Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to install Splunk UFs to Windows centralized and securely?

Zhanali
Path Finder
‎05-03-2023 08:33 PM

Hi, all! We want to install Splunk UFs to about 200 Windows Servers, process should be centralized and secured.
1. We tried install by .bat script with required fields as LOGON_USERNAME, LOGON_PASSWORD and etc. But therein lies the problem, anyone can see user credentials.
2. Then we tried change .msi installer file properties, but here is the same problem, anyone can open .msi file with msi redactor and see credentials.

We want to install Splunk UF centralized and so that no one can see/get credentials.

Can you recommend any way to realize this process?

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Zhanali
Path Finder
‎05-10-2023 09:00 PM

Hi all! We solved this problem with a powershell script with PSSession. You can change according to your requirements. I will be glad if this solution helps anyone!

 

#
#Prerequsites:
#-Powershell modules for AD
#-Firewall access via ports tcp\5985 and tcp\5986
#-Computer Administrator permissions on remote host
#-Upgrade Powershell to latest version


#CHANGE THE COMPUTER LIST BY REQUIREMENT
#SELECT BY NAME:
#$L3 = Get-ADComputer -Filter {Name -eq 'Computer_1' -or Name -eq 'Computer_2'} | select Name 
#SELECT BY OU:
$L3 = Get-ADComputer -Filter * -SearchBase "OU=windows-pc, DC=it, DC=com" | select Name

$missed = @()
$folder = @()
$manual = @()
$installed = @()
$report = @()

$L3 = $L3.Name
$count = 0
$count = $L3.Count
Write-Host "Ready to start on $count computers"
Write-Host ""
foreach ($line in $L3)
{
    $obj = New-Object -TypeName psobject
    $pssession = New-PSSession -ComputerName $line -ErrorAction SilentlyContinue
    if ($pssession)
    {
        Write-Host "Checking host $line"
        $check = Invoke-Command -Session $pssession -ScriptBlock {$service = Get-CimInstance Win32_Service -Filter 'Name = "SplunkForwarder"' | select SystemName, Name, PathName, Status, State; New-Object -TypeName PSCustomObject -Property @{SystemName = $service.SystemName; Name = $service.Name; PathName = $service.PathName; Status = $service.Status; State = $service.State }} -ErrorAction SilentlyContinue
        if($check)
        {
             
            if($check.PathName -notlike "*C:\*" -and $check.PathName -ne $null)
            {
                    
                $folder += $line
            }
            if($check.PathName -eq $null)
            {
                $missed += $line
            }
            if ($check.PathName -like "*C:\Program Files\SplunkUniversalForwarder*")
            {
                $installed_version = Invoke-Command -Session $pssession -ScriptBlock { C:\windows\system32\cmd.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" version }
            }
            Add-Member -InputObject $obj -MemberType NoteProperty -Name "ComputerName" -Value $check.PSComputerName
            Add-Member -InputObject $obj -MemberType NoteProperty -Name "Service" -Value $check.Name
            Add-Member -InputObject $obj -MemberType NoteProperty -Name "Status" -Value $check.Status
            Add-Member -InputObject $obj -MemberType NoteProperty -Name "State" -Value $check.State
            Add-Member -InputObject $obj -MemberType NoteProperty -Name "Version" -Value $installed_version
            Add-Member -InputObject $obj -MemberType NoteProperty -Name "Path" -Value $check.PathName

            $report += $obj
        
        }
 
        Remove-PSSession $pssession
    }
    else
    {
        $manual += $line
    }
}

$report | select * | ft

Write-Host "Missed SplunkForwarder :" -ForegroundColor Yellow 
$missed
if ($missed)
{
    Write-Host "Would you like to install Splunk Forwarder to the missed computers?[yes/no]"
    $answer = Read-Host
    if ($answer -eq "yes")
    {
		#ENTER DOMAIN USER CREDENTIALS WHO WILL RUN SPLUNK FORWARDER
		$user = Read-Host "Enter domain user name on format domain\username"
		$securePwd = Read-Host "Enter password of domain user" -AsSecureString
		$pass =[Runtime.InteropServices.Marshal]::PtrToStringAuto([Runtime.InteropServices.Marshal]::SecureStringToBSTR($securePwd))
		
        foreach ($line in $missed)
        {
			$Session = New-PSSession -ComputerName $line -ErrorAction SilentlyContinue
            if ($Session)
            {
				Write-Host ""
                #CHANGE FILE LOCATION IF REQUIRED
				Write-Host "Copy to host $line"
                Copy-Item -Path \\<your_domain>\SYSVOL\<your_domain>\splunk\splunkforwarder-9.0.4-de405f4a7979-x64-release.msi -Destination "C:\Users\Public\Documents" -ToSession $Session
				Write-Host "Installing to host $line"
                Invoke-Command -Session $Session -ScriptBlock {
					Start-Process -FilePath "$env:systemroot\system32\msiexec.exe" -ArgumentList "/i `"C:\Users\Public\Documents\splunkforwarder-9.0.4-de405f4a7979-x64-release.msi`" LOGON_USERNAME=`"$using:user`" LOGON_PASSWORD=`"$using:pass`" SPLUNKUSERNAME=admin DEPLOYMENT_SERVER=`"<deployment_server_IP>:8089`" AGREETOLICENSE=yes GENRANDOMPASSWORD=1 /quiet" -Wait
				}
                #Invoke-Command -Session $Session -ScriptBlock { Start-Service SplunkForwarder }
                Remove-PSSession $Session
            }
        }
    }
}

Write-Host ""
Write-Host "Installed to D drive SplunkForwarder :" -ForegroundColor White -BackgroundColor DarkBlue
$folder 

Write-Host ""
Write-Host "Check Manualy :" -ForegroundColor White -BackgroundColor Red
$manual

Write-Host ""
Write-Host ""
Write-Host ""
read-host "Press ENTER to end work..."

