codingWithJimmy
diff --git a/‎README.md
Lines changed: 134 additions & 0 deletions b/‎README.md
Lines changed: 134 additions & 0 deletions
diff --git a/‎bin/dsRemove.bat
Lines changed: 31 additions & 0 deletions b/‎bin/dsRemove.bat
Lines changed: 31 additions & 0 deletions
diff --git a/‎bin/dsRemove.ps1
Lines changed: 19 additions & 0 deletions b/‎bin/dsRemove.ps1
Lines changed: 19 additions & 0 deletions
diff --git a/‎bin/dsRemove.sh
Lines changed: 18 additions & 0 deletions b/‎bin/dsRemove.sh
Lines changed: 18 additions & 0 deletions
diff --git a/‎bin/hostCorrect.ps1
Lines changed: 42 additions & 0 deletions b/‎bin/hostCorrect.ps1
Lines changed: 42 additions & 0 deletions
diff --git a/‎bin/hostCorrect.sh
Lines changed: 24 additions & 0 deletions b/‎bin/hostCorrect.sh
Lines changed: 24 additions & 0 deletions
diff --git a/‎bin/pwchange.bat
Lines changed: 78 additions & 0 deletions b/‎bin/pwchange.bat
Lines changed: 78 additions & 0 deletions
diff --git a/‎bin/pwchange.sh
Lines changed: 30 additions & 0 deletions b/‎bin/pwchange.sh
Lines changed: 30 additions & 0 deletions
@@ -0,0 +1,134 @@
+# Splunk Forwarder Repair Kit
+This kit was compilled based on common issues with Splunk deployments and managing idiosyncrasies that tend to naturally occur.
+
+## Using the app
+Given the use-cases listed above, you will likely have multiple copies of the app with different input enabled for each. In any case, the app should restart Splunk when it is installed as all of the inputs are designed to be run when the forwarder starts.
+
+It should be noted that if multiple copies of the app are created, the inputs.conf would need to be adjusted to account for the change in path for Windows Powershell scripts.
+
+Below is the default inputs file. This configuration is responsible for running the scripts each time the forwarder restarts except for the restart script. The restart script is on a cron for every 2 minutes and is designed to only trigger a restart under specific circumstances.
+
+```
+### Restart scripts
+[script://./bin/restart.sh]
+disabled = 1
+index = _internal
+sourcetype = restart:output
+interval = */2 * * * *
+source = restart_output
+
+[powershell://restart]
+disabled = 1
+index = _internal
+sourcetype = restart:output
+interval = */2 * * * *
+source = restart_output
+script = . "$SplunkHome\etc\apps\SplunkForwarderRepairKit\bin\restart.ps1"
+
+### GUID regneration scripts
+[script://./bin/regenGUID.sh]
+disabled = 1
+index = _internal
+sourcetype = regen_guid:output
+interval = -1
+source = regen_guid_output
+
+[powershell://regenGUID]
+disabled = 1
+index = _internal
+sourcetype = regen_guid:output
+interval = -1
+source = regen_guid_output
+script = . "$SplunkHome\etc\apps\SplunkForwarderRepairKit\bin\regenGUID.ps1"
+
+### Host/Server correction scripts
+[script://./bin/hostCorrect.sh]
+disabled = 1
+index = _internal
+sourcetype = host_rename:output
+interval = -1
+source = host_rename_output
+
+[powershell://hostCorrect]
+disabled = 1
+index = _internal
+sourcetype = host_rename:output
+interval = -1
+source = host_rename_output
+script = . "$SplunkHome\etc\apps\SplunkForwarderRepairKit\bin\hostCorrect.ps1"
+
+### Local deploymentclient removal scripts
+[script://./bin/dsRemove.sh]
+disabled = 1
+index = _internal
+sourcetype = ds_remove:output
+interval = -1
+source = ds_remove_output
+
+[powershell://dsRemove]
+disabled = 1
+index = _internal
+sourcetype = ds_remove:output
+interval = -1
+source = ds_remove_output
+script = . "$SplunkHome\etc\apps\SplunkForwarderRepairKit\bin\dsRemove.ps1"
+
+### Admin password change scripts
+[script://./bin/pwchange.sh]
+disabled = 1
+index = _internal
+sourcetype = pw_change:output
+interval = -1
+source = pw_change_output
+
+[script://.\bin\pwchange.bat]
+disabled = 1
+index = _internal
+sourcetype = pw_change:output
+interval = -1
+source = pw_change_output
+```
+
+## Use-Cases
+1. Local deployment server configurations
+2. Inputs and server host name configurations
+3. Duplicate forwarder GUIDs
+4. Changing the default password (Version <= 7.1.0)
+
+###### Remove local deployment server configurations
+Early in a deployment of Splunk, local configurations could be used while getting fmailiar with how Splunk works. These configurations may last for a while and cause issues down the road like if a new deployment server is stood up or an IP address changes.
