Install and configure the Splunk Universal Forwarder using PowerShell DSC for SplunkCloud.com. Contains additional script functions to manage the Universal Forwarder as well as to configure DNS debug logging.
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned
Note: RemoteSigned runs locally created scripts unsigned but refuses scripts that still carry the Internet zone marker. If the extracted .ps1 files were downloaded, clear that marker (Unblock-File) before running them.
$cred = (Get-Credential)
Note: Use an account that has local administrator rights on every target endpoint. This credential is used for the WinRM/CIM sessions in all of the steps below.
Step Summary: Obtain a list of systems where the Splunk Universal Forwarder needs to be installed and/or upgraded.
You can use the Get-GVRSecurityToolsInstallStatus function in the GVRSecurityModule to identify the installation status of Splunk and Carbon Black.
Note: This function queries the WMI class Win32_Product on each system.
Enumerating Win32_Product is slow by design: Windows Installer runs a consistency check on every registered product (and may trigger repairs) while the class is enumerated, so depending on the number of installed applications and network latency this command may take a considerable time for some systems. Please be patient. Reading the Uninstall registry keys or checking for the SplunkForwarder service are faster options if you need to speed things up.
Example 1: To query all DCs in the domain "child.domain.local"
$dclist = get-addomain child.domain.local | % replicadirectoryservers
$status = Get-GVRSecurityToolsInstallStatus -Computername $dclist -Credential $cred -Verbose
$status | export-csv C:\temp\securitytoolstatus.csv -NoTypeInformation
Example 2: Query only a specific host
$status = Get-GVRSecurityToolsInstallStatus -Computername dc01.domain.local -Credential $cred -Verbose
$status | FT -auto
Example 3: List only the hosts that do not have the SplunkUniversalForwarder installed
$status = Get-GVRSecurityToolsInstallStatus -Computername $dclist -Credential $cred -Verbose
$notinstalled = $status | ? SplunkInstalled -like "False"
$notinstalled | ft -auto
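The following is an added example, not part of the GVRSecurityModule: the faster install-status check mentioned above, reading the Uninstall registry keys and the service table over PowerShell remoting instead of enumerating Win32_Product. It assumes WinRM is enabled on the targets, that $cred has local admin rights there, that the forwarder registers an Uninstall entry whose DisplayName contains "UniversalForwarder" and a service named SplunkForwarder (verify both on one known-good host first). The function and property names are hypothetical and only mirror the shape of the module's output.

```powershell
# Added example (not from the GVRSecurityModule): install status via registry + service
# table, which avoids the Win32_Product consistency-check side effect and is much faster.
function Get-SplunkUFInstallStatus {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [Parameter(Mandatory)][pscredential]$Credential
    )
    $remote = {
        $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
        # Assumption: the forwarder MSI registers with a DisplayName containing "UniversalForwarder"
        $app = Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
               Where-Object { $_.DisplayName -like '*UniversalForwarder*' } |
               Select-Object -First 1
        # Assumption: the forwarder's Windows service is named SplunkForwarder
        $svc = Get-Service -Name SplunkForwarder -ErrorAction SilentlyContinue
        [pscustomobject]@{
            ComputerName    = $env:COMPUTERNAME
            SplunkInstalled = [bool]$app
            SplunkVersion   = if ($app) { $app.DisplayVersion } else { $null }
            InstallLocation = if ($app) { $app.InstallLocation } else { $null }
            ServiceState    = if ($svc) { $svc.Status.ToString() } else { 'NotPresent' }
        }
    }

    # Fan out to all hosts in parallel; collect connection failures instead of dropping hosts
    $results = Invoke-Command -ComputerName $ComputerName -Credential $Credential `
        -ScriptBlock $remote -ErrorAction SilentlyContinue -ErrorVariable remoteErrors

    foreach ($r in $results) {
        $r | Select-Object ComputerName, SplunkInstalled, SplunkVersion, InstallLocation, ServiceState
    }
    foreach ($e in $remoteErrors) {
        # For WinRM connection errors TargetObject is normally the computer name
        $target = if ($e.TargetObject) { "$($e.TargetObject)" } else { 'unknown' }
        [pscustomobject]@{
            ComputerName    = $target
            SplunkInstalled = $null
            SplunkVersion   = $null
            InstallLocation = $null
            ServiceState    = "Unreachable: $($e.Exception.Message)"
        }
    }
}

# Usage, same shape as the Get-GVRSecurityToolsInstallStatus examples:
# $dclist = Get-ADDomain child.domain.local | % ReplicaDirectoryServers
# Get-SplunkUFInstallStatus -ComputerName $dclist -Credential $cred |
#     Where-Object { -not $_.SplunkInstalled } | Format-Table -AutoSize
```

Hosts that could not be contacted are returned with SplunkInstalled set to $null rather than $false, so they do not silently end up in the "needs install" list.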
Step Summary: Uninstall existing versions of the Splunk Universal Forwarder
Currently the DSC installation resource does not perform an upgrade. To install the latest version of the Universal Forwarder, please remove any previous versions first.
You can use the function Uninstall-SplunkUniversalForwarder to automatically remove the Splunk Universal Forwarder from a remote machine. Again, be aware that this uses the WMI class Win32_Product and may take some time to complete. Please be patient.
Example: Remove Splunk from a list of servers (one per line) in a text file
$list = get-content C:\temp\listofserverstoremovesplunk.txt
Uninstall-SplunkUniversalForwarder -ComputerName $list -Credential $cred
Step Summary: Use Desired State Configuration (DSC) to install and configure the Splunk Universal Forwarder
Note: Extract the .ps1 files in GVRSPlunkInstall.zip to a directory. The examples in this document use C:\Temp\DSC as the base directory. All relative paths assume that you are currently in the base directory where the scripts reside.
Having a basic understanding of PowerShell DSC will be helpful in troubleshooting any issues. Below are some resources that provide basic information regarding DSC:
Create an SMB share that every target endpoint can reach, for example:
\\hostname.domain.com\DSC
Create 2 subfolders: DSCResources and Install
\\hostname.domain.com\DSC\DSCResources
\\hostname.domain.com\DSC\Install
Set the share and NTFS permissions. These DSC resources do not pass credentials for share access: the File resource runs under the Local Configuration Manager as Local System, so each endpoint authenticates to the share with its own computer account. Grant the endpoints' computer accounts (Domain Computers, or a group containing just the DC computer accounts) read access only, and limit write access to the administrators who stage the files, because everything placed in this share is later executed as SYSTEM on every target.
Install the PSDscResources module on the workstation you will push from, and confirm it is available:
install-module PSDscResources
Get-Module PSDscResources -ListAvailable
Copy the PSDscResources module folder (the path reported by Get-Module) into the \DSCResources folder created earlier. Then use DSC to copy the PSDscResources module to all target endpoints:
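Added example, not one of the scripts in GVRSPlunkInstall.zip: creating the share described above with least-privilege permissions, run on the file server as an administrator. It assumes the local folder C:\DSC, a hypothetical DSC-Admins group for the people who stage files, Domain Computers as the read-only group for the endpoints, and that $env:USERDOMAIN resolves to the domain's NetBIOS name (true when run as a domain account); change these to match your environment.

```powershell
# Added example (not from GVRSPlunkInstall.zip): least-privilege DSC share.
# The DSC File resource runs as Local System on the target, so the target's computer
# account is what authenticates here; endpoints get read-only, staging admins get write.
param(
    [string]$Root       = 'C:\DSC',
    [string]$ShareName  = 'DSC',
    [string]$Domain     = $env:USERDOMAIN,      # assumption: NetBIOS domain name
    [string]$AdminGroup = 'DSC-Admins',         # hypothetical group that stages the files
    [string]$ReadGroup  = 'Domain Computers'    # or a group holding only the DC computer accounts
)

# 1. Folder layout matching the document: \DSC, \DSC\DSCResources, \DSC\Install
foreach ($dir in $Root, "$Root\DSCResources", "$Root\Install") {
    New-Item -ItemType Directory -Path $dir -Force | Out-Null
}

# 2. NTFS: stop inheriting from C:\ (whose default ACL lets ordinary users create files),
#    then grant SYSTEM/Administrators full control, staging admins Modify, endpoints Read.
$acl = Get-Acl -Path $Root
$acl.SetAccessRuleProtection($true, $false)   # protect from inheritance, discard inherited rules
$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None
$grants = @(
    @{ Identity = 'NT AUTHORITY\SYSTEM';    Rights = 'FullControl'    },
    @{ Identity = 'BUILTIN\Administrators'; Rights = 'FullControl'    },
    @{ Identity = "$Domain\$AdminGroup";    Rights = 'Modify'         },
    @{ Identity = "$Domain\$ReadGroup";     Rights = 'ReadAndExecute' }
)
foreach ($g in $grants) {
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $g.Identity, $g.Rights, $inherit, $propagate, 'Allow'
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $Root -AclObject $acl

# 3. Share permissions mirror the NTFS grants (the effective right is the more restrictive
#    of the two). EncryptData enables SMB 3 encryption so the MSI cannot be tampered with
#    on the wire; targets must support SMB 3.0 (Windows Server 2012 or later).
if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $ShareName -Path $Root `
        -FullAccess   'BUILTIN\Administrators' `
        -ChangeAccess "$Domain\$AdminGroup" `
        -ReadAccess   "$Domain\$ReadGroup" `
        -EncryptData  $true | Out-Null
}

# 4. Show the result so it can be checked against the intent above
Get-SmbShareAccess -Name $ShareName | Format-Table -AutoSize
(Get-Acl -Path $Root).Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
```

Note that Everyone, Authenticated Users and Domain Users are deliberately absent from both the NTFS and the share ACL; a user who can write to this share can get code executed as SYSTEM on every domain controller in the next push.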
Notes: PowerShell DSC in push mode requires 2 steps to complete a deployment:
1. Compile the configuration script into one MOF file per target endpoint. The DSC_Splunk_*.ps1 scripts do this; for the copy step they write one file per host into .\CopyDSCResources, for example:
C:\temp\DSC\CopyDSCResources\myhost1.domain.local.mof
C:\temp\DSC\CopyDSCResources\myhost2.domain.local.mof
2. Push the MOF files with Start-DscConfiguration, which connects to each endpoint over WinRM/CIM with the supplied credential and applies that endpoint's MOF.
To review help and see Parameter requirements:
cd C:\Temp\DSC
get-help .\DSC_Splunk_CopyDSCResources.ps1 -Detailed
EXAMPLE:
cd C:\temp\DSC
# Define the source folder and systems on which to execute
$serverlist = get-content C:\temp\server_list.txt
$Path = '\\hostname.domain.com\DSC\DSCResources'
# Execute the script to create the MOF files
.\DSC_Splunk_CopyDSCResources.ps1 -ComputerName $serverlist -Path $Path
Invoke the DSC configuration and copy the Module to all target endpoints.
EXAMPLE:
# Create the PSCredential object - local or domain credential with admin access to the endpoints
$cred = get-credential
# Start the DSC configuration.
Start-DscConfiguration .\CopyDSCResources\ -Credential $cred -Wait -Verbose -Force
Universal Forwarder Install: Use DSC to copy the install files to the endpoints, then install and configure the Universal Forwarder.
Create the MOF files for the DSC Installation Configuration:
cd C:\Temp\DSC
get-help .\DSC_Splunk_InstallSplunkUniversalForwarder.ps1 -Detailed
EXAMPLE:
cd C:\temp\dsc
# Set the variables for the required Parameters
$serverlist = get-content C:\temp\serverlist.txt
$cred = get-credential
# Full UNC path to the msi and spl files. Use SMB folder defined earlier
$msipath = '\\hostname.domain.com\DSC\Install\splunkforwarder-7.1.0-2e75b3406c5b-x64-release.msi'
$splpath = '\\hostname.domain.com\DSC\Install\splunkclouduf-14Jun2018.spl'
# Path to the temporary folder on the endpoint where the files are copied and executed.
# Pick a folder that non-administrators cannot write to: the MSI is run from here as SYSTEM,
# so a user-writable folder lets a local user swap the installer between copy and execution.
$destpath = 'C:\temp' # Warning: Do NOT include '\' at the end of the path
# Create the MOF Files in .\SplunkInstallation directory for each target endpoint
.\DSC_Splunk_InstallSplunk.ps1 -ComputerName $serverlist -MSIPath $msipath -DestinationPath $destpath -SPLPath $splpath
Install UniversalForwarder: Start DSC configuration:
Start-DscConfiguration .\SplunkInstallation -Credential $cred -Verbose -Wait -Force
Review output and address errors as needed.
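Two checks that belong around the push, as an added example that is not part of GVRSPlunkInstall.zip: before the MOFs are created, verify that the MSI on the share carries a valid Authenticode signature from the expected publisher and record its SHA-256, since DSC will execute it as SYSTEM on every target; after Start-DscConfiguration, confirm that each node reports itself in the desired state and that the forwarder service is running. Assumptions: WinRM is enabled, the forwarder service is named SplunkForwarder, and the signer subject contains "Splunk Inc." (check the subject on your own copy of the MSI before relying on it). Function names are hypothetical.

```powershell
# Added example (not from GVRSPlunkInstall.zip): pre-flight and post-deploy checks.

function Test-InstallerIntegrity {
    param(
        [Parameter(Mandatory)][string]$MsiPath,
        [string]$ExpectedSha256,                  # from the vendor download page, if available
        [string]$ExpectedSigner = 'CN=Splunk Inc.' # assumption: verify against your own MSI
    )
    $sig  = Get-AuthenticodeSignature -FilePath $MsiPath
    $hash = (Get-FileHash -Path $MsiPath -Algorithm SHA256).Hash
    $result = [pscustomobject]@{
        Path          = $MsiPath
        Sha256        = $hash
        SignatureOK   = ($sig.Status -eq 'Valid')
        Signer        = $sig.SignerCertificate.Subject
        SignerMatches = ($sig.SignerCertificate.Subject -like "*$ExpectedSigner*")
        # $null when no expected hash was supplied, $true/$false otherwise
        HashMatches   = if ($ExpectedSha256) { $hash -eq $ExpectedSha256 } else { $null }
    }
    if (-not $result.SignatureOK -or -not $result.SignerMatches -or $result.HashMatches -eq $false) {
        throw "Refusing to deploy ${MsiPath}: $($result | Out-String)"
    }
    $result
}

function Test-SplunkUFDeployment {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [Parameter(Mandatory)][pscredential]$Credential
    )
    foreach ($node in $ComputerName) {
        $inDesiredState = $null; $svcState = 'Unknown'; $err = $null
        try {
            # Re-runs the Test method of every resource in the MOF the node last applied
            $inDesiredState = Test-DscConfiguration -ComputerName $node -Credential $Credential -ErrorAction Stop
            $svcState = Invoke-Command -ComputerName $node -Credential $Credential -ErrorAction Stop -ScriptBlock {
                # Assumption: the forwarder's Windows service is named SplunkForwarder
                (Get-Service -Name SplunkForwarder -ErrorAction SilentlyContinue).Status
            }
            if (-not $svcState) { $svcState = 'NotPresent' }
        } catch {
            $err = $_.Exception.Message
        }
        [pscustomobject]@{
            ComputerName   = $node
            InDesiredState = $inDesiredState
            ServiceState   = "$svcState"
            Error          = $err
        }
    }
}

# Usage, with the variables from the installation step above:
# Test-InstallerIntegrity -MsiPath $msipath -ExpectedSha256 '<sha256 from the download page>'
# ... create the MOFs and run Start-DscConfiguration ...
# Test-SplunkUFDeployment -ComputerName $serverlist -Credential $cred | Format-Table -AutoSize
```

Test-InstallerIntegrity throws rather than returning $false so that a scripted deployment stops before the MOFs are even generated; the hash it returns is worth keeping with the change record so a later audit can show exactly which binary was pushed.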
Use these functions and scripts to validate Splunk Universal Forwarder connectivity to the Splunk Cloud forward servers. Also use them to configure DNS debug logging on remote systems and validate the DNS debug settings.
# List the forward servers that are active or configured on remote hosts
Test-SplunkForwardServers -ComputerName host1.domain.com -Credential $cred
#Verify that DNS Debug Logging is configured
$list = get-addomain | % replicadirectoryservers
$logging = Get-GVRDNSDebugLogging -ComputerName $list -Credential $cred
$logging | ft -auto
#Set DNS Debug Logging on target endpoints using default settings
Set-GVRDNSDebugLogging -ComputerName myhost.domain.com -Credential $cred
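The two checks above, as an added example written against standard cmdlets rather than the GVRSecurityModule (this is not the module's code). The first reads the merged outputs.conf on each forwarder with splunk btool, which only parses config files and so needs no splunkd login, and tests TCP reachability of every configured forward server. The second compares each DNS server's diagnostics to a baseline and, optionally, remediates drift with Set-DnsServerDiagnostics. Assumptions: WinRM is enabled, the forwarder is installed under the default C:\Program Files\SplunkUniversalForwarder, the DnsServer module is present on the DCs, and the baseline below is the setting set you want (adjust it to match what Set-GVRDNSDebugLogging applies in your environment). Function names are hypothetical.

```powershell
# Added example (not from the GVRSecurityModule): forward-server reachability and
# DNS debug-logging drift, both over PowerShell remoting.

function Test-SplunkUFOutputs {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [Parameter(Mandatory)][pscredential]$Credential,
        [string]$SplunkHome = 'C:\Program Files\SplunkUniversalForwarder'  # default install path
    )
    Invoke-Command -ComputerName $ComputerName -Credential $Credential -ArgumentList $SplunkHome -ScriptBlock {
        param($splunkHome)
        $exe = Join-Path $splunkHome 'bin\splunk.exe'
        # btool prints the merged [tcpout...] stanzas ini-style; the Splunk Cloud .spl
        # contributes the "server = host:port, host:port" line we care about.
        $lines = & $exe btool outputs list tcpout 2>&1 | ForEach-Object { "$_".Trim() }
        $servers = foreach ($l in $lines) {
            if ($l -match '^server\s*=\s*(.+)$') { $Matches[1] -split '\s*,\s*' }
        }
        $checks = foreach ($s in @($servers | Where-Object { $_ })) {
            $h, $p = $s -split ':'
            $ok = Test-NetConnection -ComputerName $h -Port ([int]$p) -InformationLevel Quiet -WarningAction SilentlyContinue
            [pscustomobject]@{ Server = $s; Reachable = [bool]$ok }
        }
        [pscustomobject]@{
            ComputerName = $env:COMPUTERNAME
            Configured   = @($checks).Count
            Reachable    = @($checks | Where-Object Reachable).Count
            Unreachable  = (@($checks | Where-Object { -not $_.Reachable }).Server -join ',')
        }
    }
}

function Get-DnsDebugLoggingDrift {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [Parameter(Mandatory)][pscredential]$Credential,
        [switch]$Remediate,
        # Assumed baseline: log queries and answers in both directions over UDP and TCP to a file
        [hashtable]$Baseline = @{
            EnableLoggingToFile = $true; Queries = $true; Answers = $true
            SendPackets = $true; ReceivePackets = $true; UdpPackets = $true; TcpPackets = $true
        }
    )
    Invoke-Command -ComputerName $ComputerName -Credential $Credential -ArgumentList $Baseline, [bool]$Remediate -ScriptBlock {
        param($baseline, $remediate)
        $d = Get-DnsServerDiagnostics
        $drift = @(foreach ($k in $baseline.Keys) { if ($d.$k -ne $baseline[$k]) { "$k=$($d.$k)" } })
        if ($remediate -and $drift.Count -gt 0) {
            Set-DnsServerDiagnostics @baseline     # keys match the cmdlet's parameter names
            $d = Get-DnsServerDiagnostics
            $drift = @(foreach ($k in $baseline.Keys) { if ($d.$k -ne $baseline[$k]) { "$k=$($d.$k)" } })
        }
        [pscustomobject]@{
            ComputerName  = $env:COMPUTERNAME
            LogFilePath   = $d.LogFilePath
            MaxMBFileSize = $d.MaxMBFileSize
            Compliant     = ($drift.Count -eq 0)
            Drift         = ($drift -join ';')
        }
    }
}

# Usage:
# Test-SplunkUFOutputs -ComputerName host1.domain.com -Credential $cred
# $list = Get-ADDomain | % ReplicaDirectoryServers
# Get-DnsDebugLoggingDrift -ComputerName $list -Credential $cred | Format-Table -AutoSize
# Get-DnsDebugLoggingDrift -ComputerName $list -Credential $cred -Remediate
```

A forwarder with Configured greater than zero but Reachable equal to zero usually means an egress firewall or proxy is blocking port 9997 outbound from the DC, which the install itself will not reveal; the DNS check reports the exact properties that differ so the output can be fed straight into a ticket or a scheduled compliance run.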