<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Splunk on Linux making WMI queries to Windows servers in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/Splunk-on-Linux-making-WMI-queries-to-Windows-servers/m-p/51291#M9836</link>
    <description>&lt;P&gt;One other option appears to be some code in ZenOSS.  The ZenOSS folks have apparently taken some Samba code and put together a working WMI client for *nix that does not need a wmimapper.  You might have luck with that .. &lt;A href="http://dev.zenoss.com/trac/log/trunk/wmi/"&gt;http://dev.zenoss.com/trac/log/trunk/wmi/&lt;/A&gt;&lt;/P&gt;</description>
    <pubDate>Thu, 16 Sep 2010 02:33:33 GMT</pubDate>
    <dc:creator>dwaddle</dc:creator>
    <dc:date>2010-09-16T02:33:33Z</dc:date>
    <item>
      <title>Splunk on Linux making WMI queries to Windows servers</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Splunk-on-Linux-making-WMI-queries-to-Windows-servers/m-p/51287#M9832</link>
      <description>&lt;P&gt;I have Splunk running on a Linux server and I need to index WMI-based events, like perfmon data, from my Windows servers, but I am not allowed to install Splunk as a Forwarder on my Windows boxes.&lt;/P&gt;

&lt;P&gt;Therefore, I was wondering if anyone has successfully used a WBEM type client on Linux to do this (i.e. similar to how Cacti does it, I think) or if anyone is aware of some other similar type workaround for Linux that would allow me to make the proper remote WMI calls to my Windows servers to get the perfmon info I need?&lt;/P&gt;</description>
      <pubDate>Wed, 15 Sep 2010 23:50:47 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Splunk-on-Linux-making-WMI-queries-to-Windows-servers/m-p/51287#M9832</guid>
      <dc:creator>maverick</dc:creator>
      <dc:date>2010-09-15T23:50:47Z</dc:date>
    </item>
    <item>
      <title>Re: Splunk on Linux making WMI queries to Windows servers</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Splunk-on-Linux-making-WMI-queries-to-Windows-servers/m-p/51288#M9833</link>
      <description>&lt;P&gt;Can you install just one Windows machine w/ a Splunk forwarder on it, and use it as a bridgehead to perform WMI queries against all of your other Windows machines?  It may be a lot less work than trying to build something using a generic WBEM client on Linux.&lt;/P&gt;</description>
      <pubDate>Thu, 16 Sep 2010 00:09:04 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Splunk-on-Linux-making-WMI-queries-to-Windows-servers/m-p/51288#M9833</guid>
      <dc:creator>dwaddle</dc:creator>
      <dc:date>2010-09-16T00:09:04Z</dc:date>
    </item>
    <item>
      <title>Re: Splunk on Linux making WMI queries to Windows servers</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Splunk-on-Linux-making-WMI-queries-to-Windows-servers/m-p/51289#M9834</link>
      <description>&lt;P&gt;Yes, and I've done that. However, in this specific use case, I am NOT allowed to install Splunk on Windows. Therefore, I'm just curious about any workarounds, even if temporary.&lt;/P&gt;</description>
      <pubDate>Thu, 16 Sep 2010 00:33:53 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Splunk-on-Linux-making-WMI-queries-to-Windows-servers/m-p/51289#M9834</guid>
      <dc:creator>maverick</dc:creator>
      <dc:date>2010-09-16T00:33:53Z</dc:date>
    </item>
    <item>
      <title>Re: Splunk on Linux making WMI queries to Windows servers</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Splunk-on-Linux-making-WMI-queries-to-Windows-servers/m-p/51290#M9835</link>
      <description>&lt;P&gt;It looks like the Cacti guys are depending on at least one Windows bridgehead node.  WMI is WBEM, but in normal Microsoft fashion, it's also not.  The difference is the transport.  "Normal" WBEM uses a vanilla TCP port, while WMI uses DCOM.  It looks like there is a moderately popular WBEM/WMI proxy server called 'wmimapper' ( &lt;A href="http://tinyurl.com/34c4mwh"&gt;http://tinyurl.com/34c4mwh&lt;/A&gt; ) that bridges the TCP/DCOM gap for you.  This is what Cacti and some of HP's system management software use.  Of course, it needs to run on a Windows machine to be able to speak DCOM.&lt;/P&gt;</description>
      <pubDate>Thu, 16 Sep 2010 02:25:16 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Splunk-on-Linux-making-WMI-queries-to-Windows-servers/m-p/51290#M9835</guid>
      <dc:creator>dwaddle</dc:creator>
      <dc:date>2010-09-16T02:25:16Z</dc:date>
    </item>
    <item>
      <title>Re: Splunk on Linux making WMI queries to Windows servers</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Splunk-on-Linux-making-WMI-queries-to-Windows-servers/m-p/51291#M9836</link>
      <description>&lt;P&gt;One other option appears to be some code in ZenOSS.  The ZenOSS folks have apparently taken some Samba code and put together a working WMI client for *nix that does not need a wmimapper.  You might have luck with that .. &lt;A href="http://dev.zenoss.com/trac/log/trunk/wmi/"&gt;http://dev.zenoss.com/trac/log/trunk/wmi/&lt;/A&gt;&lt;/P&gt;</description>
      <pubDate>Thu, 16 Sep 2010 02:33:33 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Splunk-on-Linux-making-WMI-queries-to-Windows-servers/m-p/51291#M9836</guid>
      <dc:creator>dwaddle</dc:creator>
      <dc:date>2010-09-16T02:33:33Z</dc:date>
    </item>
    <item>
      <title>Re: Splunk on Linux making WMI queries to Windows servers</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Splunk-on-Linux-making-WMI-queries-to-Windows-servers/m-p/51292#M9837</link>
      <description>&lt;P&gt;Overall, it's far, far more trouble than it's worth. As dwaddle points out, you need either a native WMI mapper, or a WBEM client on the local Windows box (how that isn't as or more invasive than our or another agent is unclear). &lt;/P&gt;