+
+This app contains scripts for Windows and Linux forwarders that will remove local configurations of "deploymentclient.conf" in favor of a coniguration that has been deployed from the deployment server. This allows for that configuration to only be controlled via the deployment server from that point forward.
+
+Windows - `dsRemove.ps1`
+\*Nix - `dsRemove.sh`
+
+###### Correct inputs/server hostname configurations
+Many times we've come across an envionment where hundreds of forwarders are reporting with the same name and forwarder GUID. This usually happens when an image template isn't properly maintained after a fowarder has been embedded in it.
+
+This app contains scripts for Windows and Linux forwarders that will determine if correction is necessary in the local "inputs.conf" and "server.conf" and correct them. The scripts are designed to only change what is needed and leave the rest of the files unchanged.
+
+Windows - `hostCorrect.ps1`
+\*Nix - `hostCorrect.sh`
+
+###### Regenerate forwarder GUID
+Another by-product of the previous use-case is forwarder GUIDs all being the same. While this doesn't affect how a forwarder performs its duties, unique GUIDs ensures if hosts have the same name they are still uniquely idenitifiable for troubleshooting purposes.
+
+This app contains scripts for Windows and Linux forwarders that will move the existing "instance.cfg" to become a backup and restart the forwarder. Upon restarting, a new GUID will be generated.
+
+Windows - `regenGUID.ps1`
+\*Nix - `regenGUID.sh`
+
+###### Update default 'changeme' password on Splunk Forwarders (before 7.1.0)
+Forwarders deployed before version 7.1.0 didn't require the admin password be changed upon installation. Starting at 7.1.0, the forwarders required either a user-seed file or manual input of the password during first-time run. While the REST API of the fowrwarder is not configured to allow POST requests until the password is changed on versions prior to 7.1.0, changing the password is still recommended.
+
+This app contains scripts for Windows and Linux forwarders that will allow either a static password or random password to be configured. By default, a random password is generated and printed into the log which is sent back to Splunk.
+
+Windows - `pwchange.bat`
+\*Nix - `pwchange.sh`
+
+## Restarting the Forwarder
+Because most of these use-cases require the forwarders be restarted, an additional script has been introduced that takes the outcome of each of the scripts used and determines if a restart is required. Each script is designed to create an empty file that the restart script uses to determine if a restart is necessary. If the restart script finds one of the files used to trigger a restart, it removes them and should keep the system clean of unnecessary files.
+
+Windows - `restart.ps1`
+\*Nix - `restart.sh`
@@ -0,0 +1,31 @@
+@echo off
+
+REM Define checkpoint varaible
+SET CHECKPOINT=%SPLUNK_HOME%\etc\ds_changed
+
+REM Look for the checkpoint file and decide to exit or continue
+IF EXIST "%CHECKPOINT%" (
+	goto NOCHANGE
+) ELSE (
+	goto CHANGE
+)
+
+REM Remove "deploymentclient.conf" from $SPLUNK_HOME\etc\system\local
+:CHANGE
+IF NOT EXIST "%CHECKPOINT%" ( 
+del /q "%SPLUNK_HOME%\etc\system\local\deploymentclient.conf"
+) ELSE (
+	goto FAILED
+)
+
+REM Create the checkpoint file and log success
+:SUCCESS
+echo %date% %time% %HOST%: Deploymentclient.conf removed from local system. > "%CHECKPOINT%"
+echo %date% %time% %HOST%: Deploymentclient.conf removed from local system.
+exit
+
+REM Log that the deploymentclient.conf was already removed and exit
+:NOCHANGE
+echo %date% %time% %HOST%: Deploymentclient.conf removed from local system. > "%CHECKPOINT%"
+echo %date% %time% %HOST%: Deploymentclient.conf already removed from local system.
