Splunk Enterprise

How to install Splunk UFs on Windows centrally and securely?

Zhanali
Path Finder

Hi, all! We want to install Splunk UFs on about 200 Windows servers; the process should be centralized and secure.
1. We tried installing with a .bat script with the required fields such as LOGON_USERNAME, LOGON_PASSWORD, etc. But therein lies the problem: anyone can see the user credentials.
2. Then we tried changing the .msi installer file properties, but the same problem applies: anyone can open the .msi file with an MSI editor and see the credentials.

We want to install the Splunk UF centrally, so that no one can see or get the credentials.

Can you recommend any way to realize this process?

0 Karma
1 Solution

Zhanali
Path Finder

Hi all! We solved this problem with a PowerShell script using PSSession. You can change it according to your requirements. I will be glad if this solution helps anyone!

 

#
#Prerequisites:
#-Powershell modules for AD
#-Firewall access via ports tcp\5985 and tcp\5986
#-Computer Administrator permissions on remote host
#-Upgrade Powershell to latest version


#CHANGE THE COMPUTER LIST BY REQUIREMENT
#SELECT BY NAME:
#$L3 = Get-ADComputer -Filter {Name -eq 'Computer_1' -or Name -eq 'Computer_2'} | select Name 
#SELECT BY OU:
$L3 = Get-ADComputer -Filter * -SearchBase "OU=windows-pc, DC=it, DC=com" | select Name

$missed = @()
$folder = @()
$manual = @()
$installed = @()
$report = @()

$L3 = $L3.Name
$count = 0
$count = $L3.Count
Write-Host "Ready to start on $count computers"
Write-Host ""
foreach ($line in $L3)
{
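    $obj = New-Object -TypeName psobject
    #Reset per host so the previous host's version is not reported for this one
    $installed_version = $null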
    $pssession = New-PSSession -ComputerName $line -ErrorAction SilentlyContinue
    if ($pssession)
    {
        Write-Host "Checking host $line"
        $check = Invoke-Command -Session $pssession -ScriptBlock {$service = Get-CimInstance Win32_Service -Filter 'Name = "SplunkForwarder"' | select SystemName, Name, PathName, Status, State; New-Object -TypeName PSCustomObject -Property @{SystemName = $service.SystemName; Name = $service.Name; PathName = $service.PathName; Status = $service.Status; State = $service.State }} -ErrorAction SilentlyContinue
        if($check)
        {
             
            if($check.PathName -notlike "*C:\*" -and $check.PathName -ne $null)
            {
                    
                $folder += $line
            }
            if($check.PathName -eq $null)
            {
                $missed += $line
            }
            if ($check.PathName -like "*C:\Program Files\SplunkUniversalForwarder*")
            {
                $installed_version = Invoke-Command -Session $pssession -ScriptBlock { C:\windows\system32\cmd.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" version }
            }
            Add-Member -InputObject $obj -MemberType NoteProperty -Name "ComputerName" -Value $check.PSComputerName
            Add-Member -InputObject $obj -MemberType NoteProperty -Name "Service" -Value $check.Name
            Add-Member -InputObject $obj -MemberType NoteProperty -Name "Status" -Value $check.Status
            Add-Member -InputObject $obj -MemberType NoteProperty -Name "State" -Value $check.State
            Add-Member -InputObject $obj -MemberType NoteProperty -Name "Version" -Value $installed_version
            Add-Member -InputObject $obj -MemberType NoteProperty -Name "Path" -Value $check.PathName

            $report += $obj
        
        }
 
        Remove-PSSession $pssession
    }
    else
    {
        $manual += $line
    }
}

$report | select * | ft

Write-Host "Missed SplunkForwarder :" -ForegroundColor Yellow 
$missed
if ($missed)
{
    Write-Host "Would you like to install Splunk Forwarder to the missed computers?[yes/no]"
    $answer = Read-Host
    if ($answer -eq "yes")
    {
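		#ENTER THE CREDENTIALS OF THE DOMAIN USER WHO WILL RUN SPLUNK FORWARDER
		$user = Read-Host "Enter domain user name in the format domain\username"
		$securePwd = Read-Host "Enter password of domain user" -AsSecureString
		#msiexec needs the password as plain text; zero and free the unmanaged copy after conversion
		$bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($securePwd)
		try { $pass = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
		finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }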
		
        foreach ($line in $missed)
        {
			$Session = New-PSSession -ComputerName $line -ErrorAction SilentlyContinue
            if ($Session)
            {
				Write-Host ""
                #CHANGE FILE LOCATION IF REQUIRED
				Write-Host "Copy to host $line"
                #Path is quoted so the <your_domain> placeholders are not parsed as redirection operators
                Copy-Item -Path "\\<your_domain>\SYSVOL\<your_domain>\splunk\splunkforwarder-9.0.4-de405f4a7979-x64-release.msi" -Destination "C:\Users\Public\Documents" -ToSession $Session
				Write-Host "Installing to host $line"
                Invoke-Command -Session $Session -ScriptBlock {
					Start-Process -FilePath "$env:systemroot\system32\msiexec.exe" -ArgumentList "/i `"C:\Users\Public\Documents\splunkforwarder-9.0.4-de405f4a7979-x64-release.msi`" LOGON_USERNAME=`"$using:user`" LOGON_PASSWORD=`"$using:pass`" SPLUNKUSERNAME=admin DEPLOYMENT_SERVER=`"<deployment_server_IP>:8089`" AGREETOLICENSE=yes GENRANDOMPASSWORD=1 /quiet" -Wait
				}
                #Invoke-Command -Session $Session -ScriptBlock { Start-Service SplunkForwarder }
                Remove-PSSession $Session
            }
        }
    }
}

Write-Host ""
Write-Host "Installed to D drive SplunkForwarder :" -ForegroundColor White -BackgroundColor DarkBlue
$folder 

Write-Host ""
Write-Host "Check Manually :" -ForegroundColor White -BackgroundColor Red
$manual

Write-Host ""
Write-Host ""
Write-Host ""
read-host "Press ENTER to end work..."

 


0 Karma
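
A variant of the install step from the answer above, as an added example that is not the poster's code: it takes the service account as a PSCredential, stages the MSI in a directory standard users cannot write to, and checks its Authenticode signature and SHA-256 before running msiexec. The staging folder name `SplunkUFStage` and the `*Splunk*` signer pattern are assumptions; `$missed`, the MSI path and the msiexec properties are the ones used in the script.

```powershell
# Added example, not the poster's code. $missed is the host list built by the script above.
$msiSource = '\\<your_domain>\SYSVOL\<your_domain>\splunk\splunkforwarder-9.0.4-de405f4a7979-x64-release.msi'
$msiName   = Split-Path $msiSource -Leaf
# Pin the hash of the share copy so a file swapped on the target is rejected
$wantHash  = (Get-FileHash -Path $msiSource -Algorithm SHA256).Hash
# PSCredential holds the password as a SecureString, which PowerShell remoting encrypts in transit
$cred = Get-Credential -Message 'Domain account that will run SplunkForwarder'

foreach ($computer in $missed) {
    $session = New-PSSession -ComputerName $computer -ErrorAction SilentlyContinue
    if (-not $session) { Write-Warning "No session to $computer"; continue }
    try {
        # Stage under Program Files (assumed folder name): standard users cannot write there
        $stage = Invoke-Command -Session $session -ErrorAction Stop -ScriptBlock {
            (New-Item -ItemType Directory -Force -Path (Join-Path $env:ProgramFiles 'SplunkUFStage')).FullName
        }
        Copy-Item -Path $msiSource -Destination $stage -ToSession $session -Force
        $exit = Invoke-Command -Session $session -ErrorAction Stop -ScriptBlock {
            $msi = Join-Path $using:stage $using:msiName
            try {
                $sig = Get-AuthenticodeSignature -FilePath $msi
                # Signer pattern is an assumption; compare against a known-good installer
                if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notlike '*Splunk*') {
                    throw "Signature check failed: $($sig.Status)"
                }
                if ((Get-FileHash -Path $msi -Algorithm SHA256).Hash -ne $using:wantHash) { throw 'Hash mismatch' }
                $c = $using:cred
                # Plain text is produced only here, on the target, at the moment msiexec starts
                $msiArgs = "/i `"$msi`" LOGON_USERNAME=`"$($c.UserName)`" LOGON_PASSWORD=`"$($c.GetNetworkCredential().Password)`" SPLUNKUSERNAME=admin DEPLOYMENT_SERVER=`"<deployment_server_IP>:8089`" AGREETOLICENSE=yes GENRANDOMPASSWORD=1 /quiet"
                (Start-Process -FilePath "$env:SystemRoot\System32\msiexec.exe" -ArgumentList $msiArgs -Wait -PassThru).ExitCode
            }
            finally { Remove-Item -LiteralPath $msi -Force -ErrorAction SilentlyContinue }
        }
        Write-Host "$computer : msiexec exit code $exit"
    }
    catch { Write-Warning "$computer : $($_.Exception.Message)" }
    finally { Remove-PSSession $session }
}
```

LOGON_PASSWORD is still passed on the msiexec command line on the target, so hosts that include command lines in process-creation events (event ID 4688) will record it; restrict access to those logs accordingly.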
