topic Re: WMI Log Collection in Security

WMI Log Collection

ricksimonds — Tue, 13 Jul 2010 02:39:48 GMT

Splunk is installed in a Windows Domain. The service accounts are running as a Domain Admin. The authentication for the Web Manager is LDAP and is logged into using Domain Admin cridentials.

WEBTEST is successful from a cmd line. When I configure remote Windows Log collection via WMI I get the following errors:

07-12-2010 15:08:09.033 ERROR AdminManager - Unexpected error "" from python handler: "winmgmts:{impersonationLevel=impersonate,authenticationLevel=default}//ServerName/.Win32_NTEventlogFile". See splunkd.log for more details. 07-12-2010 15:08:43.745 ERROR ExecProcessor - message from "python "C:\Program Files\Splunk\bin\scripts\splunk-wmi.py"" python: can't open file 'C:\Program Files\Splunk\bin\scripts\splunk-wmi.py': [Errno 2] No such file or directory

Re: WMI Log Collection

gkanapathy — Tue, 13 Jul 2010 02:58:51 GMT

I guess, first of all, does that file C:\Program Files\Splunk\bin\scripts\splunk-wmi.py exist? If so, who owns it, and does the Splunk user have sufficient access all the way up to the file? If you changed the service account after installation, it's likely/probably that some file permissions are too restricted to the original account.

Re: WMI Log Collection

ricksimonds — Wed, 14 Jul 2010 02:35:10 GMT

C:\Program Files\Splunk\bin\scripts\splunk-wmi.py does not exist. I'm a newbie, shouldn't that have been there as part of the install? Where would I find that file or add it to the directory? Thanks

Re: WMI Log Collection

mneethling — Wed, 11 Aug 2010 19:31:55 GMT

The splunk-wmi.py file gets installed when you install the Splunk Windows App. Enable the app from the launcher app.