Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to install Splunk UFs to Windows centralized and securely?

Zhanali
Path Finder
‎05-03-2023 08:33 PM

Hi, all! We want to install Splunk UFs to about 200 Windows Servers, process should be centralized and secured.
1. We tried install by .bat script with required fields as LOGON_USERNAME, LOGON_PASSWORD and etc. But therein lies the problem, anyone can see user credentials.
2. Then we tried change .msi installer file properties, but here is the same problem, anyone can open .msi file with msi redactor and see credentials.

We want to install Splunk UF centralized and so that no one can see/get credentials.

Can you recommend any way to realize this process?

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Zhanali
Path Finder
‎05-10-2023 09:00 PM

Hi all! We solved this problem with a powershell script with PSSession. You can change according to your requirements. I will be glad if this solution helps anyone!

 

#
#Prerequsites:
#-Powershell modules for AD
#-Firewall access via ports tcp\5985 and tcp\5986
#-Computer Administrator permissions on remote host
#-Upgrade Powershell to latest version


#CHANGE THE COMPUTER LIST BY REQUIREMENT
#SELECT BY NAME:
#$L3 = Get-ADComputer -Filter {Name -eq 'Computer_1' -or Name -eq 'Computer_2'} | select Name 
#SELECT BY OU:
$L3 = Get-ADComputer -Filter * -SearchBase "OU=windows-pc, DC=it, DC=com" | select Name

$missed = @()
$folder = @()
$manual = @()
$installed = @()
$report = @()

$L3 = $L3.Name
$count = 0
$count = $L3.Count
Write-Host "Ready to start on $count computers"
Write-Host ""
foreach ($line in $L3)
{
    $obj = New-Object -TypeName psobject
    $pssession = New-PSSession -ComputerName $line -ErrorAction SilentlyContinue
    if ($pssession)
    {
        Write-Host "Checking host $line"
        $check = Invoke-Command -Session $pssession -ScriptBlock {$service = Get-CimInstance Win32_Service -Filter 'Name = "SplunkForwarder"' | select SystemName, Name, PathName, Status, State; New-Object -TypeName PSCustomObject -Property @{SystemName = $service.SystemName; Name = $service.Name; PathName = $service.PathName; Status = $service.Status; State = $service.State }} -ErrorAction SilentlyContinue
        if($check)
        {
             
            if($check.PathName -notlike "*C:\*" -and $check.PathName -ne $null)
            {
                    
                $folder += $line
            }
            if($check.PathName -eq $null)
            {
                $missed += $line
            }
            if ($check.PathName -like "*C:\Program Files\SplunkUniversalForwarder*")
            {
                $installed_version = Invoke-Command -Session $pssession -ScriptBlock { C:\windows\system32\cmd.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" version }
            }
            Add-Member -InputObject $obj -MemberType NoteProperty -Name "ComputerName" -Value $check.PSComputerName
            Add-Member -InputObject $obj -MemberType NoteProperty -Name "Service" -Value $check.Name
            Add-Member -InputObject $obj -MemberType NoteProperty -Name "Status" -Value $check.Status
            Add-Member -InputObject $obj -MemberType NoteProperty -Name "State" -Value $check.State
            Add-Member -InputObject $obj -MemberType NoteProperty -Name "Version" -Value $installed_version
            Add-Member -InputObject $obj -MemberType NoteProperty -Name "Path" -Value $check.PathName

            $report += $obj
        
        }
 
        Remove-PSSession $pssession
    }
    else
    {
        $manual += $line
    }
}

