When you want to get security event data from your Windows endpoints, there exists a myriad of ways to achieve that objective. Here I am going to outline how to deploy the Splunk Universal Forwarder (UF) using a Group Policy Object (GPO). From there, you can configure the agents using a deployment server to ship the logs to a Splunk Indexer.
These are the general steps we will need to perform to complete this task:
- Download the Splunk UF MSI
- Download the Orca Software
- Create an MST File
- Deploy GPO
Once you have all the software downloaded, install and open Orca first, then from the Orca menu select File > Open and navigate to the Splunk UF MSI file. After the file loads, select Transform > New Transform. Next, select the ‘Property’ table in the left pane. In the right pane, change the ‘AGREETOLICENSE’ value to Yes.

Right-click in the right pane and select ‘Add Row’. The properties that need to be created are:
- SPLUNKUSERNAME=splunk_admin
- SPLUNKPASSWORD=stRongPassword
- DEPLOYMENT_SERVER=ds.fakelabs.io:8089
If you decide to run the forwarder under a domain user account, then also create:
- LOGON_USERNAME=Splunk
- LOGON_PASSWORD=stRongPassword
The results should look similar to the image below.

When you are satisfied with the results remember to select Transform > Generate Transform to save the MST file. The MST file that was generated for me was about 20KB.
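The same transform can be produced without Orca through the Windows Installer automation API. This is an added example of mine, not code from the original post: the MSI and MST paths, the temporary working copy and the interactive password prompt are my assumptions, and it assumes the MSI already carries an AGREETOLICENSE row, as the Orca step above implies.

```powershell
# Added example, not from the original post: build the same MST as the Orca steps above
# through the Windows Installer automation API. Paths are lab assumptions.
param(
    [string]$MsiPath = 'C:\DeploymentSoftware\splunkforwarder.msi',  # assumed path
    [string]$MstPath = 'C:\DeploymentSoftware\splunkuf.mst',          # assumed path
    [string]$DeploymentServer = 'ds.fakelabs.io:8089'
)

# Prompt for the UF admin password so it is not hard-coded here or left in shell history.
$cred  = Get-Credential -UserName 'splunk_admin' -Message 'Splunk UF admin account'
$plain = $cred.GetNetworkCredential().Password.Replace("'", "''")   # escape for the SQL below

# The Installer COM object exposes no type library to PowerShell, so call it late-bound.
function Invoke-Com($obj, [string]$method, $argList) {
    $obj.GetType().InvokeMember($method, 'InvokeMethod', $null, $obj, $argList)
}

# Work on a temporary copy so the original MSI is never modified.
$work = Join-Path $env:TEMP 'splunkuf-work.msi'
Copy-Item -Path $MsiPath -Destination $work -Force

$installer = New-Object -ComObject WindowsInstaller.Installer
$reference = Invoke-Com $installer 'OpenDatabase' @($MsiPath, 0)   # 0 = read-only
$modified  = Invoke-Com $installer 'OpenDatabase' @($work, 1)      # 1 = transact

# Same edits as in Orca: flip AGREETOLICENSE, then add the three UF properties.
$queries = @(
    "UPDATE Property SET Value='Yes' WHERE Property='AGREETOLICENSE'",
    "INSERT INTO Property (Property, Value) VALUES ('SPLUNKUSERNAME', 'splunk_admin')",
    "INSERT INTO Property (Property, Value) VALUES ('SPLUNKPASSWORD', '$plain')",
    "INSERT INTO Property (Property, Value) VALUES ('DEPLOYMENT_SERVER', '$DeploymentServer')"
)
foreach ($q in $queries) {
    $view = Invoke-Com $modified 'OpenView' @($q)
    Invoke-Com $view 'Execute' $null | Out-Null
    Invoke-Com $view 'Close'   $null | Out-Null
}

# Emit the transform as the delta between the edited copy and the untouched reference,
# then add the summary stream that msiexec requires before it will apply an MST.
Invoke-Com $modified 'GenerateTransform'          @($reference, $MstPath) | Out-Null
Invoke-Com $modified 'CreateTransformSummaryInfo' @($reference, $MstPath, 0, 0) | Out-Null

Remove-Item $work -Force
Write-Host "Wrote $MstPath. It holds the plaintext admin password: restrict its ACL."
```

The working copy is never committed, so only the MST is written; the resulting file contains the same plaintext credentials the Orca-built one does.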
Keep in mind that you need to protect the credentials in this file, since anyone who obtains it can use the management API to manipulate your forwarders. I created a Splunk app called disableWebAPI in my git repository that disables this port.
Copy the MST file and the Splunk UF installer to a file share that is accessible by the Domain Controller and by the endpoints that will receive the software package. Since this is my lab environment, I created a shared folder on my Domain Controller called DeploymentSoftware.
Log in to your Domain Controller and use Group Policy Management to create a new GPO; I called mine DeploySPlunkUF. Select Computer Configuration > Software Settings > Software Installation and be sure the radio button for Advanced is selected.

Under the Modifications tab select ‘Add’ and navigate to where you copied the MST file. Leave the other tabs at their default values unless you have other operational requirements.

Once you are done you should see the name of your package and the UNC path to the Splunk UF installer. This UNC path needs to be accessible by all hosts on which you intend to deploy the UF.

Your file share should grant ‘Domain Computers’ the ‘Read’ permission or the software package will not install. Remember that your MST file has unprotected credentials inside, so double-check your access controls if you decide to keep the MST file co-located with the installer.

Link the GPO to the OU that you want to be affected; the GPO will be applied when those machines restart.

If you do not see the screen in the image above, or any screen that delays the login process, check whether the UF is installed. If the UF is not installed, run ‘gpupdate /force’ as an administrator. You should also double-check your permissions on the shared folder that contains the Splunk UF.
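As an added triage script of mine (not from the original post) for an endpoint where the UF did not show up, the following runs through the checks the paragraph above asks for: the service, reachability of the package, the share ACL and the software-installation events. The share UNC path, Domain Controller name and MSI file name are assumptions.

```powershell
# Added example, not from the original post: triage an endpoint that should have
# received the UF via GPO. The share path and file name are lab assumptions.
param(
    [string]$SharePath = '\\DC01\DeploymentSoftware',   # assumed UNC path
    [string]$MsiName   = 'splunkforwarder.msi',         # assumed file name
    [switch]$ForceRefresh                               # run gpupdate if the UF is missing
)

# 1. Is the forwarder installed? The UF registers the Windows service "SplunkForwarder".
$svc = Get-Service -Name 'SplunkForwarder' -ErrorAction SilentlyContinue
if ($svc) { Write-Host "UF installed; service state: $($svc.Status)"; return }
Write-Host 'UF not installed; checking the deployment share and GPO events.'

# 2. Can this host reach the package? GPO software installation runs as the computer
#    account, so run this as SYSTEM (e.g. from a scheduled task) for a faithful test.
$msi = Join-Path $SharePath $MsiName
if (Test-Path $msi) { Write-Host "Package reachable: $msi" }
else { Write-Host "Cannot read $msi from this host; check share and NTFS permissions." }

# 3. Does the NTFS ACL on the shared folder grant Domain Computers at least Read?
$acl = Get-Acl -Path $SharePath -ErrorAction SilentlyContinue
$dc  = $acl.Access | Where-Object {
    $_.IdentityReference -like '*\Domain Computers' -and
    $_.AccessControlType -eq 'Allow' -and
    ($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::Read)
}
if ($dc) { Write-Host 'Domain Computers has Read on the shared folder.' }
else     { Write-Host 'Domain Computers is missing Read on the shared folder.' }

# 4. What did the software-installation client-side extension log? Its events land in
#    the System log under the source "Application Management Group Policy".
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Application Management Group Policy' } `
    -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-Table -Wrap

# 5. Optionally trigger a policy refresh; the install itself still happens at next boot.
if ($ForceRefresh) { gpupdate /force }
```

Step 3 only inspects the NTFS ACL; the share-level permission must be checked on the server itself (for example with Get-SmbShareAccess).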
This came in handy for a site I visited that didn’t have Microsoft System Center Configuration Manager (SCCM) so we had to find an alternate method to deploy the Splunk UF across the enterprise.
Thanks for reading.
Do you not find it alarming that you are putting a password in a file that is domain accessible for an application that is basically a rootkit?
Scotty, great question. I do warn that you should have different access controls on the share containing the MST file. There will be a period of vulnerability while the software is being deployed if you choose to colocate the MST and MSI. Once the Universal Forwarders are deployed you no longer need the installer or the MST file available in the file share.
Thanks for the reply and the article!
Is it possible not to restart the client? How do you deliver a UF to a lot of machines without restarting them?
Arman, if you are deploying using a GPO you will have to reboot. Another option is to install using a scheduled task and push that scheduled task out via GPO.
Hi Michael, thanks for the post. My question is where to put the disableWebAPI app. Regards, Sam
Samir, you place disableWebAPI under $SPLUNK_HOME/etc/apps, or you can use the Splunk web UI to install the app. If you have a deployment server then you would put it under $SPLUNK_HOME/etc/deployment-apps. I hope that helps.
Hi Michael,
I came across your post and tried your instructions for deploying the Splunk UF on Windows via GPO, but it fails at the last step. I can install 7zip via the GPO on the Windows machines, but it does not work for the Splunk UF (the 7zip installation file is placed in the same shared folder that contains the Splunk UF installation file and the MST file). The Splunk UF installation file only shows up under “install a program from the network”. Do you have any idea which part I should pay more attention to when troubleshooting?
Thanks.
Will,
If you can install 7zip successfully, I suspect your MST file does not have the AGREETOLICENSE set to YES. This would stop Splunk from installing. The MST file isn’t readable, so I would carefully redo the MST file and follow the steps again.