+exit
@@ -0,0 +1,19 @@
+### Configure file paths for the system
+$LOCAL = {$(Test-Path "$SPLUNKHOME\etc\system\local\deploymentclient.conf")}
+$DEPLOYED = {$(Test-Path "$SPLUNKHOME\etc\apps\*\*\deploymentclient.conf")}
+$RESTART_CHECK = "$SPLUNKHOME\etc\restartds.txt"
+
+### Filter to attach timestamps where necessary
+filter timestamp {"$(Get-Date -Format 'yyyy-MM-dd HH:mm:ss.fff') ${env:COMPUTERNAME}: $_"}
+
+### Check to see if there is a deploymentclient.conf file under $SPLUNK_HOME\etc\apps and bail out if there isn't
+if ($DEPLOYED -eq "False") {
+    Write-output "No deploymentclient.conf detected in \$SPLUNK_HOME\etc\apps. Bailing out so the fowarder doesn't get orphaned." | timestamp
+} elseif ($LOCAL -eq "True") {
+    ### Remove the local "deploymentclient.conf" and flag
+    Write-output "Removed deploymentclient.conf from local system." | timestamp
+    Remove-Item -Path "$LOCAL"
+    Out-File -FilePath "$RESTART_CHECK"
+} else { 
+    Write-output "No deploymentclient.conf correction necessary." | timestamp
+}
@@ -0,0 +1,18 @@
+#!/bin/bash
+### Look for a deploymentclient.conf file in the apps directory and define the path to the restartds.txt file
+DEPLOYED_APP=$(find $SPLUNK_HOME/etc/apps -type f -name deploymentclient.conf | wc -l)
+LOCAL=$(find $SPLUNK_HOME/etc/system/local -type f -name deploymentclient.conf | wc -l)
+RESTART_CHECK=$SPLUNK_HOME/etc/restartds.txt
+
+### Check variables and take action accordingly
+if [ $DEPLOYED_APP = "0" ]; then
+        echo $(date -R) $HOSTNAME: No deploymentclient.conf detected in \$SPLUNK_HOME/etc/apps. Bailing out so the fowarder doesn\'t get orphaned.
+        exit
+elif [ $LOCAL = "1" ]; then
+		# Remove the deploymentclient.conf from $SPLUNK_HOME/etc/system/local
+		rm -f $SPLUNK_HOME/etc/system/local/deploymentclient.conf > /dev/null 2>&1
+		echo $(date -R) $HOSTNAME: Removed deploymentclient.conf from local system.
+		touch $RESTART_CHECK
+else
+		echo $(date -R) $HOSTNAME: No deploymentclient.conf correction necessary.
+fi
@@ -0,0 +1,42 @@
+### Capture current values for forwarder and configure file path variables for the system
+$SPLUNK_LOCAL = "$SPLUNKHOME\etc\system\local"
+$currentHost = Select-String $SPLUNK_LOCAL\inputs.conf -pattern "host = ([^$]+)" | Foreach-Object {$_.Matches} | Foreach-Object {$_.Groups[1].Value}
+$currentServer = Select-String $SPLUNK_LOCAL\server.conf -pattern "serverName = ([^$]+)" | Foreach-Object {$_.Matches} | Foreach-Object {$_.Groups[1].Value}
+$restartInputCheck = "$SPLUNKHOME\etc\restartinput.txt"
+$restartServerCheck = "$SPLUNKHOME\etc\restartserver.txt"
+
+### Filter to attach timestamps where necessary
+filter timestamp {"$(Get-Date -Format 'yyyy-MM-dd HH:mm:ss.fff') ${env:COMPUTERNAME}: $_"}
+
+### Compare values to actual host value and flag accordingly
+if (-not ($currentHost -eq $env:COMPUTERNAME)){
+    $correctHost="1"
+} else {
+    $correctHost="0"
+}
+
+if (-not ($currentServer -eq $env:COMPUTERNAME)){
+    $correctServer="1"
+} else {
+    $correctServer="0"
+}
+
+### Check flags and take appropriate actions for host name
+if ($correctHost -eq "1") {
+    Write-output "Currently configured host name: $currentHost. Reconfiguring inputs.conf..." | timestamp
+    Copy-Item -Path "$SPLUNK_LOCAL\inputs.conf" -Destination "$SPLUNK_LOCAL\inputs_$(Get-Date -Format 'MMddyyyy').bak"
