Ionut Nica

Windows, Scripting, Virtualization, Cloud Computing - tricks for getting around in the world of Technology



  • Fix “Transaction log for database ‘VIM_VCDB’ is full” errors

    Posted on by Ionut Nica

    This is one of those “note to self” posts, in case this hits me again, so I don’t go wandering the Internet all over again. I have a small VMware lab at home, and a few days ago I was confronted with an issue related to vCenter, the management application for VMware’s hypervisor. I tried to connect to my vCenter installation: connection refused… OK, I’ve seen this before, probably the service is not up. Initially I thought there had been a power outage at my home (they kinda happen) and the vCenter service hung upon starting (this also kinda happens).

    No problem, I can fix it! Open the Services snap-in remotely against the vCenter machine, start the service, the service starts, close the snap-in. Start the vSphere Client, the client works, play around with it a bit, close the client.

    Time goes by, and I need to log back into the system for some work. Connection refused… now this is rich: no power outage, so why is the service crashing? OK, it’s just life treating me badly, VMware is acting up (not that it usually does). Open Services, start the service, log in to vCenter again, do some work; a few minutes later the client disconnects… and reconnecting does not work.

    OK, troubleshooting mode now: open Splunk, filter on events from that host, anything in the system log that is not at the Information level. And there it was:

    Error[VdbODBCError] (-1) “ODBC error: (42000) – [Microsoft][SQL Native Client][SQL Server]The transaction log for database ‘VIM_VCDB’ is full. To find out why space in the log cannot be reused, see the log_reuse_wait_desc column in sys.databases” is returned when executing SQL statement “UPDATE VPX_VM WITH (ROWLOCK) SET SUSPEND_TIME = ? , BOOT_TIME = ? , SUSPEND_INTERVAL = ? , QUESTION_INFO = ? , MEMORY_OVERHEAD = ? , TOOLS_MOUNTED = ? , MKS_CONNECTIONS = ? , FAULT_TOLERANCE_STATE = ? , RECORD_REPLAY_STATE = ? WHERE ID = ?”

    Ouch, something really broke. I immediately made a quick check to see if I had disk space left, which I had, so this was not going to be that easy.

    In that case: to the Internets! I found this thread on the VMware Communities. I won’t bore you any more with the storyline, I’ll just get to fixing this issue.

    Note: this is probably an extremely trivial topic that does not happen on production databases with vigilant DBAs. However, this is a home lab and I’m not a DBA :) and if you are reading this, probably neither are you.

    The Fix

    To fix this you will need SQL Server Management Studio Express installed, either on the server holding the databases or on a management machine (in which case you had better know how to give yourself remote access to the vCenter database server; I couldn’t, so I installed it locally on the affected machine). You’ll also need a local administrator account to run Management Studio under.

    Once in Management Studio, select the VIM_VCDB database, right-click it and choose Properties:

    On the left side of the new window select the Files page:

    There are 2 files, the database and the log. The error we got mentioned the log. A quick look at my setup revealed I had reserved only 460MB for the log (screenshot taken after the fix). Scroll to the right in the log file’s row and click the “…” button in the Autogrowth column; the dialog it opens lets you configure the maximum size of the log file.

    Change this to a bigger value; for a home lab 2GB is quite a lot actually, but I wanted to be safe. Close all windows by pressing OK and close Management Studio. Bear in mind that a bigger cap only helps if the log can actually be truncated afterwards: the error message points you to the log_reuse_wait_desc column in sys.databases for the reason it cannot, and if that column says LOG_BACKUP the database is in the FULL recovery model without log backups and will fill the new cap too.

    After this, restart the VMware VirtualCenter Server service and watch your vCenter go :)

    Now for a little investigation into why this happened. The vCenter database holds performance data, VM metadata and the like… but how could 8 VMs generate, in less than 2 months, enough performance data to fill the 460MB configured for the log file? Well, the answer lies in the vCenter Server Settings. Once I started browsing the menus I remembered that, just for testing, I had configured the statistics logging level to 4 (the highest) for each retention period, and then forgot to turn it off. Lesson learned.
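    The same diagnosis and fix, scripted against the SQL Server that hosts VIM_VCDB instead of clicking through Management Studio. This is an added example and not code from the original post: it reads the log_reuse_wait_desc column that the error message points at, reports the log file’s current size and cap, and raises MAXSIZE with ALTER DATABASE. It assumes Windows authentication for the account running it and an instance name of .\SQLEXP_VIM (an assumption; change it to match your lab).

```powershell
# Added example, not from the original post. Assumes Windows authentication
# and the instance name '.\SQLEXP_VIM' (an assumption; adjust for your lab).
function Invoke-VcdbSql {
    param([string]$Instance, [string]$Sql, [hashtable]$Parameters = @{}, [switch]$NonQuery)
    $conn = New-Object System.Data.SqlClient.SqlConnection("Server=$Instance;Database=master;Integrated Security=SSPI")
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = $Sql
    foreach ($name in $Parameters.Keys) { [void]$cmd.Parameters.AddWithValue($name, $Parameters[$name]) }
    $conn.Open()
    try {
        if ($NonQuery) { [void]$cmd.ExecuteNonQuery(); return }
        $table = New-Object System.Data.DataTable
        $table.Load($cmd.ExecuteReader())
        return $table.Rows          # emits one DataRow per result row
    } finally { $conn.Close() }
}

function Get-VcdbLogStatus {
    param([string]$Instance = '.\SQLEXP_VIM', [string]$Database = 'VIM_VCDB')
    # log_reuse_wait_desc tells you why the log cannot be truncated:
    #   NOTHING            - it can; the file is simply capped too low
    #   LOG_BACKUP         - FULL recovery model and nobody takes log backups
    #   ACTIVE_TRANSACTION - a long-running transaction is pinning the log
    # size/max_size in sys.master_files are in 8 KB pages; -1 means unlimited.
    $sql = @"
SELECT d.name, d.recovery_model_desc, d.log_reuse_wait_desc,
       f.name AS logical_name, f.physical_name,
       f.size * 8 / 1024 AS size_mb,
       CASE WHEN f.max_size = -1 THEN -1 ELSE f.max_size * 8 / 1024 END AS max_size_mb
FROM sys.databases d
JOIN sys.master_files f ON f.database_id = d.database_id
WHERE d.name = @db AND f.type_desc = 'LOG';
"@
    Invoke-VcdbSql -Instance $Instance -Sql $sql -Parameters @{ '@db' = $Database }
}

function Set-VcdbLogMaxSize {
    param([string]$Instance = '.\SQLEXP_VIM', [string]$Database = 'VIM_VCDB', [int]$MaxSizeMB = 2048)
    $rows = @(Get-VcdbLogStatus -Instance $Instance -Database $Database)
    if ($rows.Count -eq 0) { throw "Database $Database not found on $Instance" }
    $row = $rows[0]
    # A bigger cap only helps if the log can be truncated; in FULL recovery with
    # no log backups it fills again, and the durable fix is log backups or
    # switching the database to SIMPLE recovery.
    if ($row.log_reuse_wait_desc -eq 'LOG_BACKUP') {
        Write-Warning "$Database is in $($row.recovery_model_desc) recovery and waits on LOG_BACKUP; schedule log backups or switch it to SIMPLE, or the new cap will be hit again."
    }
    # Identifiers cannot be bound as parameters, so they are quoted as
    # identifiers; the logical file name comes from the catalog query above.
    $dbName  = $Database -replace '\]', ']]'
    $logName = $row.logical_name -replace "'", "''"
    Invoke-VcdbSql -Instance $Instance -NonQuery -Sql "ALTER DATABASE [$dbName] MODIFY FILE (NAME = N'$logName', MAXSIZE = ${MaxSizeMB}MB);"
    Get-VcdbLogStatus -Instance $Instance -Database $Database
}
```

    Run Get-VcdbLogStatus first. If log_reuse_wait_desc is NOTHING, Set-VcdbLogMaxSize -MaxSizeMB 2048 is the scripted equivalent of the Autogrowth dialog; the vCenter service still has to be restarted afterwards (Restart-Service -DisplayName 'VMware VirtualCenter Server').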

    p.s. This is my first non-scripting post :)


  • Restrict USB Storage Devices on Windows XP

    Posted on by Ionut Nica

    This is one of those topics that is probably in the top 10 to-dos on anyone’s list when it comes to securing Windows desktops. Whether it is plain dictatorship, security/confidentiality concerns or requirements, unpatched OSs, weak or no AV solutions, or the golden POLP (Principle of Least Privilege), something may force you to come up with a solution to this problem. The newer versions of Windows (Vista, 7) let you do this via a GPO setting; if you are on anything else (XP, 2000, Server 2003) you are out of luck, there is no built-in GPO setting or quick fix that works.

    As a short history, I went through CIA documents that were published (can’t find them anymore), forums, Microsoft KBs and whitepapers, and finally came out at the other end of the tunnel with a working process.

    The goal is to devise a process for denying access to USB storage that meets the following criteria:

    • Must be implemented at OS level
    • Must be deployable scripted/automatically and/or via GPO
    • Must not cripple other OS functionality (e.g. installing printer/scanner drivers)
    • Must be fully reversible, by Administrators only
    • Must work whether or not USB storage was used before the process is put in place

    The solution – explained

    For disabling USB storage there are 2 situations to cover:

    • No USB storage ever installed: the user must not be able to install the device
    • USB storage was previously installed by a user or admin: the user must not be able to use USB storage again

    Both scenarios are covered by these 6 steps:

    1. Copy usbstor.inf, usbstor.pnf and usbstor.sys to their default locations, as if a USB storage device had been installed.
    2. Restrict access to the 3 files mentioned above. We will use an explicit Deny ACE for the local SYSTEM account on these files.
    3. Remove the registry keys that handle USB storage device startup: HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR, HKLM\SYSTEM\ControlSet001\Services\USBSTOR and HKLM\SYSTEM\ControlSet002\Services\USBSTOR
    4. Replace them with specially crafted keys that disable startup of the USB storage driver
    5. Apply an explicit Deny ACE for the local SYSTEM account on the registry keys mentioned above
    6. Insert a USB storage device, wait for it to be detected by the OS and marvel at the fact that it won’t let you install the device :( :)

    For enabling USB storage again, these steps must be taken from an account that is a member of the Administrators group:

    1. Remove the restrictions placed on the usbstor.* files.
    2. Remove the following specially crafted registry keys: HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR, HKLM\SYSTEM\ControlSet001\Services\USBSTOR and HKLM\SYSTEM\ControlSet002\Services\USBSTOR
    3. Remove the restrictions placed on the registry keys above
    4. Delete incompletely installed USB storage devices from Device Manager and reboot the computer
    5. Insert a USB storage device, wait for it to be detected by the OS (or go to Device Manager and refresh the device list) and marvel at the fact that it works :)

    Implementation – explained

    To implement this in a scripted manner we will use batch scripting. I’m going for a low-level approach, assuming you don’t have VBS or PowerShell on hand; VBS would be rather complicated anyway and PowerShell is not installed by default on the OS. You do have some prerequisites:

    • reg.exe (available by default on XP)
    • A network share
    • SetACL (open source utility; get it, copy it to a network share of your choice and be happy it exists)

    Disabling USB

    • Of the 3 usbstor files mentioned earlier, 2 (usbstor.inf and usbstor.pnf) are present by default under %WINDIR%\inf. The 3rd, usbstor.sys, is not present unless a USB storage device was previously installed. Find it under %WINDIR%\Driver Cache\i386\sp3.cab (or the other cab files there) and extract it from the cab file to the network share.
    • The piece of code that disables USB is written below; it requires that SetACL, the specified .txt and .reg files, and usbstor.sys be present in the directory from which it is executed:
    ::Copy usbstor.sys
    xcopy /R /H /Y %CD%\usbstor.sys %windir%\system32\drivers
    
    ::Secure USBSTOR.* files with ACE (only Local Administrators Full Control, local "SYSTEM" denied Full Control)
    SetACL.exe -on "c:\windows" -ot file -actn restore -bckp "%CD%\usbstor_ACL.txt"
    
    ::Delete settings related to USBSTOR Service
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR /f
    REG DELETE HKLM\SYSTEM\ControlSet001\Services\USBSTOR /f
    REG DELETE HKLM\SYSTEM\ControlSet002\Services\USBSTOR /f
    
    ::Add special crafted registry keys
    regedit /s "%CD%\disable_usb.reg"
    
    ::Secure keys from above with ACE (only Local Administrators Full Control, local "SYSTEM" denied Full Control)
    SetACL.exe -on "hklm\SYSTEM" -ot reg -actn restore -bckp "%CD%\HKLM_ControlSet.txt"
    • The first SetACL command (the one with -actn restore -bckp "%CD%\usbstor_ACL.txt") reads a file containing the ACL for the 3 usbstor files in SetACL’s backup format. To generate it, or a different ACL, first set the permissions you want on each file, then export them with the syntax below, once per file. When you are finished, merge the exported text files into a single text file and reference it from the script.
    SetACL.exe -on "c:\windows\inf\usbstor.inf" -ot file -actn list -lst "f:sddl;w:d,s,o,g;s:b" -bckp "%CD%\usbstor_inf_ACL.txt"
    • The REG command is used to delete any data that may exist in the specified registry keys (think previously installed USB storage).
    • Once the registry is clean of those keys, we push a customized .reg file (find it at the end of the post) that essentially sets:

      • the USBSTOR driver’s ImagePath to the file you defined (usbstor.sys, which you just set a restrictive ACL on)
      • a device count of zero :)
      • the service’s startup type to Disabled (Start = 4; more details here)
      • the other standard settings for that key

    • The second SetACL command (the one with -bckp "%CD%\HKLM_ControlSet.txt"), similar to the ACL for the usbstor files, configures the security of the registry keys we added. To customize that ACL, set it to your liking on the keys, export it using the command below and update the batch code to include it.
    SetACL.exe -on "hklm\SYSTEM\CurrentControlSet\Services\usbstor" -ot reg -actn list -lst "f:sddl;w:d,s,o,g;s:b" -bckp "%CD%\HKLM_CurrentControlSet.txt"

    Enabling USB

    This is just a question of reversing the changes made by the disabling process. The following piece of code does just that:

    ::enable inheritance of permissions
    SetACL.exe -on "c:\windows\inf\usbstor.inf" -ot file -actn setprot -op "DACL:np;SACL:np"
    SetACL.exe -on "c:\windows\inf\usbstor.pnf" -ot file -actn setprot -op "DACL:np;SACL:np"
    SetACL.exe -on "c:\windows\system32\drivers\usbstor.sys" -ot file -actn setprot -op "DACL:np;SACL:np"
    
    ::clear any non-inherited ACE
    SetACL.exe -on "c:\windows\inf\usbstor.inf" -ot file -actn clear -clr "dacl,sacl"
    SetACL.exe -on "c:\windows\inf\usbstor.pnf" -ot file -actn clear -clr "dacl,sacl"
    SetACL.exe -on "c:\windows\system32\drivers\usbstor.sys" -ot file -actn clear -clr "dacl,sacl"
    
    ::deleting custom Registry Keys
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR /f
    REG DELETE HKLM\SYSTEM\ControlSet001\Services\USBSTOR /f
    REG DELETE HKLM\SYSTEM\ControlSet002\Services\USBSTOR /f
    • As you can see, we are enabling inheritance of permissions, clearing any ACE defined explicitly on those objects (the ones we pushed, actually) and removing the registry keys we also pushed. Make sure the user running this enabling process has rights to change these objects (in our case a member of the local Administrators group).
    • After this is done, manually clean Device Manager of any hidden, previously installed USB storage devices and reboot the computer. After the reboot, replugging the device should allow you to install and use it again.
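    The same lock-down and its reversal, expressed in PowerShell for a box that has it (the post’s XP target does not, by default, which is why the post uses batch and SetACL). This is an added example and not the post’s tooling: it recreates the USBSTOR service keys with Start = 4, puts an explicit Deny ACE for SYSTEM on the three driver files and the keys, and adds an audit function so you can verify the state on a machine. It assumes an elevated session; the usbstor.sys source path and the service values written to the key (standard kernel-driver entries, standing in for the post’s .reg file) are assumptions. One caveat the post does not spell out: this only blocks the USB mass-storage class driver; MTP/PTP devices and other USB device classes go through other drivers and are not covered.

```powershell
# Added example, not the post's batch tooling. Assumes an elevated session;
# the usbstor.sys source path and the service values are assumptions.
$UsbstorFiles = @(
    "$env:windir\inf\usbstor.inf",
    "$env:windir\inf\usbstor.pnf",
    "$env:windir\system32\drivers\usbstor.sys"
)
# Only touch control sets that actually exist on this machine.
$UsbstorKeys = @('CurrentControlSet', 'ControlSet001', 'ControlSet002' |
    Where-Object { Test-Path "HKLM:\SYSTEM\$_\Services" } |
    ForEach-Object { "HKLM:\SYSTEM\$_\Services\USBSTOR" })
$SystemSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-18'

function New-SystemDenyRule {
    # Deny ACE for NT AUTHORITY\SYSTEM, in the flavour the object type needs.
    param([string]$Path)
    if ($Path -like 'HKLM:*') {
        New-Object System.Security.AccessControl.RegistryAccessRule(
            $SystemSid, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Deny')
    } else {
        New-Object System.Security.AccessControl.FileSystemAccessRule($SystemSid, 'FullControl', 'Deny')
    }
}

function Test-SystemDenied {
    param([string]$Path)
    if (-not (Test-Path $Path)) { return $false }
    $deny = (Get-Acl -Path $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq 'S-1-5-18'
    }
    return [bool]$deny
}

function Disable-UsbStorage {
    param([string]$Us

bstorSysSource = 'C:\lockdown\usbstor.sys')   # assumption: extracted from the driver cache
    if (-not (Test-Path $UsbstorFiles[2])) {
        if (-not (Test-Path $UsbstorSysSource)) { throw "usbstor.sys not found at $UsbstorSysSource" }
        Copy-Item -Path $UsbstorSysSource -Destination $UsbstorFiles[2]
    }
    foreach ($key in $UsbstorKeys) {
        # Drop whatever a previous device installation left behind, then recreate
        # a plain kernel-driver service entry with Start=4 (disabled).
        if (Test-Path $key) { Remove-Item -Path $key -Recurse -Force }
        New-Item -Path $key | Out-Null
        New-ItemProperty -Path $key -Name Type -Value 1 -PropertyType DWord | Out-Null
        New-ItemProperty -Path $key -Name Start -Value 4 -PropertyType DWord | Out-Null
        New-ItemProperty -Path $key -Name ErrorControl -Value 1 -PropertyType DWord | Out-Null
        New-ItemProperty -Path $key -Name ImagePath -Value 'system32\DRIVERS\usbstor.sys' -PropertyType ExpandString | Out-Null
        New-ItemProperty -Path $key -Name DisplayName -Value 'USB Mass Storage Driver' -PropertyType String | Out-Null
    }
    foreach ($path in @($UsbstorFiles) + @($UsbstorKeys)) {
        $acl = Get-Acl -Path $path
        $acl.AddAccessRule((New-SystemDenyRule $path))
        Set-Acl -Path $path -AclObject $acl
    }
}

function Enable-UsbStorage {
    # Reverse of the above; run as a member of Administrators. As in the post,
    # remove ghosted USB storage devices in Device Manager and reboot afterwards.
    foreach ($path in @($UsbstorFiles) + @($UsbstorKeys)) {
        if (-not (Test-Path $path)) { continue }
        $acl = Get-Acl -Path $path
        $acl.RemoveAccessRuleAll((New-SystemDenyRule $path))
        Set-Acl -Path $path -AclObject $acl
    }
    foreach ($key in $UsbstorKeys) {
        if (Test-Path $key) { Remove-Item -Path $key -Recurse -Force }
    }
}

function Get-UsbStorageLockState {
    # One row per file/key: does it exist, is SYSTEM denied, and what is Start?
    foreach ($path in @($UsbstorFiles) + @($UsbstorKeys)) {
        $start = $null
        if ($path -like 'HKLM:*' -and (Test-Path $path)) {
            $start = (Get-ItemProperty -Path $path -Name Start -ErrorAction SilentlyContinue).Start
        }
        New-Object PSObject -Property @{
            Path = $path; Exists = (Test-Path $path)
            SystemDenied = (Test-SystemDenied $path); Start = $start
        }
    }
}
```

    Get-UsbStorageLockState is the check to run after either operation: on a locked box every row should show SystemDenied = True and the key rows Start = 4; after Enable-UsbStorage the keys should be gone and no deny left on the files.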

    Phew, this was also a long post, but believe me, reaching this compressed format was a lot of work :)

    Now I’ve attached this zip file containing the contents of what I’ve been talking about; it should be usable out of the box.

    There is also the question, I guess, of securing these files so that they apply to users but users can’t get to them to “help themselves”, but that is a topic for another post perhaps.

    As always any feedback is welcomed.


  • Change Notification “From” Email Address in FSE

    Posted on by Ionut Nica

    After a recent deployment of FSE (Forefront Security for Exchange Server) on an Exchange CMS, I sat back and just watched Forefront notifications come in. Initially they were delivered to my Outlook Junk E-mail folder, but I quickly figured it out and added the “domain” Forefront was sending from to my safe senders. This was all OK for me, a sysadmin, but then it hit me: users whose attachments get blocked also get this notification, and it probably ends up in their junk folder as well. First I thought, OK, let’s push a list of accepted domains down to the clients, but then it dawned on me that there had to be a way to change the “from” address in Forefront. As an added bonus I wanted to find a way to change it on any server role (Mailbox, Hub, CAS, Edge). Thankfully the Forefront Security for Exchange Server User Guide provides the answer (goes to show RTFM sometimes goes a long way).

    How to Change the From Address

    This From address is stored in a registry value on the server where FSE is installed.

    1. Open the Registry Editor and browse to the corresponding value, depending on the OS version you have:
      For 32-bit:
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Forefront Server Security\Notifications\FromAddress

      For 64-bit:
      HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Forefront Server Security\Notifications\FromAddress
    2. Change the default value to the sender name you would like. I chose a name that also identifies the server the notification is sent from. You can use any alphanumeric characters; just keep in mind that illegal characters are replaced with “_”.
    3. Microsoft says to restart/recycle the Exchange and FSE services for this change to become active; please read the notes below regarding this:

    Notes: restarting/recycling services looks like quite a simple task, however I do have some hints on that:

    • If using a CMS (Clustered Mailbox Server) you just have to recycle FSE on the ACTIVE node; FSE is not actively running on the PASSIVE node. Exchange services don’t need to be restarted for this change to take effect (this is my personal observation).
    • Recycling FSE on servers running the Microsoft Exchange Transport service (Hub Transport and Edge roles) will also recycle the Microsoft Exchange Transport service (the Transport service has a dependency on FSE), so plan for downtime.
    • There is a “bug” in Forefront: after the change and restarting the services (not sure what the cause is, didn’t play around to find out) Forefront sends out 3 failed update notifications (1 per engine) for deprecated scan engines it has (AhnLab, Sophos, CAvet), even though none of those engines are enabled or configured to get updates. I spent almost 2 hours scouring the Internet for a reason why this happened. Best just to ignore it and save yourself some brain cells.
    • If changing the registry key by hand via Remote Registry you will not see the Wow6432Node, because regedit has already connected you to that key.

    Disclaimer: as you know, changing the registry is “bad juju”; if you don’t know what you are doing you can break things, so handle these operations with care.

    This is probably the first post in a series related to Forefront Security for Exchange, I hope they prove useful.


  • Configure USB device to boot WindowsPE

    Posted on by Ionut Nica

    It’s been a while since my last post, but now I found some time to write a complementary article to my “make your PE boot disk” series. While that series showed you how to make a bootable ISO, it is also possible to write the contents of the ISO to a USB stick and, by following this guide, boot Windows PE from USB. The advantage of having WinPE on USB is great flexibility: with a CD you always have to rebuild the ISO and burn or mount it whenever you feel like adding new applications or scripts to it. With a flash drive you can just copy the data alongside the booting OS.

    Here’s what you need:

    • USB stick of choice (a portable USB HDD works as well)
    • A PC running at least a Windows Vista kernel (Windows 7 and 2008 work; the WinPE versions of these also work)
    • Administrator privileges on the machine.

    With the introduction of Vista and later kernels, making USB storage bootable for Windows became so much easier. Before that (in the Windows XP/2003 days) there were specialized tools that major hardware vendors had, as far as I know. Why was this not working in XP/2003?

    The reason is that the 5.x versions of Windows treat a USB flash drive as a removable device rather than a hard disk, so the “diskpart” command line utility cannot partition it or mark a partition as active, which is what you need to get WinPE to boot.

    Diskpart is a pretty powerful disk partitioning utility that comes free with Windows and can be used to manage hard disks when you lack a GUI or are a scripthead like me :). What is great about it is that it’s also included in Windows PE, which can make WinPE a one-stop shop for disk management, up to a certain point.

    The steps we will go through are:

    1. Use Diskpart to list all system disks and select our USB stick
    2. Partition USB stick as desired and mark a specific partition as active
    3. Copy WindowsPE files to the USB stick

    Select system drive for WinPE boot

    The first step is to open a command prompt running as Administrator. Type diskpart at the prompt and hit Enter. After a few seconds you get a prompt headed by “DISKPART>”.

    At the prompt type list disk; this will list all available physical drives. This next step is CRUCIAL. Pay extremely close attention to the information shown. Identify which of the disks listed is your USB stick; use the “Size” column to figure it out. If you are still not sure what type of disk you have selected, do the following:

    select disk [enter #] <<enter a disk number from the listing you did>>
    detail disk

    The output should say the selected disk is Type : USB. If you get Type : ATA (or anything other than USB), list the disks again and select another number!

    DISKPART> detail disk
    
    <DEVICE NAME>
    Disk ID: 2EA32EA2
    Type   : USB
    Status : Online
    Path   : 0
    Target : 0
    LUN ID : 0
    Location Path : UNAVAILABLE
    Current Read-only State : No
    Read-only  : No
    Boot Disk  : No
    Pagefile Disk  : No
    Hibernation File Disk  : No
    Crashdump Disk  : No
    Clustered Disk  : No
    
     Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
     ----------  ---  -----------  -----  ----------  -------  ---------  --------
     Volume 6     G                NTFS   Removable   7679 MB  Healthy

    Repeat “select disk #” and “detail disk” until you find the USB device you wish to make bootable. To see which disk is currently selected (marked with “*”), run:

    DISKPART> list disk
    
     Disk ###  Status         Size     Free     Dyn  Gpt
     --------  -------------  -------  -------  ---  ---
     Disk 0    Online          186 GB      0 B
    * Disk 1    Online         7680 MB      0 B

    Up to this point we’ve done nothing to the USB device, but I hope you have a backup of, or don’t care about, the data on it, because it will be gone in the next step…

    Prepare disk and mark as active

    With the proper disk selected we will wipe all partitioning data from it, create a single partition, format it as NTFS, give it a drive letter and mark the partition as active.

    !WARNING!: the following will wipe your device, so make sure the selected disk is the correct one (use list disk and look for the “*” to see which disk is selected).

    clean
    create partition primary
    format fs=NTFS quick
    assign letter=U
    active
    exit

    All of these commands will echo a response that they ran successfully; the final exit leaves the diskpart context. Now let’s copy the WinPE files to the disk.

    Copy Windows PE Files

    OK, time for a little linking to my previous posts (post 1 and post 2). In those posts I discussed how to make a Windows PE boot disk. If you followed that tutorial (or similar ones on the Internet) you will probably be left with a folder called ISO in the <PATH>\WinPE_x86\ folder. You should also be left with the ISO file. BOTH of them are good for this next step, which is “copy all the files from either the ISO folder or the ISO image you built to the root of the USB partition” (make sure you copy all files and folders, including hidden ones). Yep, it’s that easy :)

    Once you are done, safely remove the USB device from the PC and attempt to boot from it. It should plain and simply work (provided your BIOS can boot from a USB disk and you configured it to do so). If your ISO image was working, your USB stick should also be working.
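    The procedure above, driven from PowerShell, with the “is this really the USB stick?” check done in code before anything destructive runs. This is an added example and not the post’s own procedure: it uses WMI’s Win32_DiskDrive (its Index is the number diskpart shows as “Disk ###”), refuses any disk that is not on the USB bus or that holds %SystemDrive%, feeds the same diskpart commands in as a script, and then copies the ISO folder with robocopy so hidden files come along. It assumes Windows Vista/7-era tooling and an elevated session; the source folder is the posts’ E:\PE layout, and only the ISO folder (not the .iso file) is supported here.

```powershell
# Added example, not the post's own procedure. Assumes Vista/7-era tooling,
# an elevated session, and the ISO *folder* from the WinPE posts as source.
function Get-UsbDiskCandidates {
    Get-WmiObject -Class Win32_DiskDrive |
        Where-Object { $_.InterfaceType -eq 'USB' } |
        Select-Object Index, Model, InterfaceType, MediaType, @{ n = 'SizeMB'; e = { [int]($_.Size / 1MB) } }
}

function Get-SystemDiskIndex {
    # Walk %SystemDrive% -> partition -> physical disk so we can refuse it later.
    $drive = $env:SystemDrive   # e.g. C:
    $part = Get-WmiObject -Query "ASSOCIATORS OF {Win32_LogicalDisk.DeviceID='$drive'} WHERE AssocClass=Win32_LogicalDiskToPartition"
    $disk = Get-WmiObject -Query "ASSOCIATORS OF {Win32_DiskPartition.DeviceID='$($part.DeviceID)'} WHERE AssocClass=Win32_DiskDriveToDiskPartition"
    return [int]$disk.Index
}

function New-WinPeUsbDisk {
    param(
        [Parameter(Mandatory = $true)][int]$DiskIndex,
        [Parameter(Mandatory = $true)][string]$SourceFolder,   # e.g. E:\PE\winpe_x86\ISO
        [string]$Letter = 'U'
    )
    $disk = Get-WmiObject -Class Win32_DiskDrive -Filter "Index = $DiskIndex"
    if (-not $disk) { throw "No physical disk with index $DiskIndex" }
    if ($disk.InterfaceType -ne 'USB') {
        throw "Disk $DiskIndex ($($disk.Model)) is $($disk.InterfaceType), not USB; refusing to clean it"
    }
    if ($DiskIndex -eq (Get-SystemDiskIndex)) {
        throw "Disk $DiskIndex holds $env:SystemDrive; refusing to clean it"
    }
    if (-not (Test-Path (Join-Path $SourceFolder 'bootmgr'))) {
        throw "$SourceFolder does not look like a WinPE ISO folder (no bootmgr)"
    }
    # Same commands as in the post, fed to diskpart as a script.
    $script = @"
select disk $DiskIndex
clean
create partition primary
format fs=ntfs quick
assign letter=$Letter
active
exit
"@
    $scriptFile = [IO.Path]::GetTempFileName()
    Set-Content -Path $scriptFile -Value $script -Encoding ASCII
    try {
        & diskpart.exe /s $scriptFile
        if ($LASTEXITCODE -ne 0) { throw "diskpart failed with exit code $LASTEXITCODE" }
    } finally {
        Remove-Item -Path $scriptFile -ErrorAction SilentlyContinue
    }
    # /E copies subfolders including empty ones; hidden/system files (bootmgr, boot\) come along.
    & robocopy.exe $SourceFolder "${Letter}:\" /E /R:1 /W:1
    if ($LASTEXITCODE -ge 8) { throw "robocopy reported failures (exit code $LASTEXITCODE)" }
    Write-Host "WinPE written to ${Letter}:; verify with diskpart's list volume before booting from it."
}
```

    Typical use: run Get-UsbDiskCandidates, pick the Index that matches your stick’s size and model, then New-WinPeUsbDisk -DiskIndex 1 -SourceFolder E:\PE\winpe_x86\ISO. The two guards (bus type and system disk) are the scripted form of the “look for the * in list disk” warning above.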

    I hope this was helpful and if you have feedback it is always welcome.


  • How to create a Windows PE Disk (part 2)

    Posted on by Ionut Nica


    It is time for part 2 of this guide to making yourself a Windows PE disk. You can read more about the first part here. This post will cover the following: how to integrate drivers, add 3rd-party applications and files to your image, unmount the image and burn it to an ISO file. I also want to say that this is a scripted approach, and all data and scripts are in the E:\PE path in this guide. The scripted approach will come in handy when you are doing tens of rebuilds of the image because a certain driver will not integrate or a registry file modification does not work.

    Integrate Drivers into WinPE Image

    First thing on the agenda is to get the actual drivers you want to integrate into the image. For most use cases it is enough to integrate storage and network drivers, and perhaps chipset drivers. You also need to take into account the WinPE version you are building; in this guide we build an x86 WinPE image, so my focus was on x86 drivers for Windows 7/2008/2008 R2. Now go out and grab those CDs or vendor-provided tools (Hyper-V Integration Components or VMware Tools).

    Some vendors ship other applications along with drivers; you don’t need the extra files most of the time, because WinPE doesn’t know how to use them. From those, WinPE needs the *.inf, *.cat and *.sys files corresponding to each driver you want to integrate, and ANY other file specified in the *.inf file. Be patient with this process, as it can sometimes be painstaking and will cause you to rebuild your image until you get it right, until you find all the drivers and files you need :)

    Let’s take the example of VMware Tools for vSphere. If you want your WinPE to boot on vSphere and be able to see your storage adapters and network cards you need to integrate the drivers from VMware Tools.

    Step 1: on a VM running Windows 2008 / Windows 7 on vSphere, start an interactive VMware Tools install.

    Step 2: install VMware Tools and reboot the VM. Now take a look in %programfiles%\vmware\vmware tools\drivers\ – driver heaven! Copy the needed folders from here into a folder called “E:\PE\Drivers\ESX_40” (E:\PE is the location where we run our WinPE imaging process).

    For other drivers you may need to take a different approach; I will just share from my experience. Drivers can be in *.cab cabinet files, in *.zip files, or inside MSI files, which you kinda have to install to get to (see the VMware Tools case); you can even install a driver and then look in Device Manager where the device driver lives and search for the similarly named *.inf, *.sys and *.cat files and all the other files referenced in the *.inf file.

    When you have all your drivers run this as administrator from a command prompt:

    c:
    cd \
    cd "%PROGRAMFILES%\windows aik\Tools\x86\Servicing"
    DISM /image:e:\pe\winpe_x86\mount /Add-Driver /driver:e:\PE\Drivers\ /recurse
    

    Here you run the DISM tool with the /Add-Driver switch, /Driver specifying where the drivers are located, and /Recurse to make it look in all subfolders of e:\PE\Drivers. This is one of the sweetest things about DISM: it can recursively search for drivers (in WinPE 2.0 you had to run 1 command per folder containing drivers).

    In my run, DISM searched the folder and found 84 drivers (.inf files it could integrate). I had 85 .inf files in that folder; one failed, and DISM threw an error. This is however just a “pre-flight” check, as there can still be errors during the actual integration: DISM could not integrate some of the drivers and pointed me to the DISM log file, which can be found in %WINDIR%\Logs\DISM\dism.log.

    For those that just want to test their driver integration, skip the next step.
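    A pre-flight check worth running over the driver folder before DISM touches the image, as an added example that is not the post’s script. For each .inf it reads the CatalogFile entry from the [Version] section, confirms the .cat sits beside it and checks the catalog’s Authenticode signature, then runs the same /Add-Driver command as the post and, if DISM fails, shows the tail of dism.log so you do not have to open it by hand. Paths follow the post’s E:\PE layout; the WAIK install location is assumed to be the default.

```powershell
# Added example, not the post's script. Paths follow the post's E:\PE layout;
# the WAIK location is assumed to be the default install path.
$Dism = Join-Path $env:ProgramFiles 'Windows AIK\Tools\x86\Servicing\Dism.exe'

function Test-DriverFolder {
    param([string]$DriverRoot = 'E:\PE\Drivers')
    Get-ChildItem -Path $DriverRoot -Recurse -Filter *.inf | ForEach-Object {
        $inf = $_
        $catName = $null
        foreach ($line in Get-Content -Path $inf.FullName) {
            # e.g. "CatalogFile = pvscsi.cat" or "CatalogFile.NTx86 = foo.cat"
            $m = [regex]::Match($line, '^\s*CatalogFile(?:\.\w+)?\s*=\s*"?([^";\s]+)', 'IgnoreCase')
            if ($m.Success) { $catName = $m.Groups[1].Value; break }
        }
        $catPath = $null
        if ($catName) { $catPath = Join-Path $inf.DirectoryName $catName }
        $catOk = [bool]($catPath -and (Test-Path $catPath))
        $status = 'NoCatalog'; $signer = $null
        if ($catOk) {
            # The catalog carries the signature over the .sys/.inf hashes.
            $sig = Get-AuthenticodeSignature -FilePath $catPath
            $status = $sig.Status.ToString()
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        }
        New-Object PSObject -Property @{
            Inf       = $inf.FullName
            Catalog   = $catName
            CatalogOk = $catOk
            Signature = $status
            Signer    = $signer
            SysFiles  = @(Get-ChildItem -Path $inf.DirectoryName -Filter *.sys).Count
        }
    }
}

function Add-WinPeDrivers {
    param([string]$MountDir = 'E:\PE\winpe_x86\mount', [string]$DriverRoot = 'E:\PE\Drivers')
    $report = @(Test-DriverFolder -DriverRoot $DriverRoot)
    $report | Format-Table Signature, CatalogOk, SysFiles, Catalog, Inf -AutoSize | Out-Host
    $bad = @($report | Where-Object { -not $_.CatalogOk -or $_.Signature -ne 'Valid' })
    if ($bad.Count -gt 0) {
        Write-Warning "$($bad.Count) of $($report.Count) driver package(s) lack a valid catalog; DISM rejects those unless you add /ForceUnsigned, which you should only do for drivers you trust."
    }
    # Same command as the post, with the exit code and log checked afterwards.
    & $Dism /Image:$MountDir /Add-Driver /Driver:$DriverRoot /Recurse
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "DISM exited with $LASTEXITCODE; last 40 lines of dism.log:"
        Get-Content -Path "$env:windir\Logs\DISM\dism.log" | Select-Object -Last 40
    }
    return $report
}
```

    Run Test-DriverFolder on its own while you are still collecting drivers: a row with CatalogOk = False usually means a file referenced by the .inf was not copied, which is exactly the “one failed” case described above, and it is quicker to spot here than in dism.log.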

    Adding Custom Scripts/Applications to the Image

    In an earlier post I showed how to mount the WinPE image. The image was mounted under “E:\PE\winpe_x86\mount”. If you take a look in this folder you will notice a folder structure resembling a Windows install… well, that is exactly what it is: all Windows PE files unpacked, as they would look when booted from the image. This means you can add files under %windir%\system32 of the image (in our case e:\pe\winpe_x86\mount\Windows\System32) and you would be able to execute them, as %windir%\system32 is in the %PATH% environment variable of the Windows OS. Note that not all apps run under Windows PE; sometimes it is a matter of trial and error.

    So it is just a matter of copying the files you need from a path, let’s say “e:\PE\CustomApps\”, to wherever you want in the folder structure under “e:\PE\winpe_x86\mount\”. Use a manual copy or an xcopy like this, for example:

    xcopy /y /r /F E:\PE\CustomApps E:\PE\winpe_x86\mount\Windows\System32
    

    It is a little-known fact about Windows PE that it has a batch file called “startnet.cmd”. This file includes a command, “wpeinit”. wpeinit is an executable that is run when Windows PE boots on your system (more info here). While I don’t care much about wpeinit itself, I do care about startnet.cmd. At this point you can modify or overwrite this file with a custom-made startnet.cmd that can start other scripts, check IP connectivity, anything you need to do with your WinPE boot disk. Similar to putting custom apps on WinPE, you can do this:

    xcopy /h /Y /R /F "E:\PE\CustomScripts\startnet.cmd" "E:\PE\winpe_x86\mount\Windows\System32\startnet.cmd"
    

    I am stressing the importance of this file because it runs at boot time and is “hard-coded” into the WIM file (you cannot change it after you unmount the WIM and build the ISO). Therefore, since startnet.cmd cannot be altered after building the image, it makes sense to have startnet.cmd point to a file, say autorun.cmd, that you can put on the root of the ISO file. There are many ISO editing tools, so changes to autorun.cmd are easy to make, whereas editing a WIM is not so straightforward.

    Still following this? Good, because the worst part is over :)

    Unmount Image and burn to ISO

    This last step is fairly easy. DISM has a parameter to unmount the image and commit the changes to it. If you remember, in the beginning copype.cmd gave us winpe.wim as a copy of boot.wim; now we overwrite the boot.wim in the ISO folder with our serviced image. The commands below do just that:

    c:
    cd "%PROGRAMFILES%\windows aik\Tools\x86\Servicing"
    ::commit changes to image and unmount
    Dism.exe /Unmount-Wim /mountdir:E:\PE\winpe_x86\mount /commit
    copy E:\PE\winpe_x86\winpe.wim e:\pe\winpe_x86\ISO\sources\boot.wim /Y
    

    In the current state you have 2 options:

    1. Copy the contents of the E:\pe\winpe_x86\iso folder to a bootable USB stick.
    2. Make an ISO file out of it. For now let’s focus on making an ISO file.

    Microsoft delivers OSCDIMG with the WAIK, a utility that can create the bootable ISO for us.

    cd \
    C:
    cd "%PROGRAMFILES%\windows aik\Tools\x86"
    ::"-b" MUST BE next to path for etfsboot.com
    OSCDIMG -bE:\PE\winpe_x86\etfsboot.com -n -o E:\PE\winpe_x86\iso E:\PE\Current_ISO.iso
    

    Please note the comment in the script: “feature” or bug, you must not put a space between -b and the path to etfsboot.com.

    This should have successfully built the image; you can burn it to a CD or mount it in a VM and enjoy a Microsoft-supported Windows 7 live CD :). Before you take a mental break from all this reading I just want to point out that Windows PE will crash if you run it on a system with insufficient memory.

    Why? The boot disk creates a RAM disk into which it loads Windows PE. If there is not enough RAM (typically an issue on old hardware or VMs) it will crash and simply not load. As a rule of thumb, the machine should have at least 1.8 to 2.0 times the size of the ISO file available as RAM.

    I hope this was helpful for others looking to use WinPE as boot disk and I appreciate any feedback you may have.


  • How to create a Windows PE boot disk

    Some time ago I worked a lot on this topic and had a good system for creating Windows PE disks, but recently I had to adapt the workflow to changes in the WAIK (Windows Automated Installation Kit) introduced with Windows 7/2008 R2. I won’t go into details on what’s new, but as far as I am concerned it made the whole process quite a bit easier.

    Maybe I should also explain what the rest of the Internet will probably tell you: “What is Windows PE?”

    Answer: Windows PE is a lightweight version of the Windows operating system.

    Why should you care about Win PE?

    Answer: Well because you can…

    -Access network shares, map drives and copy data over the network

    -Format and partition disks and make bootable USB sticks

    -Run admin tools like PsTools and NTPWEdit (password recovery)

    -Run WMI and batch scripts to automate Windows Server 2003 / XP installations

    -Edit the offline registry of a PC (e.g. change its IP address, start/stop services) when you can’t log in to the OS for some reason.

    It’s been around since Windows XP (versions 1.x), but only since version 2.0, and now version 3.0, does it have some real punch. In a way I think it is better than other Windows boot CDs like BartPE and the like, because you can get MS support and it provides a “clean”, “supported” way to customize it over time with drivers and apps.

    Here’s what we will do to get a working WinPE 3.0 boot image:

    1. Download WAIK and install it
    2. Copy files from the WAIK source folder.
    3. Mount the WIM image
    4. Add additional components to the WIM
    5. Integrate drivers into the image
    6. Add applications/other scripts/files to the image
    7. Unmount WIM Image
    8. Burn the image into an ISO file

    WAIK Installation

    In order to create this WinPE disk you need the WAIK (Windows Automated Installation Kit). This is for WinPE version 3; there are more versions of the WAIK out there, and this tutorial only works for WinPE 3.0. After you’ve downloaded it, simply mount and install it. Should you have any issues with the installation (I had some trouble in the days of 2.x), check the contents of the ISO image: there should be a file called “wAIKX86.msi” that you can use to launch the installation on a 32-bit OS; the same goes for the 64-bit OS. Installation is pretty simple: next, next, next.

    Copy Required files

    I should get this out of the way from the start: these steps are a scripted approach to making a boot disk. I’m sure there is a GUI somewhere, but while I was building my workflow using one was impractical, as I needed a way to reduce user errors and to test different approaches quickly in an automated way.

    To make this whole process easier make sure you add the following path to your %PATH% environment variable: %PROGRAMFILES%\Windows AIK\Tools\PETools

    Also create a folder where you have full administrator rights (in this post I use “e:\PE”). Save yourself some headache and use a short name with no spaces. Needless to say you need to be an administrator on the computer you are using for this task, and all of the commands need to be run from an elevated command prompt.

    The first step is to get all the files we will need to make the image. These files are installed by the WAIK installer, and MS also conveniently provides a batch script that copies everything. From the elevated prompt run this:

    start /wait cmd /c copype.cmd x86 e:\PE\winpe_x86
    

    copype.cmd lives under %PROGRAMFILES%\Windows AIK\Tools\PETools. The script copies the x86 WinPE files to a customization directory: it creates e:\PE\winpe_x86 with the base image winpe.wim, an ISO subfolder holding the boot files and a copy of the image as ISO\sources\boot.wim, and an empty mount folder. It refuses to run if the target folder already exists.

    Mount the WIM Image

    Next we use DISM to mount winpe.wim and begin servicing it. MS introduced this tool, DISM (Deployment Image Servicing and Management), as the single point of servicing WinPE and Windows images; it replaces PEimg and Package Manager from the WAIK 1.x/2.x days.

    c:
    cd "%PROGRAMFILES%\windows aik\Tools\x86\Servicing"
    Dism.exe /mount-wim /wimfile:"E:\PE\winpe_x86\winpe.wim" /index:1 /mountdir:"E:\PE\winpe_x86\mount"
    ::list packages installed - do not use quotes in image name
    dism /image:E:\PE\winpe_x86\mount /Get-Packages
    

    We mount the image (a .WIM file) to the “e:\PE\winpe_x86\mount” directory. Once it is mounted we can do anything with the files inside it. I also listed the packages inside the image so you can see what’s there: just the basics, the foundation and a language pack. When using DISM with /image be careful not to quote the image path.

    Add WIM components

    Now we can add so called packages to the WIM image. These packages are extra features you may want your image to have, like WMI support, MDAC support, Windows 7/Windows Server 2008 setup screens, support for other languages, etc. For a list of the available packages for the WinPE x86 version look in %PROGRAMFILES%\Windows AIK\Tools\PETools\x86\WinPE_FPs (the language-specific parts are in the en-us subfolder).

    c:
    cd\
    cd "%PROGRAMFILES%\windows aik\Tools\x86\Servicing"
    ::adding packages - the cab files live under WinPE_FPs (and WinPE_FPs\en-us for the language parts)
    Dism /image:e:\PE\winpe_x86\mount /Add-Package /PackagePath:"%programfiles%\Windows AIK\Tools\PETools\x86\WinPE_FPs\<add-your-package-filename-here>"
    ::add here any other packages you need
    

    For VBScript and WMI support add these packages: winpe-scripting.cab, winpe-wmi.cab, winpe-mdac.cab, winpe-hta.cab. I’ve added the MDAC and HTA packages in case your scripting requires them. Each package has a matching language part in the en-us folder (winpe-scripting_en-us.cab and so on); add those as well, with the same syntax, after the base package.

    In the end run dism /image:E:\PE\winpe_x86\mount /Get-Packages again to list the packages you installed, and check that each one shows the state “Installed”.
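    The whole build as one script, added here as an example (this is not code from the original post): it wraps the copype and DISM steps above, adds the en-us language part for each package, verifies the package list, and also performs the unmount/commit and ISO steps the post lists but has not covered yet. It assumes a default WAIK for Windows 7 install under %ProgramFiles%\Windows AIK (including oscdimg.exe under Tools\x86, whose syntax is taken from the WAIK documentation), the e:\PE working folder used in the post, and an optional e:\PE\extras folder of files to drop into the image; all of those paths are assumptions. Run it from an elevated PowerShell prompt.

```powershell
# Added example, not from the original post: scripted WinPE 3.0 x86 build.
# Assumptions: WAIK for Windows 7 installed in the default location, work
# folder E:\PE as in the post, optional E:\PE\extras with files to add.
# Run from an elevated PowerShell prompt.
$ErrorActionPreference = 'Stop'

$Waik    = Join-Path $env:ProgramFiles 'Windows AIK\Tools'
$PeTools = Join-Path $Waik 'PETools'
$Dism    = Join-Path $Waik 'x86\Servicing\Dism.exe'
$Oscdimg = Join-Path $Waik 'x86\oscdimg.exe'      # assumption: WAIK ships oscdimg here
$Work    = 'E:\PE\winpe_x86'                      # short path, no spaces
$Mount   = Join-Path $Work 'mount'
$Wim     = Join-Path $Work 'winpe.wim'
$Extras  = 'E:\PE\extras'                         # assumption: your own tools/scripts

# Optional components; each has a language part under WinPE_FPs\en-us.
$Packages = 'WinPE-Scripting', 'WinPE-WMI', 'WinPE-MDAC', 'WinPE-HTA'

function Invoke-Tool {
    # Run an external tool and fail on a non-zero exit code; DISM and oscdimg
    # report most problems only through the exit code, not through stderr.
    param([string] $Exe, [string[]] $Arguments)
    & $Exe @Arguments
    if ($LASTEXITCODE -ne 0) { throw "$Exe exited with code $LASTEXITCODE" }
}

# 1. Copy the base WinPE files; copype refuses to run into an existing folder.
if (Test-Path $Work) { throw "$Work already exists; remove it or choose another folder" }
Invoke-Tool (Join-Path $PeTools 'copype.cmd') @('x86', $Work)
if (-not (Test-Path $Wim)) { throw "copype did not produce $Wim" }

# 2. Mount the base image (paths after /Image: and /MountDir: must not be quoted).
Invoke-Tool $Dism @('/Mount-Wim', "/WimFile:$Wim", '/Index:1', "/MountDir:$Mount")

try {
    # 3. Add each package, base cab first, then its en-us language part.
    foreach ($p in $Packages) {
        $base = Join-Path $PeTools "x86\WinPE_FPs\$p.cab"
        $lang = Join-Path $PeTools "x86\WinPE_FPs\en-us\${p}_en-us.cab"
        foreach ($cab in @($base, $lang)) {
            Invoke-Tool $Dism @("/Image:$Mount", '/Add-Package', "/PackagePath:$cab")
        }
    }

    # 4. Drop in your own files (driver integration would go here too, via /Add-Driver).
    if (Test-Path $Extras) {
        Copy-Item "$Extras\*" (Join-Path $Mount 'Windows\System32') -Recurse -Force
    }

    # 5. Show what is in the image before committing; each package should read "Installed".
    Invoke-Tool $Dism @("/Image:$Mount", '/Get-Packages')

    # 6. Commit the changes and unmount.
    Invoke-Tool $Dism @('/Unmount-Wim', "/MountDir:$Mount", '/Commit')
}
catch {
    # Never leave a half-serviced image mounted: discard the changes, then re-throw.
    & $Dism /Unmount-Wim "/MountDir:$Mount" /Discard | Out-Null
    throw
}

# 7. Refresh the boot image inside the ISO tree and build the ISO
#    (oscdimg syntax as in the WAIK documentation; etfsboot.com is the boot
#    sector that copype placed in $Work).
Copy-Item $Wim (Join-Path $Work 'ISO\sources\boot.wim') -Force
Invoke-Tool $Oscdimg @('-n', "-b$(Join-Path $Work 'etfsboot.com')",
                       (Join-Path $Work 'ISO'), (Join-Path $Work 'winpe_x86.iso'))
```

    Two things worth noticing: every DISM call is checked for a non-zero exit code, and a failure anywhere between mount and commit discards the mount instead of leaving a half-serviced image locked under the mount folder, which is how scripted builds usually end up needing dism /Cleanup-Wim.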

    This covers half the process I described at the start of this post. In the coming days the second part of this tutorial will be finished. I hope you found it useful, have a great week!


  • Removing specific message(s) from multiple Exchange 2007 mailboxes

    I seem to be doing quite a bit of PowerShell scripting these days, some of it related to MS Exchange 2007. One issue we had recently was that loose permissions on Distribution Lists with hundreds of users, plus too much spare time for some users, generated a lot of unwanted message traffic. I don’t want to discuss prevention measures like restricting who can send emails to big DLs or using Microsoft AD RMS to restrict what can be done with emails. Our goal here is to clean up the mess ;) .

    Essentially you can get some info about the message and mailboxes, and use it with Export-Mailbox to remove the data. That is how I initially found this link, but what is not written there is that you need to have all the prerequisites for running Export-Mailbox, and also that running it on hundreds of mailboxes may take a while. I decided to do it my way, by building on what I found on that blog.

    This is “Mass Remove message(s) from mailboxes – My Way”. Depending on your situation you can apply these steps multiple times:

    1. Identify the message that started it all
    2. Track the message on the Exchange Servers and compile a list of unique recipients of the message.
    3. Remove the message from the affected mailboxes (there may be special requirements to perform the task, see here)

    Identify Message

    Getting the information should be pretty easy, someone probably forwarded you a copy of the message(s) to be dealt with. You want at least this info: subject, sender, and the date and time the message(s) was/were sent. When you have enough, open the Exchange Management Console > Tools > Message Tracking and identify which of the events represents the time the message originally arrived on the transport servers. From that event grab the “MessageID” value. We will use it in the following steps to find all events relating to that specific message; unlike subject or sender, the Message-ID identifies exactly one message.

    Track Message

    Assuming the worst case you have to track across all Exchange transport servers; the speed of the process depends on how close to your transport role servers you are running the tracking. I suggest you run this in the same LAN as Exchange, especially the Export-Mailbox part. Anyhow, to get every delivery of the message identified in step 1 (say, one sent by “baduser@foo.com”) across all transport servers in your organization run this:

    $TrackingLogResults = Get-TransportServer | Where-Object {$_.Name -like "<optional filter>"} | ForEach-Object {Get-MessageTrackingLog -EventId DELIVER -MessageID "<MessageID from Step1>" -ResultSize Unlimited -Server $_}
    • Get-TransportServer gives you all the transport servers in the organization
    • The Where clause filters the server list; you can leave it out. It is helpful if your HUB transport servers are named in a specific way and you know the message did not leave the organization, so you can skip searching the Edge servers.
    • ForEach-Object cycles through all servers and performs the search on each
    • Get-MessageTrackingLog searches each transport server’s tracking log for DELIVER events that correspond to that specific MessageID. -ResultSize Unlimited lifts the default cap of 1000 results. The server to search comes in from ForEach-Object as $_.
    • If you run the last cmdlet without the EventId filter you will get lots of other event IDs like FAIL, SEND, RECEIVE, TRANSFER, EXPAND. You just need DELIVER, because it basically says “OK, this message passed all of my checks, I am now handing it to the mailbox server to put it in the store”, so you get a list of just the mailboxes that actually received it.

    This may take a while to run. Once it is finished we have to get the list of people the message was sent to. The easy answer would be “why not just do $TrackingLogResults | Select-Object Recipients and pipe it along to something else?”

    Well you can do that, but Recipients is itself a list of addresses, and each recipient may appear multiple times across the whole result set.

    e.g. – this could be a list returned by the “easy” command

    {john@foo.com}

    {John@foo.com,Jane@foo.com}

    {Jill@foo.com,Josh@foo.com,Jake@foo.com}

    Having duplicates is inefficient, everything will take longer in the next steps. What I wanted was a list without duplicates, plus I get to show you some more “nice” scripting stuff ;)

    Compile Recipients List

    I spent quite some time figuring this out, so someone out there had better find it useful :) . The next step involved a “google shovel” to “dig up” how to break those objects up into one big list. Then the plan was to reduce that to just the unique email addresses. So here’s the “magic”:

    $RecipientsExpanded = @()
    $TrackingLogResults | ForEach-Object {$RecipientsExpanded += $_.Recipients}
    $RecipientsGrouped = $RecipientsExpanded | Group-Object
    $UniqueRecipients = $RecipientsGrouped | Select-Object Name | Sort-Object -Property Name
    • We created a blank array that will hold all recipient addresses in “expanded form”.
    • For each tracking log result we appended its Recipients array to $RecipientsExpanded. The ForEach-Object script block runs in the caller’s scope, so the outer variable is updated in place; do not assign the pipeline’s output back to the same variable, because the script block outputs nothing and the assignment would wipe the list. At the end we have a single array with every address as an individual element.
    • Group-Object groups the addresses by value (case-insensitively, so john@foo.com and John@foo.com end up in one group) and the group names are the list of unique email addresses.

    Actually remove offending messages

    Please see this link if you are planning to export the messages to PST. What is left to do is to take a page from the MSExchangeTeam blog and run the Get-Mailbox | Export-Mailbox combo, only on a reduced scale, just the mailboxes that need it. That is why I went through all the trouble of making that list!

    $MailboxesList = $UniqueRecipients | foreach-object {
          $Filter = "PrimarySmtpAddress -eq '"+$_.Name+"'"
          get-mailbox -ignoredefaultscope -resultsize unlimited -Filter $Filter}

    The code above handles this task for forests with child domains. I covered reasoning and use of -Ignoredefaultscope and -Filter in a previous post.

    #get the current admin account name (DOMAIN\user form)
    $Admin = [Security.Principal.WindowsIdentity]::GetCurrent().Name
    #grant the administrator's account full access over all affected mailboxes
    $MailboxesList | Add-MailboxPermission -AccessRights FullAccess -User $Admin
    $MailboxesList | Export-Mailbox -ContentKeywords <enter part of message body> -Recipients <add recipients list> -TargetMailbox <target mailbox> -TargetFolder "RecoveredEmails" -DeleteContent
    • The first step grants the admin user Full Access over each mailbox. The account being granted that right is $Admin, the account the script is running under; GetCurrent().Name returns it in DOMAIN\user form, which Add-MailboxPermission accepts. The mailbox list is piped in because the -Identity parameter of these cmdlets takes one mailbox at a time.
    • You also need admin rights on the “TargetMailbox”, and the “TargetFolder” should exist beforehand.
    • We export the offending message(s) using Export-Mailbox. Here it is important to be very careful and make the filtering as strict as possible, since Export-Mailbox cannot select a message by MessageID; combine -SenderKeywords, -SubjectKeywords, -ContentKeywords and a -StartDate/-EndDate window, otherwise you could end up removing many more messages than intended. Refer to the Export-Mailbox documentation for all available switches.

    After you run the last command get ready for some really long waiting, as it goes through all the mailboxes. Once it is finished, remove your permissions from those mailboxes.

    $MailboxesList | Remove-MailboxPermission -AccessRights FullAccess -User $Admin
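    The same clean-up packaged as one function, added here as an example (it is not the original post’s code): the recipient list is de-duplicated by letting the pipeline unroll each Recipients array, the Export-Mailbox filter is deliberately narrow because it cannot select on MessageID (sender, subject and a time window derived from the tracking log timestamps), and the temporary Full Access rights are removed in a finally block so a failed run does not leave them behind. It assumes an Exchange 2007 SP2 or later management shell on PowerShell 2.0, an account allowed to run Export-Mailbox, and that the target mailbox and folder already exist; the parameter names and the one-hour window are my choices.

```powershell
# Added example, not from the original post. Assumes Exchange 2007 SP2+ Management
# Shell on PowerShell 2.0 (needed for SupportsShouldProcess / -WhatIf).
function Remove-TrackedMessage {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)] [string] $MessageId,       # from Message Tracking (step 1)
        [Parameter(Mandatory = $true)] [string] $Sender,          # e.g. baduser@foo.com
        [Parameter(Mandatory = $true)] [string] $SubjectKeyword,  # part of the subject
        [Parameter(Mandatory = $true)] [string] $TargetMailbox,   # must exist, you need rights on it
        [string] $TargetFolder = 'RecoveredEmails',               # must exist in the target mailbox
        [string] $ServerFilter = '*'                               # narrow to HUB servers if you can
    )

    # Step 2: DELIVER events for this message on every transport server in scope.
    $events = @(Get-TransportServer |
        Where-Object { $_.Name -like $ServerFilter } |
        ForEach-Object {
            Get-MessageTrackingLog -Server $_ -EventId DELIVER -MessageId $MessageId -ResultSize Unlimited
        })
    if ($events.Count -eq 0) { Write-Warning "no DELIVER events found for $MessageId"; return }

    # Writing $_.Recipients to the pipeline unrolls each array into single addresses;
    # Sort-Object -Unique is case-insensitive, so john@ and John@ collapse into one.
    $recipients = @($events | ForEach-Object { $_.Recipients } | Sort-Object -Unique)

    # A window around the actual delivery times keeps the Export-Mailbox filter tight.
    $times = @($events | ForEach-Object { $_.Timestamp } | Sort-Object)
    $start = $times[0].AddHours(-1)
    $end   = $times[$times.Count - 1].AddHours(1)

    # Step 3a: resolve addresses to mailboxes across the whole forest.
    $mailboxes = @($recipients | ForEach-Object {
        Get-Mailbox -IgnoreDefaultScope -ResultSize Unlimited -Filter "PrimarySmtpAddress -eq '$_'"
    })

    $admin = [Security.Principal.WindowsIdentity]::GetCurrent().Name   # DOMAIN\user
    try {
        # Step 3b: temporary Full Access, then export + delete with every filter we have.
        $mailboxes | Add-MailboxPermission -AccessRights FullAccess -User $admin | Out-Null
        foreach ($mbx in $mailboxes) {
            if ($PSCmdlet.ShouldProcess($mbx.PrimarySmtpAddress, "remove message $MessageId")) {
                Export-Mailbox -Identity $mbx -SenderKeywords $Sender -SubjectKeywords $SubjectKeyword `
                    -StartDate $start -EndDate $end `
                    -TargetMailbox $TargetMailbox -TargetFolder $TargetFolder `
                    -DeleteContent -Confirm:$false
            }
        }
    }
    finally {
        # Always hand the rights back, even if an export failed half way through.
        $mailboxes | Remove-MailboxPermission -AccessRights FullAccess -User $admin -Confirm:$false
    }
}

# Dry run first: lists the mailboxes that would be touched without exporting anything.
# Remove-TrackedMessage -MessageId '<id from tracking>' -Sender baduser@foo.com `
#     -SubjectKeyword 'RE: lunch' -TargetMailbox cleanup.admin -WhatIf
```

    Run it with -WhatIf first and compare the mailbox count against the number of unique recipients from the tracking log; if the two differ, some addresses did not resolve to a mailbox (contacts, external recipients) and you may want to look at those by hand before the destructive run.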

    Phew, this was a long post, but validating everything I explained here took a while. The post is also packed with bits and pieces that can be building blocks for other Exchange Shell scripts. I tried to show you how to take Exchange tracking log data, build a list of unique recipient addresses and use it to remove an unwanted message you tracked in the logs with the Export-Mailbox cmdlet. If you have any feedback/corrections/omissions please feel free to leave a comment.

    Happy Scripting!


  • Logging Data Using Splunk – Part 2 – Deploying the Forwarder on Windows (continued)

    In the earlier posts I promised we would talk a bit about how to actually configure a Splunk forwarder once you have set it up on Windows. I will try to cover very briefly the following:

    1. Configure Data Inputs
    2. Configure Data Output

    A few “ground rules”:

    • Everything in this post refers to configuration files found under the “<Splunk Install Path>\” folder, referred to as SPLUNK_HOME.
    • Settings are read from SPLUNK_HOME\etc\system\local\; anything not defined there falls back to the corresponding file in SPLUNK_HOME\etc\system\default\. By default the files in the local folder contain minimal data [e.g. the host name]. Edit only the local copies: the default files are replaced on upgrade.
    • Config file formatting: the file extension is .conf, comments are prefixed with “#”, and a “stanza” (configuration section) has its title between “[ ]” and contains settings until the next stanza or the end of the file.

    Splunk Data Inputs

    Splunk explains the use of data inputs for Windows here. Data inputs are basically the sources from which Splunk grabs data to forward or index.

    While Splunk can do many things, like WMI queries, AD monitoring, file monitoring and using Python scripts to index whatever you want, I will just show you how to make it listen to Event Logs; personally I think the other things are stretching it a bit.

    If Splunk is just a side application in your organization, e.g. you use the free license, you may find its strength is in forensic analysis rather than in all sorts of monitoring, which, while nice, requires more knowledge than just these basic posts of mine ;) .

    If you remember, I told you in the last post that while the Splunk installer does have configuration parameters, I prefer pushing the configuration after it is installed, before the first run. The reason is that I noticed the installer doesn’t really do all that it advertises, and since you, like me, may want to customize the config files, why not make a baseline/template “config files pack” that you push to the server afterwards.

    By default a Windows Splunk install indexes some event logs and also runs some WMI queries and scripted inputs, so the first order of business is to make it “un-index” anything WMI/script related. Add this to your inputs.conf file.

    #Disable registry monitoring and WMI scripts
    [script://$SPLUNK_HOME\bin\scripts\splunk-regmon.py]
    disabled = 1
    
    [script://$SPLUNK_HOME\bin\scripts\splunk-admon.py]
    disabled = 1
    
    # Pull event logs from the local system
    # Usually disabled in favor of using WinEventLog inputs
    [WMI:LocalApplication]
    disabled = 1
    
    [WMI:LocalSystem]
    disabled = 1
    
    [WMI:LocalSecurity]
    disabled = 1
    
    # Gather performance data from the local system
    [WMI:LocalPhysicalDisk]
    disabled = 1
    
    [WMI:LocalProcesses]
    disabled = 1
    
    [WMI:Memory]
    disabled = 1
    
    [WMI:LocalNetwork]
    disabled = 1
    
    [WMI:CPUTime]
    disabled = 1
    
    [WMI:FreeDiskSpace]
    disabled = 1
    

    As you can see it is just a matter of setting a disabled flag. You can get a list of sources to disable from the Splunk GUI: enable all monitoring sources, then start disabling what you wish.

    “Un-indexing” is finished; now we add the event logs we want indexed and set some parameters for each.

    [default]
    evt_dc_name = <Add FQDN of DC here>
    evt_dns_name = <Add FQDN of DNS server here>
    

    The above section defines a domain controller and a DNS server used to resolve GUID/SID values in the events indexed. It is a global value and applies to all event-log sources.

    [WinEventLog:Application]
    disabled = 0
    start_from = oldest
    current_only = 0
    evt_resolve_ad_obj = 1
    checkpointInterval = 5
    

    Pretty self explanatory in a way: [WinEventLog:Application] defines which event log we are looking at. You can change the value after “:” to any event log name, for example “Directory Service”, “Powershell”, “Microsoft Office”, “Security”, “System”.
    We set it to enabled and to start indexing from the oldest event in the log, and to index all existing events, not just new ones (unlike a Linux tail command). evt_resolve_ad_obj enables or disables resolving of GUID/SID values. checkpointInterval is how often, in seconds, Splunk saves its position in that log, so that after a restart it resumes where it left off instead of re-reading or skipping events.
    Now you can multiply this configuration segment for as many event logs as you have defined on your system. If you define an event log name that does not exist, not a problem: Splunk won’t index it, it will just log an error; personally I can live with that.
    Splunk can also monitor flat files, and one flat file you may be interested in as a sysadmin is windowsupdate.log. The Splunk indexer can have a smart little application called “Windows” that makes some sense of those logs for you. Here is what to add to your inputs.conf to get that file monitored.

    [monitor://$WINDIR\WindowsUpdate.log]
    sourcetype = WindowsUpdateLog
    disabled = 0
    

    Now save this file in SPLUNK_HOME\etc\system\local\ and start/restart Splunk to see some results, or just hold that thought until the end of the post. If you followed my guide so far, what you have is actually a Splunk indexing server, because all we did was install it and configure what it indexes. Next we make it send data out somewhere, which turns it into a forwarder and disables local indexing.

    Configure Data Output

    For more official Splunk info go here. For a forwarding crash course read on. We will configure Splunk to send data out to “groups”. A group can be a single host or several hosts (think load-balancing across indexers). The following configures forwarding of all events to a group made of a single host. The configuration file is outputs.conf, stored in the same location as inputs.conf above. Add this to the file:

    [tcpout]
    defaultGroup = <group_name_ID>
    disabled = false
    
    [indexAndForward]
    index = false
    
    [tcpout:<group_name_ID>]
    server=<IP>:<port>
    heartbeatFrequency=45
    maxQueueSize=10000
    

    The first section names the group configured further down and enables forwarding. The next section controls whether data is also indexed locally besides being forwarded; a forwarder does not need to keep data locally, so set this to false.

    The “tcpout:<group_name_ID>” section defines a group of settings pointing to a listening server. The group_name_ID here must match the defaultGroup value you entered in the first section.

    server lets you define the server and listening port. The IP and port must match the IP and receiving port of the indexer.

    heartbeatFrequency is how often, in seconds, the forwarder sends a heartbeat to the indexer.

    maxQueueSize is by default 1000 (events held in memory while the indexer is unreachable); for busy servers you may want to increase it, as I did.

    Now you should be done. Start/restart Splunk by starting the splunkd service from the services snap-in or by running “net start splunkd” from a command prompt on the server. If you did everything right, Splunk should now be acting as a forwarder and sending data to the indexing server. If you do not see anything on the indexer, start troubleshooting both sides; the logs under “SPLUNK_HOME\var\log\splunk\” (splunkd.log in particular) may prove useful. Note that with this configuration the forwarder sends over plain TCP; unless you enable SSL in outputs.conf, anyone on the network path can read your event logs in transit.
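    The “baseline config pack” described earlier, as an added example (not code from the original post): a PowerShell script that renders inputs.conf and outputs.conf from a short parameter list, backs up whatever is already in SPLUNK_HOME\etc\system\local, writes the new files and restarts splunkd. The indexer name, receiving port, DC name and the list of event logs are placeholders I chose; the stanza names and settings are the ones from this post. It assumes Splunk 4.x installed under %ProgramFiles%\Splunk and is meant to be run (or pushed) as an administrator on the forwarder.

```powershell
# Added example, not from the original post: generate and push the forwarder
# baseline. Assumptions: Splunk 4.x in $env:ProgramFiles\Splunk, the indexer
# listens on $Indexer:$Port (set up in Part 1), $DcFqdn is a reachable DC.
param(
    [string]   $SplunkHome = (Join-Path $env:ProgramFiles 'Splunk'),
    [string]   $Indexer    = 'splunk-idx.foo.com',      # assumption: indexer FQDN
    [int]      $Port       = 9997,                       # assumption: receiving port
    [string]   $DcFqdn     = 'dc1.foo.com',              # assumption: DC for SID/GUID resolution
    [string[]] $EventLogs  = @('Application', 'System', 'Security', 'Directory Service'),
    [string[]] $DisabledInputs = @(
        'script://$SPLUNK_HOME\bin\scripts\splunk-regmon.py',
        'script://$SPLUNK_HOME\bin\scripts\splunk-admon.py',
        'WMI:LocalApplication', 'WMI:LocalSystem', 'WMI:LocalSecurity',
        'WMI:LocalPhysicalDisk', 'WMI:LocalProcesses', 'WMI:Memory',
        'WMI:LocalNetwork', 'WMI:CPUTime', 'WMI:FreeDiskSpace')
)
$ErrorActionPreference = 'Stop'

function New-SplunkStanza {
    # Render one [stanza] block; keys are emitted sorted so file diffs stay readable.
    param([string] $Name, [hashtable] $Settings)
    $lines = @("[$Name]")
    foreach ($k in ($Settings.Keys | Sort-Object)) { $lines += "$k = $($Settings[$k])" }
    ($lines -join "`r`n") + "`r`n`r`n"
}

function New-SplunkInputsConf {
    # Disable the default WMI/script inputs, then enable one WinEventLog stanza per log.
    param([string[]] $Disabled, [string[]] $Logs, [string] $Dc)
    $text  = "# generated baseline: change the template and re-push, do not edit here`r`n"
    $text += New-SplunkStanza 'default' @{ evt_dc_name = $Dc; evt_dns_name = $Dc }
    foreach ($d in $Disabled) { $text += New-SplunkStanza $d @{ disabled = 1 } }
    foreach ($l in $Logs) {
        $text += New-SplunkStanza "WinEventLog:$l" @{
            disabled = 0; start_from = 'oldest'; current_only = 0
            evt_resolve_ad_obj = 1; checkpointInterval = 5 }
    }
    $text += New-SplunkStanza 'monitor://$WINDIR\WindowsUpdate.log' @{ sourcetype = 'WindowsUpdateLog'; disabled = 0 }
    $text
}

function New-SplunkOutputsConf {
    # One tcpout group pointing at a single indexer; no local indexing on a forwarder.
    param([string] $Server, [int] $Port, [string] $Group = 'primary_indexers')
    (New-SplunkStanza 'tcpout' @{ defaultGroup = $Group; disabled = 'false' }) +
    (New-SplunkStanza 'indexAndForward' @{ index = 'false' }) +
    (New-SplunkStanza "tcpout:$Group" @{ server = "${Server}:$Port"; heartbeatFrequency = 45; maxQueueSize = 10000 })
}

$local = Join-Path $SplunkHome 'etc\system\local'
if (-not (Test-Path $local)) { throw "$local not found; is Splunk installed?" }

# Keep a dated copy of whatever was there before overwriting it.
foreach ($f in 'inputs.conf', 'outputs.conf') {
    $p = Join-Path $local $f
    if (Test-Path $p) { Copy-Item $p "$p.$(Get-Date -Format yyyyMMddHHmmss).bak" }
}

# Write as ASCII: Out-File's default UTF-16 is not what Splunk expects in .conf files.
New-SplunkInputsConf  $DisabledInputs $EventLogs $DcFqdn | Set-Content (Join-Path $local 'inputs.conf')  -Encoding Ascii
New-SplunkOutputsConf $Indexer $Port                      | Set-Content (Join-Path $local 'outputs.conf') -Encoding Ascii

# Restart so the new configuration is read; then search host=<this box> on the indexer.
Restart-Service splunkd
```

    Keeping the template in one place and regenerating the files, rather than editing them on each server, is what makes a fleet of forwarders auditable: a diff of the generated inputs.conf against the template is the quickest way to spot a host where someone quietly enabled an extra input or disabled the Security log.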

    I hope this introduction was helpful to anyone trying to get a basic grasp of a Splunk setup for Windows, I wish you Happy Splunking! :)


  • Logging Data Using Splunk – Part 2 – Deploying the Forwarder on Windows

    In the last post I showed you how to install the Splunk indexing server and make it listen for data by enabling receiving of forwarded events. That’s all very nice, but someone needs to actually send data to that port for Splunk to index it. We are going to focus on the Windows deployment of a forwarder, but some of the steps are applicable, in essence, to a Linux forwarder:

    • Fulfill Installation Prerequisites
    • Install Forwarder
    • Configure Forwarder

    Installation Prerequisites

    Some of the information here is also in the relevant Splunk documentation. I’m assuming you want Splunk to run on a domain network, and also on domain controllers. Essentially Splunk runs using 2 services, “Splunkd” and “Splunkweb”. The forwarder only needs the “Splunkd” service. With that in mind, here is what you need to run Splunk on Windows servers:

    • The Splunk forwarder version must be at most equal to the version of the indexer, so your forwarders cannot be more advanced than the indexer. I have not tempted fate to see what breaks otherwise ;)
    • Make sure you install 32-bit Splunk on 32-bit OSes and 64-bit on 64-bit OSes. Splunk says the 64-bit version offers a lot of improvements; in light of people moving to Windows Server 2008, everyone should be happy.
    • You will need the Splunk MSI package, get it from here.
    • You need a domain account for the Splunk services to run under. That account must be a local administrator on the servers where the forwarder is installed. If you are focused on security, check the documentation link above for the minimum requirements; an account that is local admin on every server is a high-value target, so give it a unique, long password. You can use a GPO to enforce these settings as well.
    • To push the forwarder remotely/via script make sure the account used to run the installation can be elevated to administrator (i.e. UAC does not break the install on Windows Server 2008 / Windows 7); this is especially important in this tutorial since this will be a scripted install.
    • Make your life easier and keep Splunk.msi on a network share along with any installation scripts. Also secure that share as best you can, since some data is in clear text.

    Install the Forwarder

    For installing the forwarder we will do a command line install. The installer allows more customization via the CLI than via the install menus. For reference you can take a look here for all CLI switches, but note that not all switches work as advertised. There are a lot of CLI switches designed to customize Splunk upon installation, but since some of them do not work, and since Splunk can be customized after the installation, I used only switches that worked and that I could not configure afterwards. Here’s the magic, which you need to put in a Windows batch file (“.bat”) and run:

    ::Stop all splunk services
    net stop splunkd
    net stop splunkweb
    ::Remove all splunk versions (product codes differ per version and architecture)
    start /wait MsiExec.exe /uninstall {60ad9785-709f-4b4d-ac19-91cbe0ab7614} /passive
    start /wait MsiExec.exe /uninstall {a7579aaa-db6b-46ce-90ca-d8f553481bcc} /passive
    start /wait MsiExec.exe /uninstall {2c0fae08-7c9c-40f9-ba21-82a2aad07f0d} /passive
    
    ::Map drive to splunk install path (drop any stale mapping first)
    net use S: /delete
    net use S: <map network path of splunk executable>
    
    ::Execute installation string, minimal configuration
    start /wait msiexec.exe /i S:\splunk-4.0.9-74233-x86-release.msi INSTALLDIR="%ProgramFiles%\Splunk" RBG_LOGON_INFO_USER_CONTEXT=2 IS_NET_API_LOGON_USERNAME="<domain\SplunkServiceUser>" IS_NET_API_LOGON_PASSWORD="<Password>" LAUNCHSPLUNK=0 AUTOSTARTSERVICE_SPLUNKD=1 AUTOSTARTSERVICE_SPLUNKWEB=0 /passive

    Breaking the code down really quick:

    • Stop the Splunk services, just to make sure. You can foolproof the code by also forcefully killing Splunk related processes.
    • Use the “uninstall” section to rid yourself of previous versions of Splunk. This will be a growing list of commands, because:

      • Important Note: the product code (installation ID) of Splunk differs between the 32-bit and 64-bit versions and between versions, so make sure you get it right, from the registry or however you know. The key is HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall (on 64-bit Windows, 32-bit packages appear under the Wow6432Node branch of the same path).
    • The Splunk-specific parameters are as follows:
      • Specify the installation directory (INSTALLDIR)
      • Specify how the services run: Local System or a domain account; we used a domain account (RBG_LOGON_INFO_USER_CONTEXT=2)
      • Specify the credentials used (IS_NET_API_LOGON_USERNAME, IS_NET_API_LOGON_PASSWORD)
      • Specify what happens after installation and the state of the Splunk services; we want Splunk to do nothing and we don’t need Splunkweb (LAUNCHSPLUNK, AUTOSTARTSERVICE_SPLUNKD, AUTOSTARTSERVICE_SPLUNKWEB)
    • The final /passive switch is a standard MSI installer switch; use /quiet if you prefer. Also you do not need to reboot after a Splunk install/uninstall.

    Improvements to this piece of batch code? Yes we can:

    • Remove the values from the username and password fields and replace the parameters with:
      • IS_NET_API_LOGON_USERNAME="%1"
      • IS_NET_API_LOGON_PASSWORD="%2"
    • Save the script above to a batch file, SplunkDeploy.bat for example, and run it like this:
      • SplunkDeploy.bat domain\SplunkServiceAccount reallyhardpassword, replacing the two arguments with your Splunk service account credentials.
      • This ensures that no passwords are kept in clear text in the script, quite a big no no considering this sort of account kind of owns all computers on the domain, one way or another. The password is still visible on the command line of the running batch and msiexec processes, and in any verbose MSI log, so run the script interactively from a trusted machine rather than leaving a copy on the share with the credentials filled in.
    • At this point Splunk is installed with the default settings. Notice that what we have done so far relates very little to the forwarding role Splunk will have; that is addressed in the configuration part. As I don’t really like the default configuration, and since explaining why requires another post and a bit more reading attention, I hope you will stay tuned for the sequel to Part 2, IMO the most complex part of the series ;)


  • Logging IT Data using Splunk – Part 1 – Deploying the Indexer

    If you reached this page via search then I guess you know what Splunk is; if not, I had better talk a little about it. Quoting the wiki here:

    “Splunk is a search, monitoring and reporting tool for IT system administrators with search capabilities. It crawls logs, metrics, and other data from applications, servers and network devices and indexes it in a searchable repository from which it can generate graphs, SQL reports and alerts. It is intended to assist system administrators in the identification of patterns and the diagnosis of problems. Log files can be correlated across systems and software components which can help administrators uncover the cause analysis of system failures”

    The good part about Splunk is that it comes in 2 flavors: Enterprise and Free. You can get a sense of how the Enterprise version works with a 60-day evaluation license. My focus here is the free edition, probably what most people will work with until they reach its limits. The differences between the two are presented here on their website.

    The latest version is 4.0.x; I have worked with Splunk since version 3.x and I can tell you the latest version is a big leap forward. It comes with add-ons, called Apps, that can be piled onto Splunk. These apps help you extract information from the data; they make understanding and presenting it easier. There is also a Windows version of Splunk, which makes forwarding data so much easier.

    There are several Splunk deployment models; you can read more about them here. The model I want to talk about is the last one on the list, where we have “Splunk installed on all servers forwarding data”. The diagram on the Splunk wiki is quite self explanatory.

    Basically we have 1 installation of Splunk that is the indexer, and we also install Splunk on each machine we want to index data from, called forwarders. There are 2 types of forwarders, regular and light. Regular forwarders also perform transformation tasks on the data, sending already tagged information to the indexer, while light forwarders just send the raw data out to the indexer with no tagging or transformations applied.

    For logging data using Splunk I will show you following:

    • Deploying Splunk as Indexer for Linux
    • Deploying Splunk as Forwarder for Windows.
    • Configuring Forwarders to filter data before forwarding to the Indexer

    Deploying Splunk as Indexer

    We are going to install the Indexer on a Linux machine and configure a few forwarders to send data to this machine. There is nothing stopping you from designating a Windows machine for the indexing role though.

    For a Debian Linux installation, once you have copied the .deb file to your Linux machine, open the console or ssh in and run this command:

    dpkg -i /tmp/splunk-4.0.8-73243-linux-2.6-intel.deb
    

    Replace "/tmp/splunk-....." with the path to your package. Choose the default settings and when the installation finishes run the command that starts Splunk and accepts the license agreement in one step:

    /opt/splunk/bin/splunk start --accept-license
    

    Now you can log in to the web interface indicated by the installation, by default http://[FQDN]:8000. Default credentials are "admin" with password "changeme"; change that password before anything else, since this box will end up holding every event log you forward to it. Once logged in you land on the welcome screen.

    Feel free to take a look around; once done, find the "Manager" link on the top right-hand side and click it. On the new page find the "Forwarding and Receiving" link, which takes you to the receiving settings.

    Click "Add New" to add a new port on which the Indexing Server will listen for data from forwarders. On the new page insert the port number and save your settings.

    You can also configure receiving data from the command line.

    cd /opt/splunk/bin/
    ./splunk login
    

    Enter your credentials, then use this command to activate listening on a TCP port:

    ./splunk enable listen -port <your port number> -auth admin:<password>
    

    You will get this confirmation message: Listening for Splunk data on TCP port <your port number>.

    If you entered the wrong port you can disable listening for that port using:

    ./splunk disable listen -port <port number> -auth admin:<password>
    

    The confirmation message looks like this: Receiving is disabled on port <your port number>.

    At this point you are finished with the basic indexer configuration. In the next post we will cover how to deploy Splunk forwarders on Windows machines and get them to send data to the indexer.



©2012 Ionut Nica