$report | select * | ft

Write-Host "Missed SplunkForwarder :" -ForegroundColor Yellow 
$missed
if ($missed)
{
    Write-Host "Would you like to install Splunk Forwarder to the missed computers?[yes/no]"
    $answer = Read-Host
    if ($answer -eq "yes")
    {
		#ENTER DOMAIN USER CREDENTIALS WHO WILL RUN SPLUNK FORWARDER
		$user = Read-Host "Enter domain user name on format domain\username"
		$securePwd = Read-Host "Enter password of domain user" -AsSecureString
		$pass =[Runtime.InteropServices.Marshal]::PtrToStringAuto([Runtime.InteropServices.Marshal]::SecureStringToBSTR($securePwd))
		
        foreach ($line in $missed)
        {
			$Session = New-PSSession -ComputerName $line -ErrorAction SilentlyContinue
            if ($Session)
            {
				Write-Host ""
                #CHANGE FILE LOCATION IF REQUIRED
				Write-Host "Copy to host $line"
                Copy-Item -Path \\<your_domain>\SYSVOL\<your_domain>\splunk\splunkforwarder-9.0.4-de405f4a7979-x64-release.msi -Destination "C:\Users\Public\Documents" -ToSession $Session
				Write-Host "Installing to host $line"
                Invoke-Command -Session $Session -ScriptBlock {
					Start-Process -FilePath "$env:systemroot\system32\msiexec.exe" -ArgumentList "/i `"C:\Users\Public\Documents\splunkforwarder-9.0.4-de405f4a7979-x64-release.msi`" LOGON_USERNAME=`"$using:user`" LOGON_PASSWORD=`"$using:pass`" SPLUNKUSERNAME=admin DEPLOYMENT_SERVER=`"<deployment_server_IP>:8089`" AGREETOLICENSE=yes GENRANDOMPASSWORD=1 /quiet" -Wait
				}
                #Invoke-Command -Session $Session -ScriptBlock { Start-Service SplunkForwarder }
                Remove-PSSession $Session
            }
        }
    }
}

Write-Host ""
Write-Host "Installed to D drive SplunkForwarder :" -ForegroundColor White -BackgroundColor DarkBlue
$folder 

Write-Host ""
Write-Host "Check Manualy :" -ForegroundColor White -BackgroundColor Red
$manual

Write-Host ""
Write-Host ""
Write-Host ""
read-host "Press ENTER to end work..."

 

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

Zhanali
Path Finder
‎05-10-2023 09:00 PM

Hi all! We solved this problem with a powershell script with PSSession. You can change according to your requirements. I will be glad if this solution helps anyone!

 

#
#Prerequsites:
#-Powershell modules for AD
#-Firewall access via ports tcp\5985 and tcp\5986
#-Computer Administrator permissions on remote host
#-Upgrade Powershell to latest version


#CHANGE THE COMPUTER LIST BY REQUIREMENT
#SELECT BY NAME:
#$L3 = Get-ADComputer -Filter {Name -eq 'Computer_1' -or Name -eq 'Computer_2'} | select Name 
#SELECT BY OU:
$L3 = Get-ADComputer -Filter * -SearchBase "OU=windows-pc, DC=it, DC=com" | select Name

$missed = @()
$folder = @()
$manual = @()
$installed = @()
$report = @()

$L3 = $L3.Name
$count = 0
$count = $L3.Count
Write-Host "Ready to start on $count computers"
Write-Host ""
foreach ($line in $L3)
{
    $obj = New-Object -TypeName psobject
    $pssession = New-PSSession -ComputerName $line -ErrorAction SilentlyContinue
    if ($pssession)
    {
        Write-Host "Checking host $line"
        $check = Invoke-Command -Session $pssession -ScriptBlock {$service = Get-CimInstance Win32_Service -Filter 'Name = "SplunkForwarder"' | select SystemName, Name, PathName, Status, State; New-Object -TypeName PSCustomObject -Property @{SystemName = $service.SystemName; Name = $service.Name; PathName = $service.PathName; Status = $service.Status; State = $service.State }} -ErrorAction SilentlyContinue
        if($check)
        {
             
            if($check.PathName -notlike "*C:\*" -and $check.PathName -ne $null)
            {
                    
