Tuesday, September 23, 2014

[Solved] At a Lost with Windows 2012

In trying to get the Splunk tech add-on TA-nessus from Hurricane Labs to work on a pair of Windows servers, I created some DOS batch files that works fine when manually run. They also run fine on a Windows 2008 R2 server running a Splunk Universal Forwarder. Here is one of batch files, update_plugin_lookup.bat:

@echo off

rem -- To get rid of cygwin's complaints about DOS style path:
set CYGWIN=nodosfilewarning

E:\cygwin64\bin\bash.exe "%SPLUNK_HOME%/etc/apps/TA-nessus/bin/update_plugin_lookup.sh" %*

Then the shell script, update_plugin_lookup.sh, is modified to this to work with Cygwin's bash and python:

#!/bin/bash

#unset LD_LIBRARY_PATH

export PATH="/bin:/usr/bin"
cygpath=`which cygpath 2>/dev/null`
if [ "$cygpath" != "" ]; then
    splunk_home=`"$cygpath" "$SPLUNK_HOME"`
    export SPLUNK_HOME=`"$cygpath" -w "$SPLUNK_HOME"`
fi
export PATH="$PATH:$splunk_home/bin"

#cd $( dirname "${BASH_SOURCE[0]}" ) || cd "$splunk_home/etc/apps/TA-nessus/bin"
cd "$splunk_home/etc/apps/TA-nessus/bin"

./update_plugin_lookup.py $*

The problem is, on a Windows 2012R2 server running a Splunk search head, the scripted input running the update_plugin_lookup.bat command only generates a line in the splunkd.log file that reads:

09-23-2014 04:15:00.013 -0400 ERROR ExecProcessor - Couldn't start command "E:\Splunk\etc\apps\TA-nessus\bin\update_plugin_lookup.bat": The operation completed successfully.

I checked file permissions for the local SYSTEM account on the 2012 server, as I suspected that may be a factor. But that did not seem to be the issue.

I have downloaded the PsTools from SysInternals and manually run the batch command as the local SYSTEM user. That worked without a hitch.

I am at a lost of ideas to try at this point, so I am going to post this to Splunk Answers and other forums to beg for help.

[Edit - Problem resolved] :  This turned out to be a file permission issue, after all. I thought I did grant executable permission to local SYSTEM on the 2012R2 server. But I did not succeed in doing that. Then because I was able to run the batch command file as local SYSTEM with the help of PsExec, I let the suspicion slip out of my mind.

No comments:

Post a Comment