https://community.splunk.com/t5/Getting-Data-In/On-Windows-can-I-use-different-credentials-to-pull-WinEvents-via/m-p/30534#M5348 <P>Splunk uses the account it runs under to pull remote WMI.</P> <P>You have the following options available for remote WMI at this point:</P> <UL> <LI>In a multi domain scenario you ideally would configure domain or even forest level trust relationships so that your splunk service account can accees remote WMI across domain boundaries.</LI> <LI>In a workgroup scenario you can create accounts on the remote machines that are identically named to the splunk service account and have the same password. Remote WMI will then work with this account.</LI> <LI>You could try to create your own scripted input. For example you could create a PowerShell script that pulls the remote WMI events using credentials different from the splunk service account.</LI> </UL> <P>If domain trusts and in a workgroup scenario identical logins aren't an option, then forwarders, custom scripted inputs, or forwarding the events via syslog (e.g. winlogd) are your only options. Separate WMI credentials within splunk sound like a great ER though.</P> Mon, 16 Aug 2010 22:10:47 GMT ftk 2010-08-16T22:10:47Z https://community.splunk.com/t5/Getting-Data-In/On-Windows-can-I-use-different-credentials-to-pull-WinEvents-via/m-p/30533#M5347 <P>Does Splunk have the ability to use different sets of credentials for different monitoring on Windows? </P> <P>It appears only one credential can be used for WMI to pull Windows events from across the environment and no local credentials can be used. </P> <P>For instance, if I have Windows machines on several different domains as well as local DMZ workgroups, I will probably have one than one user account (they won't all be the same). </P> <P>Also, we may not have the ability to deploy agents out as LWFs, just so you know.</P> Mon, 16 Aug 2010 20:40:25 GMT https://community.splunk.com/t5/Getting-Data-In/On-Windows-can-I-use-different-credentials-to-pull-WinEvents-via/m-p/30533#M5347 maverick 2010-08-16T20:40:25Z https://community.splunk.com/t5/Getting-Data-In/On-Windows-can-I-use-different-credentials-to-pull-WinEvents-via/m-p/30534#M5348 <P>Splunk uses the account it runs under to pull remote WMI.</P> <P>You have the following options available for remote WMI at this point:</P> <UL> <LI>In a multi domain scenario you ideally would configure domain or even forest level trust relationships so that your splunk service account can accees remote WMI across domain boundaries.</LI> <LI>In a workgroup scenario you can create accounts on the remote machines that are identically named to the splunk service account and have the same password. Remote WMI will then work with this account.</LI> <LI>You could try to create your own scripted input. For example you could create a PowerShell script that pulls the remote WMI events using credentials different from the splunk service account.</LI> </UL> <P>If domain trusts and in a workgroup scenario identical logins aren't an option, then forwarders, custom scripted inputs, or forwarding the events via syslog (e.g. winlogd) are your only options. Separate WMI credentials within splunk sound like a great ER though.</P> Mon, 16 Aug 2010 22:10:47 GMT https://community.splunk.com/t5/Getting-Data-In/On-Windows-can-I-use-different-credentials-to-pull-WinEvents-via/m-p/30534#M5348 ftk 2010-08-16T22:10:47Z