trinitor/DetectionLab
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Remove inputsconf

Browse Source
This commit is contained in:
Chris Long
2020-08-05 13:38:46 -07:00
parent bcf4eff575
commit ec4c5d1483
2 changed files with 5 additions and 42 deletions
Download Patch File Download Diff File Expand all files Collapse all files

37
Vagrant/scripts/install-inputsconf.ps1
View File

@@ -1,37 +0,0 @@
# Purpose: Configures the inputs.conf for the Splunk forwarder on WEF to send events from the WEF channels
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Setting up Splunk Inputs for Sysmon"
$inputsPath = "C:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\local\inputs.conf"
$currentContent = get-content $inputsPath
$targetContent = get-content c:\vagrant\resources\splunk_forwarder\inputs.conf
if ($currentContent -ne $targetContent)
{
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Stopping the Splunk forwarder"
try {
Stop-Service splunkforwarder -ErrorAction Stop
} catch {
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Failed to stop SplunkForwarder. Trying again..."
Set-Location "C:\Program Files\SplunkUniversalForwarder\bin"
& ".\splunk.exe" "stop"
}
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Deleting the default configuration"
Remove-Item $inputsPath
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Copying over the custom configuration"
Copy-Item c:\vagrant\resources\splunk_forwarder\inputs.conf $inputsPath
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Starting the Splunk forwarder"
Start-Service splunkforwarder
}
else
{
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Splunk forwarder already configured. Moving on."
}
If ((Get-Service -name splunkforwarder).Status -ne "Running")
{
throw "splunkforwarder service was not running."
}
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Splunk forwarder installation complete!"

10
Vagrant/scripts/install-windows_ta.ps1
View File

@@ -3,9 +3,9 @@
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Installing the Windows TA for Splunk" Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Installing the Windows TA for Splunk"
If (test-path "C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\default") { If (Test-Path "C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\default") {
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Windows TA is already installed. Moving on." Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Windows TA is already installed. Moving on."
Exit Exit 0
} }
# Install Windows TA (this only needs to be done on the WEF server) # Install Windows TA (this only needs to be done on the WEF server)
@@ -16,12 +16,12 @@ Start-Process -FilePath "C:\Program Files\SplunkUniversalForwarder\bin\splunk.ex
# Create local directory # Create local directory
New-Item -ItemType Directory -Force -Path "C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\local" New-Item -ItemType Directory -Force -Path "C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\local"
Copy-Item c:\vagrant\resources\splunk_forwarder\wef_inputs.conf $inputsPath Copy-Item c:\vagrant\resources\splunk_forwarder\wef_inputs.conf $inputsPath -Force
# Add a check here to make sure the TA was installed correctly # Add a check here to make sure the TA was installed correctly
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Sleeping for 15 seconds" Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Sleeping for 15 seconds"
start-sleep -s 15 Start-Sleep -s 15
If (test-path "C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\default") { If (Test-Path "C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\default") {
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Windows TA installed successfully." Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Windows TA installed successfully."
} Else { } Else {
Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Something went wrong during installation." Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Something went wrong during installation."