&lt;P&gt;If for some reason you did go down the WBEM mapper route, there is also OpenPegasus. &lt;A href="http://www.openpegasus.org/" rel="nofollow"&gt;http://www.openpegasus.org/&lt;/A&gt; At least then you could write a scripted input from the command line using wbemmapper. &lt;/P&gt;

&lt;P&gt;Note that you still need a PAM or other form of cross-compatible authentication as well for your Linux box to communicate with the box. Note that later versions of Windows (2008, W7) will have to have their security severely degraded significantly. &lt;/P&gt;</description>
      <pubDate>Thu, 14 Oct 2010 01:09:38 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Splunk-on-Linux-making-WMI-queries-to-Windows-servers/m-p/51292#M9837</guid>
      <dc:creator>cervelli</dc:creator>
      <dc:date>2010-10-14T01:09:38Z</dc:date>
    </item>
    <item>
      <title>Re: Splunk on Linux making WMI queries to Windows servers</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Splunk-on-Linux-making-WMI-queries-to-Windows-servers/m-p/51293#M9838</link>
      <description>&lt;P&gt;I was able to compile the wmic source code from zenoss on my indexing server and I can pull WMI data using something like:&lt;/P&gt;

&lt;P&gt;wmic -U 'USER%PASS' //WINDOWS-SERVER "select * from win32_service"&lt;/P&gt;

&lt;P&gt;Running that script will pull down a number of lines looking like:&lt;/P&gt;

&lt;P&gt;CLASS: Win32_Service
AcceptPause|AcceptStop|Caption|CheckPoint|CreationClassName|Description|DesktopInteract|DisplayName|ErrorControl|ExitCode|InstallDate|Name|PathName|ProcessId|ServiceSpecificExitCode|ServiceType|Started|StartMode|StartName|State|Status|SystemCreationClassName|SystemName|TagId|WaitHint
False|True|Operations Manager Audit Forwarding Service|0|Win32_Service|Sends events to a collector for storage in a SQL database.|False|Operations Manager Audit Forwarding Service|Normal|0|(null)|AdtAgent|C:\WINDOWS\system32\AdtAgent.exe|1304|0|Own Process|True|Auto|NT AUTHORITY\NetworkService|Running|OK|Win32_ComputerSystem|WINDOWS-SERVER|0|0&lt;/P&gt;

&lt;P&gt;The only issue I have at this point is finding a way to actually make this information useful inside Splunk. Right now it's just the big jumble that you see above (with more lines of logging). I tried installing the Windows App, but that did not seem to do anything useful to the data.&lt;/P&gt;</description>
      <pubDate>Thu, 10 Mar 2011 05:39:44 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Splunk-on-Linux-making-WMI-queries-to-Windows-servers/m-p/51293#M9838</guid>
      <dc:creator>jeffwarn</dc:creator>
      <dc:date>2011-03-10T05:39:44Z</dc:date>
    </item>
  </channel>
</rss>

