topic Re: Is it possible to use WMI on a Windows universal forwarder and send it to indexers and search heads running Linux? in Getting Data In

Is it possible to use WMI on a Windows universal forwarder and send it to indexers and search heads running Linux?

smvalois — Wed, 01 Oct 2014 18:58:55 GMT

I currently am running splunk enterprise on a Linux Distribution (Red Hat). I am following the guide to import WMI data to splunk, and there is no "Remote event log collections".

Deployment: Linux
Forwarder: Windows 7 (64 bit)

Is it possible to use WMI on a Windows forwarder and send it to indexer / search heads running linux?

Re: Is it possible to use WMI on a Windows universal forwarder and send it to indexers and search heads running Linux?

ekost — Wed, 01 Oct 2014 20:29:07 GMT

Yes, you can use a forwarder to collect data via WMI and send the results to a linux-based Splunk instance. Check the table here for what is required to monitor hosts using WMI. That topic includes a wmi.conf example. The reasons for collecting data via WMI instead of using forwarders must be evaluated and the trade-offs reviewed.

Re: Is it possible to use WMI on a Windows universal forwarder and send it to indexers and search heads running Linux?

smvalois — Thu, 02 Oct 2014 14:00:46 GMT

We operate in an environment where agents are viewed as evil. I do not personally agree with that, but will take the wins where I can get them. According to that table, splunk enterprise must be running on windows. My linux enterprise version does not list "Remote Event Log Collections" as an option under data inputs. Is there an addon I have to install?

Re: Is it possible to use WMI on a Windows universal forwarder and send it to indexers and search heads running Linux?

MuS — Thu, 02 Oct 2014 14:08:27 GMT

Hi,

snip of @ekost's answer: Yes, you can use a forwarder to collect data via WMI and send the results to a linux-based Splunk instance.

Re: Is it possible to use WMI on a Windows universal forwarder and send it to indexers and search heads running Linux?

smvalois — Thu, 02 Oct 2014 15:09:38 GMT

Sorry, I know I sound like a broken record here. The issue is following the instructions to get this setup. The link is here:

http://docs.splunk.com/Documentation/Splunk/6.1.3/Data/MonitorWindowsdata

Under "Configure remote event log monitoring", it says go to Data Inputs and click Remote Event Log Collections. That option is not there. All I have is TCP, UDP, Local File and Scripts. Is there something else I need to install for that to show up?

Re: Is it possible to use WMI on a Windows universal forwarder and send it to indexers and search heads running Linux?

ekost — Thu, 02 Oct 2014 17:41:24 GMT

I'm guessing you attempted to configure Remote event log collections from a linux box.

Here's what I did: Start up an ancient Windows VM, dropped in a copy of Splunk 6.1.4 and ran an install.
Once installed, I went to Settings > Data Inputs and chose Remote event log collections.
I configured a remote connection in the UI, which updates a couple .conf files and restarted the services.
I verified data was coming into the instance.

Now I have a choice:

I can turn my full Splunk instance into a Light or Heavy forwarder, point it at the indexer, and let that instance poll other nodes over WMI and forward the data.
I can collect all the .conf file pieces, and place them into a pre-configred Windows Universal forwarder installation.

You can read about the different forwarders here.
You can review common troubleshooting tips for WMI connections here.

Re: Is it possible to use WMI on a Windows universal forwarder and send it to indexers and search heads running Linux?

smvalois — Thu, 02 Oct 2014 18:42:29 GMT

Thank you, this is similar to the method I used as well. I basically made the WMI.conf file on my windows forwarder (dropping a full version would have probably been much easier).