+    (Get-Content -path $SPLUNK_LOCAL\inputs.conf -Raw) -replace $currentHost,$env:COMPUTERNAME | Set-Content $SPLUNK_LOCAL\inputs.conf
+    Out-File -FilePath "$restartInputCheck"
+} else {
+    Write-output "Currently configured host name: $currentHost. No correction necessary..."  | timestamp
+}
+
+### Check flags and take appropriate actions for server name
+if ($correctServer -eq "1") {
+    Write-output "Currently configured server name: $currentServer. Reconfiguring server.conf..." | timestamp
+    Copy-Item -Path "$SPLUNK_LOCAL\server.conf" -Destination "$SPLUNK_LOCAL\server_$(Get-Date -Format 'MMddyyyy').bak"
+    (Get-Content -path $SPLUNK_LOCAL\server.conf -Raw) -replace $currentServer,$env:COMPUTERNAME | Set-Content $SPLUNK_LOCAL\server.conf
+    Out-File -FilePath "$restartServerCheck"
+} else {
+    Write-output "Currently configured server name: $currentServer. No correction necessary..." | timestamp
+}
@@ -0,0 +1,24 @@
+#!/bin/bash
+### Capture the existing host and serverName values and define path to restart checkpoint file
+INPUTS_FILE=$SPLUNK_HOME/etc/system/local/inputs.conf
+SERVER_FILE=$SPLUNK_HOME/etc/system/local/server.conf
+CURRENT_HOST=$(cat $INPUTS_FILE | grep "host =" | awk '{printf $3}')
+CURRENT_SERVER=$(cat $SERVER_FILE | grep "serverName =" | awk '{printf $3}')
+RESTART_INPUT_CHECK="$SPLUNK_HOME/etc/restartinput.txt"
+RESTART_SERVER_CHECK="$SPLUNK_HOME/etc/restartserver.txt"
+
+### Compare those values and correct if necessary
+if [ $CURRENT_HOST = $HOSTNAME ]; then
+	echo "$(date +"%Y-%m-%d %H:%M:%S.%3N") ${HOSTNAME}: Currently configured host name: $CURRENT_HOST. No correction necessary..."
+else
+	echo "$(date +"%Y-%m-%d %H:%M:%S.%3N") ${HOSTNAME}: Currently configured host name: $CURRENT_HOST. Reconfiguring inputs.conf..."
+	cp $INPUTS_FILE $INPUTS_FILE.$(date +"%m%d%Y")
+	touch $RESTART_INPUT_CHECK
+fi
+if [ $CURRENT_SERVER = $HOSTNAME ]; then
+	echo "$(date +"%Y-%m-%d %H:%M:%S.%3N") ${HOSTNAME}: Currently configured server name: $CURRENT_SERVER. No correction necessary..."
+else
+	echo "$(date +"%Y-%m-%d %H:%M:%S.%3N") ${HOSTNAME}: Currently configured server name: $CURRENT_SERVER. Reconfiguring inputs.conf..."
+	cp $SERVER_FILE $SERVER_FILE.$(date +"%m%d%Y")
+	touch $RESTART_SERVER_CHECK
+fi
@@ -0,0 +1,78 @@
+@echo off
+REM Define the original and new passwords here. To use automatic password generation, change NEWPASS to 'auto'
+SET OLDPASS=changeme
+SET NEWPASS=auto
+
+REM Settings for automatic password generation. Not used if NEWPASS is not set to 'auto'
+Setlocal EnableDelayedExpansion
+SET _RNDLength=16
+SET _Alphanumeric=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789
+SET _Str=%_Alphanumeric%987654321
+
+REM Other variables relating to the checkpoint file and the path to test login and hostname for logging
+SET CHECKPOINT=%SPLUNK_HOME%\etc\pwd_changed
+SET LOGIN_COMMAND="%SPLUNK_HOME%\bin\splunk.exe" login -auth admin:%OLDPASS%
+FOR /F "usebackq" %%i IN (`hostname`) DO SET HOST=%%i
+
+REM Look for the checkpoint file and decide to error or continue
+IF EXIST "%CHECKPOINT%" (
+	goto NOCHANGE
+) ELSE IF "%NEWPASS%"=="auto" (
+	goto AUTOCHANGE
+) ELSE (
+	goto CHANGE
+)
+
+REM Attempt to login to local Splunk account. If successful, generate a new password and change it.