 

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

Zhanali
Path Finder
‎05-10-2023 09:00 PM

Hi all! We solved this problem with a powershell script with PSSession. You can change according to your requirements. I will be glad if this solution helps anyone!

 

#
#Prerequsites:
#-Powershell modules for AD
#-Firewall access via ports tcp\5985 and tcp\5986
#-Computer Administrator permissions on remote host
#-Upgrade Powershell to latest version


#CHANGE THE COMPUTER LIST BY REQUIREMENT
#SELECT BY NAME:
#$L3 = Get-ADComputer -Filter {Name -eq 'Computer_1' -or Name -eq 'Computer_2'} | select Name 
#SELECT BY OU:
$L3 = Get-ADComputer -Filter * -SearchBase "OU=windows-pc, DC=it, DC=com" | select Name

$missed = @()
$folder = @()
$manual = @()
$installed = @()
$report = @()

$L3 = $L3.Name
$count = 0
$count = $L3.Count
Write-Host "Ready to start on $count computers"
Write-Host ""
foreach ($line in $L3)
{
    $obj = New-Object -TypeName psobject
    $pssession = New-PSSession -ComputerName $line -ErrorAction SilentlyContinue
    if ($pssession)
    {
        Write-Host "Checking host $line"
        $check = Invoke-Command -Session $pssession -ScriptBlock {$service = Get-CimInstance Win32_Service -Filter 'Name = "SplunkForwarder"' | select SystemName, Name, PathName, Status, State; New-Object -TypeName PSCustomObject -Property @{SystemName = $service.SystemName; Name = $service.Name; PathName = $service.PathName; Status = $service.Status; State = $service.State }} -ErrorAction SilentlyContinue
        if($check)
        {
             
            if($check.PathName -notlike "*C:\*" -and $check.PathName -ne $null)
            {
                    
                $folder += $line
            }
            if($check.PathName -eq $null)
            {
                $missed += $line
            }
            if ($check.PathName -like "*C:\Program Files\SplunkUniversalForwarder*")
            {
                $installed_version = Invoke-Command -Session $pssession -ScriptBlock { C:\windows\system32\cmd.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" version }
            }
            Add-Member -InputObject $obj -MemberType NoteProperty -Name "ComputerName" -Value $check.PSComputerName
            Add-Member -InputObject $obj -MemberType NoteProperty -Name "Service" -Value $check.Name
            Add-Member -InputObject $obj -MemberType NoteProperty -Name "Status" -Value $check.Status
            Add-Member -InputObject $obj -MemberType NoteProperty -Name "State" -Value $check.State
            Add-Member -InputObject $obj -MemberType NoteProperty -Name "Version" -Value $installed_version
            Add-Member -InputObject $obj -MemberType NoteProperty -Name "Path" -Value $check.PathName

            $report += $obj
        
        }
 
        Remove-PSSession $pssession
    }
    else
    {
        $manual += $line
    }
}

$report | select * | ft

Write-Host "Missed SplunkForwarder :" -ForegroundColor Yellow 
$missed
if ($missed)
{
    Write-Host "Would you like to install Splunk Forwarder to the missed computers?[yes/no]"
    $answer = Read-Host
    if ($answer -eq "yes")
    {
		#ENTER DOMAIN USER CREDENTIALS WHO WILL RUN SPLUNK FORWARDER
		$user = Read-Host "Enter domain user name on format domain\username"
		$securePwd = Read-Host "Enter password of domain user" -AsSecureString
		$pass =[Runtime.InteropServices.Marshal]::PtrToStringAuto([Runtime.InteropServices.Marshal]::SecureStringToBSTR($securePwd))
		
        foreach ($line in $missed)
        {
			$Session = New-PSSession -ComputerName $line -ErrorAction SilentlyContinue
            if ($Session)
            {
				Write-Host ""
                #CHANGE FILE LOCATION IF REQUIRED
				Write-Host "Copy to host $line"
                Copy-Item -Path \\<your_domain>\SYSVOL\<your_domain>\splunk\splunkforwarder-9.0.4-de405f4a7979-x64-release.msi -Destination "C:\Users\Public\Documents" -ToSession $Session
				Write-Host "Installing to host $line"
                Invoke-Command -Session $Session -ScriptBlock {
					Start-Process -FilePath "$env:systemroot\system32\msiexec.exe" -ArgumentList "/i `"C:\Users\Public\Documents\splunkforwarder-9.0.4-de405f4a7979-x64-release.msi`" LOGON_USERNAME=`"$using:user`" LOGON_PASSWORD=`"$using:pass`" SPLUNKUSERNAME=admin DEPLOYMENT_SERVER=`"<deployment_server_IP>:8089`" AGREETOLICENSE=yes GENRANDOMPASSWORD=1 /quiet" -Wait
				}
                #Invoke-Command -Session $Session -ScriptBlock { Start-Service SplunkForwarder }
                Remove-PSSession $Session
            }
        }
    }
}

Write-Host ""
Write-Host "Installed to D drive SplunkForwarder :" -ForegroundColor White -BackgroundColor DarkBlue
$folder 

Write-Host ""
Write-Host "Check Manualy :" -ForegroundColor White -BackgroundColor Red
$manual

Write-Host ""
Write-Host ""
Write-Host ""
read-host "Press ENTER to end work..."

 

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...