topic Re: Monitor Windows event log via WMI to splunk in Getting Data In

Monitor Windows event log via WMI to splunk

splk_user — Fri, 16 Jun 2023 08:26:00 GMT

Hi,

Is it possible to monitor Windows event log via WMI to splunk instead of using Universal Forwarder?

if yes, how can i configure this communication.

Thanks.

Re: Monitor Windows event log via WMI to splunk

gcusello — Fri, 16 Jun 2023 08:37:04 GMT

Hi @splk_user,

yes it's possible even if I try to avoid to use WMI because you must use a domain user to acces the remote systems.

In addition a Universal Forwarder gives you many additional feature like local caching, packets compression, bandwidth optimization, etc...

Anyway, here you can find the procedure to configure a WMI input: https://docs.splunk.com/Documentation/Splunk/9.0.5/Data/MonitorWMIdata

Ciao.

Giuseppe

Re: Monitor Windows event log via WMI to splunk

PickleRick — Fri, 16 Jun 2023 09:10:45 GMT

You can use WMI to pull EventLog from remote computer but you sitll have to install that windows splunk component which will be doing the pulling (UF or HF) somewhere.

There are several methods of collecting windows EventLogs.

The easiest and most straightforward way is to install UF on a monitored server and pull events directly from local eventlog. But it might create issues of scalability and windows admins might not be thrilled if you want to install third-party tools on domain controllers or other important servers.

Another relatively well working idea is to use Windows Event Forwarding (easy to set up in a domain environment, can be also confuigured in domainless setup but then it gets complicated but still possible) and pull windows from a central eventlog collector. I use it quite a lot. Be aware of possible performance issues as you scale horizontally too far.

WMI can be used to pull from remote computers but that's generally a last resort solution. Performance is not very good, you _must_ run the UF with domain account (which implies that it can only be used in domain environment) and there are often issues with permissions/privileges so it might be tricky to set up unless you have a very good windows admin team.

The solution which can be used but honestly speaking should never even be considered is using a third party forwarder (typically a syslog one like kiwi, solarwinds or nxlog). This way you might relatively easily get your logs and syslog is easy to receive but the events you get this way will be horribly mangled and not suitable for typical slplunk-side processing (meaning they will not be understandable by TA-windows).