Getting Data In

Create scripted input for Splunk to pull list of installed Firefox Add-Ons from user profiles

tbalouch
Path Finder

Hi Guys,

I want to be able to create a powershell scripted input that would list all the Firefox Add-Ons installed in a user profile on a windows machine. I currently have forwarders on all the machines I would like to accomplish this on. Would anyone know how I can start this ?

1 Solution

halr9000
Motivator

(Posting a new answer based on your comment.)

PowerShell v2 doesn't have the ConvertFrom-Json cmdlet, and the PowerShell Addon actually requires version 3 as well. Therefore, your next best bet might be to skip scripting altogether and instead just use a regular Splunk file monitor for the json files. You can specify a wildcard in the path, so it will work with the Firefox profile specification. That would work to gather all addons.json files from all profiles, provided the Splunk Forwarder service account has the permission to read the files of course.

Inputs.conf might look like this:

[monitor://C:\Users\*\AppData\Roaming\mozilla\firefox\profiles\*.default\addons.json]

This would need testing, I think there are some gotchas on Windows wildcard support.

Then in Splunk, you can parse the JSON at search time.

Not to say you can't do it in PowerShell, but to parse JSON, you'd need to either do some very heavy regular expressions, or use an external .NET JSON parsing library that works in .NET v2 (which I've done before long ago). Neither is a great option. Better to upgrade to PS v3. 🙂

View solution in original post

halr9000
Motivator

(Posting a new answer based on your comment.)

PowerShell v2 doesn't have the ConvertFrom-Json cmdlet, and the PowerShell Addon actually requires version 3 as well. Therefore, your next best bet might be to skip scripting altogether and instead just use a regular Splunk file monitor for the json files. You can specify a wildcard in the path, so it will work with the Firefox profile specification. That would work to gather all addons.json files from all profiles, provided the Splunk Forwarder service account has the permission to read the files of course.

Inputs.conf might look like this:

[monitor://C:\Users\*\AppData\Roaming\mozilla\firefox\profiles\*.default\addons.json]

This would need testing, I think there are some gotchas on Windows wildcard support.

Then in Splunk, you can parse the JSON at search time.

Not to say you can't do it in PowerShell, but to parse JSON, you'd need to either do some very heavy regular expressions, or use an external .NET JSON parsing library that works in .NET v2 (which I've done before long ago). Neither is a great option. Better to upgrade to PS v3. 🙂

halr9000
Motivator

Sorry, no more time to poke around. Must be a different Windows and/or Firefox version. I suggest finding some firefox-specific resources, then come back here for how to use what you learned in Splunk.

tbalouch
Path Finder

This is actually very strange. I can't find the file that lists all the plugins installed for useres anywhere inside of firefox. Any ideas?

0 Karma

tbalouch
Path Finder

Wow this is great. I was in the process of creating a props.conf and setting this up however i noticed. My desktop doesn't even have a addons.json file. Would there be another file that would have the addon data by any chance?

0 Karma

halr9000
Motivator

First step is to figure out how to do this from the command-line. Looks like the extensions/addons are defined in a JSON file in the user's default profile. The JSON is easy to parse in PowerShell (or Splunk).

Second step is to be sure that the Splunk Addon for Microsoft PowerShell is on all your forwarders. That makes it much easier to invoke PowerShell statements or scripts from inputs.conf.

Here is part of your solution:

$defaultProfilePath = "$env:appdata\mozilla\firefox\profiles\*.default\" # only one should end in "default"
$addonFile = Join-Path -Path $defaultProfilePath -ChildPath "addons.json"

# Read files from JSON and convert to PowerShell objects
# You should put these inside try/catch to handle file not found and output intelligent error to Splunk
$a = Get-Content $addonFile | ConvertFrom-Json

# Write a timestamp (Windows doesn't specify timezone unless you force it, so let's be unambiguous and convert to UTC)
Write-Output (get-date).ToUniversalTime().ToString("u")

# List Addon data
$a.addons | Format-Table name,type,version,id

I just wrote output using Format-Table, which can then be parsed in Splunk using multikv. It would be much simpler at search time in Splunk if you instead use key-value pairs. That's easily done in PowerShell, just make a Foreach-Object loop and build your string in there.

Note that plug-ins (binary code) are not in this list, they are in a file called pluginreg.dat. That file is a bit harder to parse, but certainly doable.

HTH

0 Karma

tbalouch
Path Finder

Any other way to do this without PS 3.0?

0 Karma

halr9000
Motivator

Ahh, bummer! The Addon also requires PS 3.0, so that won't work. Maybe stop by #powershell on FreeNode or Powershell.org forums sometime to chat about making that upgrade happen.

0 Karma

tbalouch
Path Finder

Thanks so much for the detailed answer! Unfortunately the systems I'm supporting are running Powershell 2.0 and are unable to upgrade to Powershell 3.0. That means I won't be able to use the ConvertFrom-Json cmdlet. I get the error "The term 'ConvertFrom-Json' is not recognized as the name of a cmdlet, function, script file, or operable program." I know you mentioned it was possible to parse the json file in Splunk. Would I still need the Powershell addon? Also would you be able to show me and example on how it can be done in Splunk?

0 Karma
Get Updates on the Splunk Community!

Federated Search for Amazon S3 | Key Use Cases to Streamline Compliance Workflows

Modern business operations are supported by data compliance. As regulations evolve, organizations must ...

New Dates, New City: Save the Date for .conf25!

Wake up, babe! New .conf25 dates AND location just dropped!! That's right, this year, .conf25 is taking place ...

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...