TIPS & TRICKS

Install Splunk with PowerShell (2014 Edition)

Last week one of our avid Twitter followers asked how to reliably install the Splunk Universal Forwarder on a Windows host with PowerShell. I’ve posted about all the intricacies involved before, but improvements in open-source tools for PowerShell have made it a whole lot easier. You can take a look at the original article, but follow along here instead; we’re going to walk through what’s involved.

Installing as the Local SYSTEM account is easy. Here is the recipe:

Invoke-Command -ComputerName S1,S2,S3 -ScriptBlock { `
    New-PSDrive -Name S -Root \\SPLUNK\Files -PSProvider FileSystem; `
    Start-Process S:\splunkforwarder-6.1.1-207789-x64-release.msi `
        -Wait -Verbose -ArgumentList ( `
            "AGREETOLICENSE=`"Yes`"", `
            "DEPLOYMENT_SERVER=`"SPLUNKDEPLOY:8089`"", `
            "/Liwem!", "C:\splunkinstall.log" ) `
}

Let’s recap what you need to do to install a Splunk Universal Forwarder on a Windows host as a domain user:

  1. Add a new service account for the domain user
  2. Prepare the host to run Splunk
  3. Install the Splunk Universal Forwarder with the MSI

Step 1 can be a one-time activity if you run all your Splunk Universal Forwarders as the same user, so let’s do that first. PowerShell 3 comes with Active Directory cmdlets for this. I like to place my service accounts in an organizational unit called “OU=Service Accounts” off the top-level domain structure. You can use the following command:

New-ADUser -Name svc_splunk -SamAccountName svc_splunk `
    -Description "Service:Splunk UF" `
    -DisplayName "Service:Splunk UF" `
    -Path "OU=Service Accounts,DC=splk,DC=com" `
    -AccountPassword (Read-Host -AsSecureString "Account Password") `
    -CannotChangePassword:$true `
    -ChangePasswordAtLogon:$false `
    -PasswordNeverExpires:$true `
    -PasswordNotRequired:$false `
    -SmartcardLogonRequired:$false `
    -Enabled:$true

This is fairly basic stuff for the modern domain admin; the important thing to note is that you are prompted for a password, and you will need it later. Aside from that, you may need to open some firewall holes if you have the Windows Firewall enabled: ports 8089 and 9997 (or whatever your receiving port is) on the outbound side. If I need to do it, I do it everywhere via a group policy.

Now comes the complicated part. Preparing the host to run Splunk means giving the svc_splunk user a lot of privileges. Specifically, you need to add the user to the local Administrators group and grant the user specific OS-level rights. This used to be really complicated, but we are going to simplify it by using a set of open-source utilities called Carbon (you can download Carbon at http://get-carbon.org). Download the Carbon package and install it as directed on the website. I placed mine in my WindowsPowerShell\Modules directory so that it is always available. It is that useful.

Let’s take a look at adjusting those permissions the new way. First up is adding my service account to the Administrators group. This was already fairly easy, but with Carbon it’s even easier:

Add-GroupMember -Name "Administrators" -Member DOMAIN\svc_splunk

Adjusting the local security policy used to keep me up at night. It was fraught with peril. With Carbon, this is now easy:

Grant-Privilege -Identity DOMAIN\svc_splunk -Privilege `
    @( 'SeTcbPrivilege', 'SeChangeNotifyPrivilege', 'SeBatchLogonRight',
       'SeServiceLogonRight', 'SeAssignPrimaryTokenPrivilege' )

The only gotcha here is that the privilege names are case-sensitive, so be careful. Once we have done this, the host preparation is complete. Now all we need to do is install the binaries and register the service. I do this via the MSI installer with:

New-PSDrive -Name S -Root \\SPLUNK\Files -PSProvider FileSystem
Start-Process S:\splunkforwarder-6.1.1-207789-x64-release.msi `
    -Wait -Verbose -ArgumentList ( `
        "AGREETOLICENSE=`"Yes`"", `
        "LOGON_USERNAME=`"DOMAIN\svc_splunk`"", `
        "LOGON_PASSWORD=`"MyPasswordHere`"", `
        "DEPLOYMENT_SERVER=`"SPLUNKDEPLOY:8089`"", `
        "/Liwem!", "C:\splunkinstall.log" )

Note that I put the complete, fully-qualified path to the MSI here; it is important, since msiexec seems to break without it. I also set up a CNAME in DNS for the deployment server, which lets me point it anywhere I want. This is the same command I use to install as Local SYSTEM, with the additional parameters that specify the domain user.

Script it? Why, certainly. I just put the commands (including an “Import-Module Carbon”) into a ps1 script and put it on \\SPLUNK\Files. Now I can do this:

Invoke-Command -ComputerName S1,S2,S3 -ScriptBlock { `
    New-PSDrive -Name S -Root \\SPLUNK\Files -PSProvider FileSystem; `
    S:\InstallUniversalForwarder.ps1 }
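Here is a version of that ps1 script written out as an added example (it is not the post's own script): it takes the password as a SecureString instead of embedding it, calls msiexec.exe directly so the exit code is checked, adds /qn for an unattended install, and verifies the resulting service afterwards. The script name, parameter names and defaults are my assumptions; it assumes Carbon is installed on the target host and that the host can read the MSI path it is given (from inside an Invoke-Command session that means the share must be reachable with the session's credentials).

```powershell
# InstallUniversalForwarder.ps1 (hypothetical name, added example)
param(
    [Parameter(Mandatory)] [string] $MsiPath,          # e.g. S:\splunkforwarder-6.1.1-207789-x64-release.msi
    [Parameter(Mandatory)] [string] $ServiceAccount,   # e.g. DOMAIN\svc_splunk
    [Parameter(Mandatory)] [securestring] $Password,
    [Parameter(Mandatory)] [string] $DeploymentServer, # e.g. SPLUNKDEPLOY:8089
    [string] $LogPath = 'C:\splunkinstall.log'
)
$ErrorActionPreference = 'Stop'
Import-Module Carbon   # assumed to be installed on the target host

# Host preparation: local Administrators membership plus the user rights
# the forwarder service needs. Privilege names are case-sensitive.
Add-GroupMember -Name 'Administrators' -Member $ServiceAccount
Grant-Privilege -Identity $ServiceAccount -Privilege @(
    'SeTcbPrivilege', 'SeChangeNotifyPrivilege', 'SeBatchLogonRight',
    'SeServiceLogonRight', 'SeAssignPrimaryTokenPrivilege')

# The MSI's LOGON_PASSWORD property only accepts plain text, so decrypt the
# SecureString just before the install call and drop the references right
# after. (The value is still visible on msiexec's command line while it runs.)
$bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Password)
try {
    $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
    # Call msiexec directly (rather than the .msi file association) so
    # the exit code can be checked; /qn makes the install unattended.
    $msiArgs = @('/i', "`"$MsiPath`"", '/qn',
        'AGREETOLICENSE=Yes',
        "LOGON_USERNAME=`"$ServiceAccount`"",
        "LOGON_PASSWORD=`"$plain`"",
        "DEPLOYMENT_SERVER=`"$DeploymentServer`"",
        '/Liwem!', "`"$LogPath`"")
    $proc = Start-Process msiexec.exe -ArgumentList $msiArgs -Wait -PassThru
} finally {
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    Remove-Variable plain, msiArgs -ErrorAction SilentlyContinue
}
if ($proc.ExitCode -ne 0) {
    throw "msiexec exited with $($proc.ExitCode); see $LogPath"
}

# Verify the result: the service exists, runs as the intended account
# and is started, so a silent failure does not go unnoticed.
$svc = Get-WmiObject Win32_Service -Filter "Name='SplunkForwarder'"
if (-not $svc) { throw 'SplunkForwarder service was not installed' }
if ($svc.StartName -ne $ServiceAccount) {
    throw "Service runs as $($svc.StartName), expected $ServiceAccount"
}
if ($svc.State -ne 'Running') { Start-Service -Name 'SplunkForwarder' }
```

Run it with the SecureString from Read-Host -AsSecureString (or from a credential object) rather than a literal, so the password never lands in the script or the remoting transcript.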

There is a future here. Desired State Configuration is a newer feature available in PowerShell v4. With it we can check permissions, file locations, and service settings, and handle both install and upgrade within a single configuration. That, however, is a topic for another blog post.

Posted by Splunk