
One of our avid Twitter followers asked last week how to reliably install the Splunk Universal Forwarder on a Windows host with PowerShell. I've posted about all the intricacies involved before, but improvements in open-source tools for PowerShell have made it a whole lot easier. You can take a look at the original article, but follow along here instead; we're going to walk through what's involved.
Installing as the Local SYSTEM user is easy. Here is the recipe:
Invoke-Command -ComputerName S1,S2,S3 -ScriptBlock {
    New-PSDrive -Name S -Root \\SPLUNK\Files -PSProvider FileSystem
    Start-Process S:\splunkforwarder-6.1.1-207789-x64-release.msi `
        -Wait -Verbose -ArgumentList (
            "AGREETOLICENSE=`"Yes`"",
            "DEPLOYMENT_SERVER=`"SPLUNKDEPLOY:8089`"",
            "/Liwem!", "C:\splunkinstall.log"
        )
}
Let’s recap what you need to do to install a Splunk Universal Forwarder on a Windows host as a domain user:
- Add a new service account for the domain user
- Prepare the host to run Splunk
- Install the Splunk Universal Forwarder with the MSI
Step 1 can be a one-time activity if you run all your Splunk Universal Forwarders as the same user, so let's do that first. PowerShell 3 has Active Directory cmdlets for this. I like to place my service accounts in an organizational unit called "OU=Service Accounts" off the top-level domain structure. You can use the following command:
New-ADUser -Name svc_splunk -SamAccountName svc_splunk `
    -Description "Service:Splunk UF" `
    -DisplayName "Service:Splunk UF" `
    -Path "OU=Service Accounts,DC=splk,DC=com" `
    -AccountPassword (Read-Host -AsSecureString "Account Password") `
    -CannotChangePassword:$true `
    -ChangePasswordAtLogon:$false `
    -PasswordNeverExpires:$true `
    -PasswordNotRequired:$false `
    -SmartcardLogonRequired:$false `
    -Enabled:$true
This is fairly basic stuff for the modern domain admin. The important thing to note is that you are prompted for a password; you will need it later. Aside from that, you may need to open up some firewall holes if you have the Windows Firewall enabled: ports 8089 and 9997 (or whatever your receiving port is) on the outbound side. If I need to do it, I do it everywhere via a group policy.
Now comes the complicated part. Preparing the host to run Splunk means giving the svc_splunk user a lot of privileges. Specifically, you need to add the user to the Administrators group and grant the user specific OS-level rights. This used to be really complicated, but we are going to simplify it by using a set of open-source utilities called Carbon (you can download Carbon at http://get-carbon.org). Download the Carbon package and install it as directed on the website. I placed mine in my WindowsPowerShell\Modules directory so that they are always available. They are that useful.
Let’s take a look at adjusting those permissions the new way. First up is adding my service account to the Administrators group. This was already fairly easy, but with Carbon it’s even easier:
Add-GroupMember -Name "Administrators" -Member DOMAIN\svc_splunk
Adjusting the local security policy used to keep me up at night. It was fraught with peril. With Carbon, this is now easy:
Grant-Privilege -Identity DOMAIN\svc_splunk -Privilege @(
    'SeTcbPrivilege', 'SeChangeNotifyPrivilege', 'SeBatchLogonRight',
    'SeServiceLogonRight', 'SeAssignPrimaryTokenPrivilege'
)
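Once the group membership and privileges are in place, it is worth confirming them rather than trusting that the commands succeeded, and also confirming that the account holds nothing beyond the five rights Splunk needs. The following check is an added example, not code from the original post or from Carbon. It assumes Carbon is installed and that its Get-Privilege cmdlet (shipped alongside Grant-Privilege) is available; DOMAIN\svc_splunk is the account name used in the post. Privilege names are compared case-sensitively, because that is how the local security policy treats them.

```powershell
# Added example, not code from the original post or from Carbon. Verifies the host
# preparation: the service account is a local Administrator and holds exactly the
# privileges Splunk needs, flagging anything missing or extra. Assumes Carbon is
# installed and its Get-Privilege cmdlet is available. DOMAIN\svc_splunk is the
# account name used in the post.
Import-Module Carbon

function Test-SplunkHostPrep {
    [CmdletBinding()]
    param(
        [string] $Identity = 'DOMAIN\svc_splunk',

        # LSA privilege names are case-sensitive, so the comparisons below use -cnotcontains.
        [string[]] $RequiredPrivilege = @(
            'SeTcbPrivilege', 'SeChangeNotifyPrivilege', 'SeBatchLogonRight',
            'SeServiceLogonRight', 'SeAssignPrimaryTokenPrivilege'
        )
    )

    # Privileges granted directly to the account by the local security policy.
    $granted = @(Get-Privilege -Identity $Identity)
    $missing = @($RequiredPrivilege | Where-Object { $granted -cnotcontains $_ })
    # Anything beyond the required set is a least-privilege finding worth revoking.
    $extra   = @($granted | Where-Object { $RequiredPrivilege -cnotcontains $_ })

    # Local Administrators membership via ADSI; no extra modules needed on PowerShell 3.
    $group   = [ADSI]'WinNT://./Administrators,group'
    $members = @($group.psbase.Invoke('Members')) | ForEach-Object {
        # Each member's AdsPath looks like WinNT://DOMAIN/svc_splunk.
        $_.GetType().InvokeMember('AdsPath', 'GetProperty', $null, $_, $null)
    }
    $names   = $members -replace '^WinNT://', '' -replace '/', '\'
    $isAdmin = $names -contains $Identity

    [pscustomobject]@{
        Identity          = $Identity
        IsLocalAdmin      = $isAdmin
        MissingPrivileges = $missing
        ExtraPrivileges   = $extra
        Ready             = $isAdmin -and ($missing.Count -eq 0)
    }
}

# Usage on the prepared host:
#   Test-SplunkHostPrep | Format-List
```

Ready is only true when the account is a local Administrator and no required privilege is missing; ExtraPrivileges is reported separately so that an account that has accumulated rights over time shows up without blocking the install.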
The only gotcha here is that the privilege names are case-sensitive, so be careful. Once we have done this, we have completed the host preparation. Now all we need to do is install the binaries and the service. I do this via the MSI installer with:
New-PSDrive -Name S -Root \\SPLUNK\Files -PSProvider FileSystem
Start-Process S:\splunkforwarder-6.1.1-207789-x64-release.msi `
    -Wait -Verbose -ArgumentList (
        "AGREETOLICENSE=`"Yes`"",
        "LOGON_USERNAME=`"DOMAIN\svc_splunk`"",
        "LOGON_PASSWORD=`"MyPasswordHere`"",
        "DEPLOYMENT_SERVER=`"SPLUNKDEPLOY:8089`"",
        "/Liwem!", "C:\splunkinstall.log"
    )
Note that I put the complete, fully-qualified path to the MSI here; it's important, because msiexec seems to break without it. I also set up a CNAME in DNS for the deployment server, which allows me to point it anywhere I want. This is the same command I use to install as the Local SYSTEM user, but with additional parameters to specify the domain user.
Script it? Why, certainly. I just put the commands (including an "Import-Module Carbon") into a .ps1 script and put it on \\SPLUNK\Files. Now I can do this:
Invoke-Command -ComputerName S1,S2,S3 -ScriptBlock {
    New-PSDrive -Name S -Root \\SPLUNK\Files -PSProvider FileSystem
    S:\InstallUniversalForwarder.ps1
}
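The three recipes above (the Local SYSTEM install, the domain-user install, and the scripted Invoke-Command run) can be folded into one function. What follows is an added example, not the post's or Splunk's code, and it differs from the recipes in three deliberate ways. First, the remote session mounts \\SPLUNK\Files with explicit credentials: a remoted session cannot forward your Kerberos ticket to a third machine (the second-hop problem), so without them the share is unreachable from the target. Second, the service-account password is never written into a script on the share; it travels as a PSCredential and is decoded only inside the remote session for the msiexec call. Third, the MSI is copied locally and its Authenticode signature is verified before it runs, which also gives msiexec the fully-qualified local path the post notes it needs. The share, MSI name, deployment server and host names are the post's own; the service name SplunkForwarder and the /quiet switch for an unattended install are my assumptions.

```powershell
# Added example, not code from the original post or from Splunk. Wraps the SYSTEM,
# domain-user and remote scripted installs into one function that keeps the
# service-account password out of any script stored on the share.
# Values carried over from the post: \\SPLUNK\Files, the MSI file name,
# SPLUNKDEPLOY:8089, hosts S1,S2,S3. Assumed: service name 'SplunkForwarder', /quiet.

function Install-SplunkForwarderRemote {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string[]] $ComputerName,

        # Used by the remote session to mount the share. A Kerberos remoting session
        # cannot pass the caller's ticket on to a third machine (the "second hop"),
        # so \\SPLUNK\Files is unreachable unless explicit credentials are supplied.
        [Parameter(Mandatory)] [pscredential] $ShareCredential,

        # Account the forwarder service runs as. Omit it to install as Local SYSTEM.
        [pscredential] $ServiceCredential,

        [string] $ShareRoot        = '\\SPLUNK\Files',
        [string] $MsiName          = 'splunkforwarder-6.1.1-207789-x64-release.msi',
        [string] $DeploymentServer = 'SPLUNKDEPLOY:8089'
    )

    $remote = {
        param($ShareCred, $SvcCred, $Root, $Msi, $Deploy)

        # -Credential on a FileSystem drive (PowerShell 3+) authenticates to the share
        # from the remote host itself, which sidesteps the second-hop problem.
        New-PSDrive -Name S -PSProvider FileSystem -Root $Root -Credential $ShareCred | Out-Null

        # The PSDrive is visible only to PowerShell, not to msiexec, so copy the MSI to
        # a local path first. This also gives msiexec the fully-qualified path it wants.
        $localMsi = Join-Path $env:TEMP $Msi
        Copy-Item -Path ('S:\{0}' -f $Msi) -Destination $localMsi -Force

        # Refuse to run an installer from the share that is not signed and intact.
        $sig = Get-AuthenticodeSignature -FilePath $localMsi
        if ($sig.Status -ne 'Valid') {
            throw ('Refusing to install {0}: signature status is {1}' -f $Msi, $sig.Status)
        }

        $log     = 'C:\splunkinstall.log'
        $msiArgs = @(
            '/i', ('"{0}"' -f $localMsi),
            '/quiet',                                  # unattended; no UI in a remote session
            'AGREETOLICENSE="Yes"',
            ('DEPLOYMENT_SERVER="{0}"' -f $Deploy)
        )
        if ($SvcCred) {
            # The MSI only accepts the password as a plain-text property. It is decoded
            # here, inside the remote session, and exists only for this msiexec call.
            $msiArgs += ('LOGON_USERNAME="{0}"' -f $SvcCred.UserName)
            $msiArgs += ('LOGON_PASSWORD="{0}"' -f $SvcCred.GetNetworkCredential().Password)
        }
        $msiArgs += '/Liwem!', $log

        $proc = Start-Process -FilePath msiexec.exe -ArgumentList $msiArgs -Wait -PassThru

        # Post-install check: exit code 0 is success, 3010 is success with reboot pending.
        $svc   = Get-WmiObject -Class Win32_Service -Filter "Name='SplunkForwarder'"
        $state = if ($svc) { $svc.State } else { 'not installed' }
        $runAs = if ($svc) { $svc.StartName } else { $null }
        [pscustomobject]@{
            ComputerName = $env:COMPUTERNAME
            ExitCode     = $proc.ExitCode
            Installed    = ($proc.ExitCode -in @(0, 3010)) -and ($null -ne $svc)
            ServiceState = $state
            RunsAs       = $runAs
            Log          = $log
        }
    }

    Invoke-Command -ComputerName $ComputerName -ScriptBlock $remote `
        -ArgumentList $ShareCredential, $ServiceCredential, $ShareRoot, $MsiName, $DeploymentServer
}

# Usage: both credentials are prompted for and live only in this session.
#   $share = Get-Credential 'DOMAIN\deploy_user'   # an account with read access to \\SPLUNK\Files
#   $svc   = Get-Credential 'DOMAIN\svc_splunk'
#   Install-SplunkForwarderRemote -ComputerName S1,S2,S3 -ShareCredential $share -ServiceCredential $svc |
#       Format-Table ComputerName, ExitCode, ServiceState, RunsAs
```

Leaving out -ServiceCredential reproduces the first recipe and installs the service as Local SYSTEM; RunsAs in the returned object lets you confirm on each host which identity the SplunkForwarder service actually ended up with.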
There is a future here. Desired State Configuration is a newer feature available in PowerShell v4. With it we can check permissions, file locations, and service settings, and both install and upgrade within a single entity. That, however, is a topic for another blog post.