tried install by .bat script with required fields as LOGON_USERNAME, LOGON_PASSWORD and etc. But therein lies the problem, anyone can see user credentials.
2. Then we tried change .msi installer file properties, but here is the same problem, anyone can open .msi file with msi redactor and see credentials.

We want to install Splunk UF centralized and so that no one can see/get credentials.

Can you recommend any way to realize this process?

Labels (1)
0 Karma
1 Solution

Zhanali
Path Finder

Hi all! We solved this problem with a powershell script with PSSession. You can change according to your requirements. I will be glad if this solution helps anyone!

 

#
#Prerequsites:
#-Powershell modules for AD
#-Firewall access via ports tcp\5985 and tcp\5986
#-Computer Administrator permissions on remote host
#-Upgrade Powershell to latest version


#CHANGE THE COMPUTER LIST BY REQUIREMENT
#SELECT BY NAME:
#$L3 = Get-ADComputer -Filter {Name -eq 'Computer_1' -or Name -eq 'Computer_2'} | select Name 
#SELECT BY OU:
$L3 = Get-ADComputer -Filter * -SearchBase "OU=windows-pc, DC=it, DC=com" | select Name

$missed = @()
$folder = @()
$manual = @()
$installed = @()
$report = @()

$L3 = $L3.Name
$count = 0
$count = $L3.Count
Write-Host "Ready to start on $count computers"
Write-Host ""
foreach ($line in $L3)
{
    $obj = New-Object -TypeName psobject
    $pssession = New-PSSession -ComputerName $line -ErrorAction SilentlyContinue
    if ($pssession)
    {
        Write-Host "Checking host $line"
        $check = Invoke-Command -Session $pssession -ScriptBlock {$service = Get-CimInstance Win32_Service -Filter 'Name = "SplunkForwarder"' | select SystemName, Name, PathName, Status, State; New-Object -TypeName PSCustomObject -Property @{SystemName = $service.SystemName; Name = $service.Name; PathName = $service.PathName; Status = $service.Status; State = $service.State }} -ErrorAction SilentlyContinue
        if($check)
        {
             
            if($check.PathName -notlike "*C:\*" -and $check.PathName -ne $null)
            {
                    
                $folder += $line
            }
            if($check.PathName -eq $null)
            {
                $missed += $line
            }
            if ($check.PathName -like "*C:\Program Files\SplunkUniversalForwarder*")
            {
                $installed_version = Invoke-Command -Session $pssession -ScriptBlock { C:\windows\system32\cmd.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" version }
            }
            Add-Member -InputObject $obj -MemberType NoteProperty -Name "ComputerName" -Value $check.PSComputerName
            Add-Member -InputObject $obj -MemberType NoteProperty -Name "Service" -Value $check.Name
            Add-Member -InputObject $obj -MemberType NoteProperty -Name "Status" -Value $check.Status
            Add-Member -InputObject $obj -MemberType NoteProperty -Name "State" -Value $check.State
            Add-Member -InputObject $obj -MemberType NoteProperty -Name "Version" -Value $installed_version
            Add-Member -InputObject $obj -MemberType NoteProperty -Name "Path" -Value $check.PathName

            $report += $obj
        
        }
 
        Remove-PSSession $pssession
    }
    else
    {
        $manual += $line
    }
}

$report | select * | ft

Write-Host "Missed SplunkForwarder :" -ForegroundColor Yellow 
$missed
if ($missed)
{
    Write-Host "Would you like to install Splunk Forwarder to the missed computers?[yes/no]"
    $answer = Read-Host
    if ($answer -eq "yes")
    {
		#ENTER DOMAIN USER CREDENTIALS WHO WILL RUN SPLUNK FORWARDER
		$user = Read-Host "Enter domain user name on format domain\username"
		$securePwd = Read-Host "Enter password of domain user" -AsSecureString
		$pass =[Runtime.InteropServices.Marshal]::PtrToStringAuto([Runtime.InteropServices.Marshal]::SecureStringToBSTR($securePwd))
		
        foreach ($line in $missed)
        {
			$Session = New-PSSession -ComputerName $line -ErrorAction SilentlyContinue
            if ($Session)
            {
				Write-Host ""
                #CHANGE FILE LOCATION IF REQUIRED
				Write-Host "Copy to host $line"
                Copy-Item -Path \\<your_domain>\SYSVOL\<your_domain>\splunk\splunkforwarder-9.0.4-de405f4a7979-x64-release.msi -Destination "C:\Users\Public\Documents" -ToSession $Session
				Write-Host "Installing to host $line"
                Invoke-Command -Session $Session -ScriptBlock {
					Start-Process -FilePath "$env:systemroot\system32\msiexec.exe" -ArgumentList "/i `"C:\Users\Public\Documents\splunkforwarder-9.0.4-de405f4a7979-x64-release.msi`" LOGON_USERNAME=`"$using:user`" LOGON_PASSWORD=`"$using:pass`" SPLUNKUSERNAME=admin DEPLOYMENT_SERVER=`"<deployment_server_IP>:8089`" AGREETOLICENSE=yes GENRANDOMPASSWORD=1 /quiet" -Wait
				}
                #Invoke-Command -Session $Session -ScriptBlock { Start-Service SplunkForwarder }
                Remove-PSSession $Session
            }
        }
    }
}

Write-Host ""
Write-Host "Installed to D drive SplunkForwarder :" -ForegroundColor White -BackgroundColor DarkBlue
$folder 

Write-Host ""
Write-Host "Check Manualy :" -ForegroundColor White -BackgroundColor Red
$manual

Write-Host ""
Write-Host ""
Write-Host ""
read-host "Press ENTER to end work..."