                $folder += $line
            }
            if($check.PathName -eq $null)
            {
                $missed += $line
            }
            if ($check.PathName -like "*C:\Program Files\SplunkUniversalForwarder*")
            {
                $installed_version = Invoke-Command -Session $pssession -ScriptBlock { C:\windows\system32\cmd.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" version }
            }
            Add-Member -InputObject $obj -MemberType NoteProperty -Name "ComputerName" -Value $check.PSComputerName
            Add-Member -InputObject $obj -MemberType NoteProperty -Name "Service" -Value $check.Name
            Add-Member -InputObject $obj -MemberType NoteProperty -Name "Status" -Value $check.Status
            Add-Member -InputObject $obj -MemberType NoteProperty -Name "State" -Value $check.State
            Add-Member -InputObject $obj -MemberType NoteProperty -Name "Version" -Value $installed_version
            Add-Member -InputObject $obj -MemberType NoteProperty -Name "Path" -Value $check.PathName

            $report += $obj
        
        }
 
        Remove-PSSession $pssession
    }
    else
    {
        $manual += $line
    }
}

$report | select * | ft

Write-Host "Missed SplunkForwarder :" -ForegroundColor Yellow 
$missed
if ($missed)
{
    Write-Host "Would you like to install Splunk Forwarder to the missed computers?[yes/no]"
    $answer = Read-Host
    if ($answer -eq "yes")
    {
		#ENTER DOMAIN USER CREDENTIALS WHO WILL RUN SPLUNK FORWARDER
		$user = Read-Host "Enter domain user name on format domain\username"
		$securePwd = Read-Host "Enter password of domain user" -AsSecureString
		$pass =[Runtime.InteropServices.Marshal]::PtrToStringAuto([Runtime.InteropServices.Marshal]::SecureStringToBSTR($securePwd))
		
        foreach ($line in $missed)
        {
			$Session = New-PSSession -ComputerName $line -ErrorAction SilentlyContinue
            if ($Session)
            {
				Write-Host ""
                #CHANGE FILE LOCATION IF REQUIRED
				Write-Host "Copy to host $line"
                Copy-Item -Path \\<your_domain>\SYSVOL\<your_domain>\splunk\splunkforwarder-9.0.4-de405f4a7979-x64-release.msi -Destination "C:\Users\Public\Documents" -ToSession $Session
				Write-Host "Installing to host $line"
                Invoke-Command -Session $Session -ScriptBlock {
					Start-Process -FilePath "$env:systemroot\system32\msiexec.exe" -ArgumentList "/i `"C:\Users\Public\Documents\splunkforwarder-9.0.4-de405f4a7979-x64-release.msi`" LOGON_USERNAME=`"$using:user`" LOGON_PASSWORD=`"$using:pass`" SPLUNKUSERNAME=admin DEPLOYMENT_SERVER=`"<deployment_server_IP>:8089`" AGREETOLICENSE=yes GENRANDOMPASSWORD=1 /quiet" -Wait
				}
                #Invoke-Command -Session $Session -ScriptBlock { Start-Service SplunkForwarder }
                Remove-PSSession $Session
            }
        }
    }
}

Write-Host ""
Write-Host "Installed to D drive SplunkForwarder :" -ForegroundColor White -BackgroundColor DarkBlue
$folder 

Write-Host ""
Write-Host "Check Manualy :" -ForegroundColor White -BackgroundColor Red
$manual

Write-Host ""
Write-Host ""
Write-Host ""
read-host "Press ENTER to end work..."

 

0 Karma
Reply
Get Updates on the Splunk Community!

Combine Multiline Logs into a Single Event with SOCK - a Guide for Advanced Users

This article is the continuation of the “Combine multiline logs into a single event with SOCK - a step-by-step ...

Everything Community at .conf24!

You may have seen mention of the .conf Community Zone 'round these parts and found yourself wondering what ...

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...