+:AUTOCHANGE
+FOR /F "tokens=2 usebackq" %%C in (`%LOGIN_COMMAND%`) DO SET LOGIN=%%C  
+:_LenLoop
+IF NOT "%LOGIN%"=="Failed" (
+IF NOT "%_Str:~18%"=="" SET _Str=%_Str:~9%& SET /A _Len+=9& GOTO :_LenLoop
+SET _tmp=%_Str:~9,1%
+SET /A _Len=_Len+_tmp
+Set _count=0
+SET NEWPASS=
+:_loop
+Set /a _count+=1
+SET _RND=%Random%
+Set /A _RND=_RND%%%_Len%
+SET NEWPASS=!NEWPASS!!_Alphanumeric:~%_RND%,1!
+If !_count! lss %_RNDLength% goto _loop
+"%SPLUNK_HOME%\bin\splunk.exe" edit user admin -password "%NEWPASS%" >NUL
+	goto AUTOSUCCESS
+) ELSE (
+	goto FAILED
+)
+
+REM Attempt to login to local Splunk account. If successful, generate a new password and change it.
+:CHANGE
+FOR /F "tokens=2 usebackq" %%C in (`%LOGIN_COMMAND%`) DO SET LOGIN=%%C 
+IF NOT "%LOGIN%"=="Failed" (
+"%SPLUNK_HOME%\bin\splunk.exe" edit user admin -password "%NEWPASS%" >NUL
+	goto SUCCESS
+) ELSE (
+	goto FAILED
+)
+
+REM Create the checkpoint file and log success. This will print the password in the log message passed back to Splunk.
+:AUTOSUCCESS
+echo %date% %time% %HOST%: Splunk account password successfully changed. > "%CHECKPOINT%"
+echo %date% %time% %HOST%: Splunk account password successfully changed. Automatic password: %NEWPASS%
+exit
+
+REM Create the checkpoint file and log success.
+:SUCCESS
+echo %date% %time% %HOST%: Splunk account password successfully changed. > "%CHECKPOINT%"
+echo %date% %time% %HOST%: Splunk account password successfully changed.
+exit
+
+REM Login failure
+:FAILED
+echo %date% %time% %HOST%: Splunk account login failed. Old password is not correct for this host.
+exit
+
+REM Log that the checkpoint file exists
+:NOCHANGE
+echo %date% %time% %HOST%: Splunk account password was already changed.
+exit
@@ -0,0 +1,30 @@
+#!/bin/bash
+# Define the original and new passwords here. To have a password automatically generated, set NEWPASS to 'auto'
+OLDPASS=changeme
+NEWPASS=auto
+
+# Look for the checkpoint file and error out if it exists
+if [ -f $SPLUNK_HOME/etc/pwd_changed ]
+then
+        echo $(date -R) $HOSTNAME: Splunk account password was already changed.
+        exit
+fi
+
+if [ "$NEWPASS" = "auto" ]
+then
+	NEWPASS=$(head -c 500 /dev/urandom | sha256sum | base64 | head -c 16 ; echo)
+	NEWPASSAUTO=$(echo Automatic password: $NEWPASS)
+fi
+
+# Change the password
+$SPLUNK_HOME/bin/splunk edit user admin -password $NEWPASS -auth admin:$OLDPASS > /dev/null 2>&1
+
+# Check splunkd.log for any error messages relating to login during the script and determine whether the change was successful or not
+CHANGED=$(tail -n 10 $SPLUNK_HOME/var/log/splunk/splunkd.log | grep pwchange | grep Login)
+if [ -z "$CHANGED" ]
+then
+	echo $(date -R) $HOSTNAME: Splunk account password successfully changed. $NEWPASSAUTO
+	echo $(date -R) $HOSTNAME: Splunk account password successfully changed. > $SPLUNK_HOME/etc/pwd_changed
+else
+	echo $(date -R) $HOSTNAME: Splunk account login failed. Old password is not correct for this host.
+fi