 

View solution in original post

0 Karma

Zhanali
Path Finder

Hi all! We solved this problem with a powershell script with PSSession. You can change according to your requirements. I will be glad if this solution helps anyone!

 

#
#Prerequsites:
#-Powershell modules for AD
#-Firewall access via ports tcp\5985 and tcp\5986
#-Computer Administrator permissions on remote host
#-Upgrade Powershell to latest version


#CHANGE THE COMPUTER LIST BY REQUIREMENT
#SELECT BY NAME:
#$L3 = Get-ADComputer -Filter {Name -eq 'Computer_1' -or Name -eq 'Computer_2'} | select Name 
#SELECT BY OU:
$L3 = Get-ADComputer -Filter * -SearchBase "OU=windows-pc, DC=it, DC=com" | select Name

$missed = @()
$folder = @()
$manual = @()
$installed = @()
$report = @()

$L3 = $L3.Name
$count = 0
$count = $L3.Count
Write-Host "Ready to start on $count computers"
Write-Host ""
foreach ($line in $L3)
{
    $obj = New-Object -TypeName psobject
    $pssession = New-PSSession -ComputerName $line -ErrorAction SilentlyContinue
    if ($pssession)
    {
        Write-Host "Checking host $line"
        $check = Invoke-Command -Session $pssession -ScriptBlock {$service = Get-CimInstance Win32_Service -Filter 'Name = "SplunkForwarder"' | select SystemName, Name, PathName, Status, State; New-Object -TypeName PSCustomObject -Property @{SystemName = $service.SystemName; Name = $service.Name; PathName = $service.PathName; Status = $service.Status; State = $service.State }} -ErrorAction SilentlyContinue
        if($check)
        {
             
            if($check.PathName -notlike "*C:\*" -and $check.PathName -ne $null)
            {
                    
                $folder += $line
            }
            if($check.PathName -eq $null)
            {
                $missed += $line
            }
            if ($check.PathName -like "*C:\Program Files\SplunkUniversalForwarder*")
            {
                $installed_version = Invoke-Command -Session $pssession -ScriptBlock { C:\windows\system32\cmd.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" version }
            }
            Add-Member -InputObject $obj -MemberType NoteProperty -Name "ComputerName" -Value $check.PSComputerName
            Add-Member -InputObject $obj -MemberType NoteProperty -Name "Service" -Value $check.Name
            Add-Member -InputObject $obj -MemberType NoteProperty -Name "Status" -Value $check.Status
            Add-Member -InputObject $obj -MemberType NoteProperty -Name "State" -Value $check.State
            Add-Member -InputObject $obj -MemberType NoteProperty -Name "Version" -Value $installed_version
            Add-Member -InputObject $obj -MemberType NoteProperty -Name "Path" -Value $check.PathName

            $report += $obj
        
        }
 
        Remove-PSSession $pssession
    }
    else
    {
        $manual += $line
    }
}

$report | select * | ft

Write-Host "Missed SplunkForwarder :" -ForegroundColor Yellow 
$missed
if ($missed)
{
    Write-Host "Would you like to install Splunk Forwarder to the missed computers?[yes/no]"
    $answer = Read-Host
    if ($answer -eq "yes")
    {
		#ENTER DOMAIN USER CREDENTIALS WHO WILL RUN SPLUNK FORWARDER
		$user = Read-Host "Enter domain user name on format domain\username"
		$securePwd = Read-Host "Enter password of domain user" -AsSecureString
		$pass =[Runtime.InteropServices.Marshal]::PtrToStringAuto([Runtime.InteropServices.Marshal]::SecureStringToBSTR($securePwd))
		
        foreach ($line in $missed)
        {
			$Session = New-PSSession -ComputerName $line -ErrorAction SilentlyContinue
            if ($Session)
            {
				Write-Host ""
                #CHANGE FILE LOCATION IF REQUIRED
				Write-Host "Copy to host $line"
                Copy-Item -Path \\<your_domain>\SYSVOL\<your_domain>\splunk\splunkforwarder-9.0.4-de405f4a7979-x64-release.msi -Destination "C:\Users\Public\Documents" -ToSession $Session
				Write-Host "Installing to host $line"
                Invoke-Command -Session $Session -ScriptBlock {
					Start-Process -FilePath "$env:systemroot\system32\msiexec.exe" -ArgumentList "/i `"C:\Users\Public\Documents\splunkforwarder-9.0.4-de405f4a7979-x64-release.msi`" LOGON_USERNAME=`"$using:user`" LOGON_PASSWORD=`"$using:pass`" SPLUNKUSERNAME=admin DEPLOYMENT_SERVER=`"<deployment_server_IP>:8089`" AGREETOLICENSE=yes GENRANDOMPASSWORD=1 /quiet" -Wait
				}
                #Invoke-Command -Session $Session -ScriptBlock { Start-Service SplunkForwarder }
                Remove-PSSession $Session
            }
        }
    }
}

Write-Host ""
Write-Host "Installed to D drive SplunkForwarder :" -ForegroundColor White -BackgroundColor DarkBlue
$folder 

Write-Host ""
Write-Host "Check Manualy :" -ForegroundColor White -BackgroundColor Red
$manual

Write-Host ""
Write-Host ""
Write-Host ""
read-host "Press ENTER to end work..."

 

0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...