[RESOLVED] Batch scripted input works on Win2008R2 but not Win2012R2

ww9rivers
Contributor

In trying to get the Splunk tech add-on TA-nessus from Hurricane Labs to work on a pair of Windows servers, I created some DOS batch files that work fine when manually run. They also run fine on a Windows 2008 R2 server running a Splunk Universal Forwarder. Here is one of the batch files, update_plugin_lookup.bat:

@echo off

rem -- To get rid of cygwin's complaints about DOS style path:
set CYGWIN=nodosfilewarning

E:\cygwin64\bin\bash.exe "%SPLUNK_HOME%/etc/apps/TA-nessus/bin/update_plugin_lookup.sh" %*

Then the shell script, update_plugin_lookup.sh, is modified to this to work with Cygwin's bash and python:

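#!/bin/bash

# Minimal PATH so that Cygwin's own tools (and its python) are found first.
export PATH="/bin:/usr/bin"
# Fall back to SPLUNK_HOME as given if cygpath is not available.
splunk_home="$SPLUNK_HOME"
cygpath=$(which cygpath 2>/dev/null)
if [ -n "$cygpath" ]; then
    # POSIX-style path for use inside bash; Windows-style path exported for Splunk.
    splunk_home=$("$cygpath" "$SPLUNK_HOME")
    export SPLUNK_HOME=$("$cygpath" -w "$SPLUNK_HOME")
fi
export PATH="$PATH:$splunk_home/bin"

#cd $( dirname "${BASH_SOURCE[0]}" ) || cd "$splunk_home/etc/apps/TA-nessus/bin"
# Stop here if the app directory cannot be entered.
cd "$splunk_home/etc/apps/TA-nessus/bin" || exit 1

# Pass the arguments through unchanged, keeping any that contain spaces intact.
./update_plugin_lookup.py "$@"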

The problem is, on a Windows 2012R2 server running a Splunk search head, the scripted input running the update_plugin_lookup.bat command only generates a line in the splunkd.log file that reads:

09-23-2014 04:15:00.013 -0400 ERROR ExecProcessor - Couldn't start command "E:\Splunk\etc\apps\TA-nessus\bin\update_plugin_lookup.bat": The operation completed successfully.

I checked file permissions for the local SYSTEM account on the 2012 server, as I suspected that may be a factor. But that did not seem to be the issue.

I have downloaded the PsTools from SysInternals and manually run the batch command as the local SYSTEM user. That worked without a hitch.

I am at a loss for ideas to try at this point, so I am posting this on Splunk Answers and other forums to beg for help.

0 Karma

ww9rivers
Contributor

Turns out, this is a Windows file permission issue. I thought I checked the permissions and I did reset the permissions on the 2012R2 server, but I actually failed to reset them. However, as I said, I was able to manually run the .bat file as the local SYSTEM user with the help of the PsExec tool, so I let my suspicion of the file permission issue slip out of my mind.

The batch files I created on the 2008 server have assigned the local SYSTEM user full control on the files. But the SYSTEM user only had "read" permission on the files on the 2012R2 server.

Once the Windows server admin team gave the local SYSTEM account full control on the batch file, it started to work, as scheduled in TA-nessus' inputs.conf.

0 Karma
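
The permission difference described in the answer above can be checked per file before waiting for the next scheduled run. The following PowerShell is an added example, not part of the original thread or of TA-nessus; it approximates the rights the local SYSTEM account holds on each script in the app's bin directory. Assumptions: the default path is taken from the splunkd.log line in the question, the SID list covers the groups normally present in the SYSTEM token, and "Read & execute" is used as the threshold (the thread only establishes that "read" was not enough and full control worked).

```powershell
param(
    # Assumption: app path taken from the splunkd.log line in the question.
    [string]$BinDir = 'E:\Splunk\etc\apps\TA-nessus\bin'
)

# SIDs normally present in the LocalSystem token:
# SYSTEM, BUILTIN\Administrators, Everyone, Authenticated Users.
$sids   = 'S-1-5-18', 'S-1-5-32-544', 'S-1-1-0', 'S-1-5-11'
$needed = [int][System.Security.AccessControl.FileSystemRights]::ReadAndExecute

Get-ChildItem -LiteralPath $BinDir -File |
    Where-Object { $_.Extension -in '.bat', '.cmd', '.sh', '.py' } |
    ForEach-Object {
        $acl   = Get-Acl -LiteralPath $_.FullName
        # Explicit and inherited ACEs, with identities returned as SIDs.
        $rules = $acl.GetAccessRules($true, $true,
                     [System.Security.Principal.SecurityIdentifier])
        $allow = 0
        $deny  = 0
        foreach ($rule in $rules) {
            if ($sids -notcontains $rule.IdentityReference.Value) { continue }
            if ($rule.AccessControlType -eq 'Allow') {
                $allow = $allow -bor [int]$rule.FileSystemRights
            } else {
                $deny = $deny -bor [int]$rule.FileSystemRights
            }
        }
        # Approximation: deny ACEs win over allow ACEs; generic rights are not mapped.
        $effective = $allow -band (-bnot $deny)
        [pscustomobject]@{
            File         = $_.Name
            SystemRights = [System.Security.AccessControl.FileSystemRights]$effective
            CanExecute   = ($effective -band $needed) -eq $needed
        }
    } | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt on both servers and compare the SystemRights column; a file showing only Read on one host and FullControl on the other matches the situation described in the answer.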

linu1988
Champion

Hello,
This occurs when your path is wrong for the script. Splunk will throw this error when it is not able to find the path. Could you double check if the TA-nessus app is added in the new 2012 machine?

Thanks,
L

0 Karma

ww9rivers
Contributor

Yes, I am sure the app (the TA, to be precise) is there, because as I said in the original posting, I am able to run the .bat file manually to get the lookup table updated.

0 Karma

linu1988
Champion

I see you ran the bash script rather than the bat file. Could you also trigger the bat file for yourself? That is the issue I can see, nothing else.

0 Karma

ww9rivers
Contributor

Yes. I could. Everything worked manually before the file permission on the .bat file was fixed.

0 Karma