- Apps and Add-ons
- :
- All Apps and Add-ons
- :
- Re: Splunk Add-on for Microsoft Windows | How to a...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Splunk Add-on for Microsoft Windows | How to add all the hosts without listing each for remote windows host monitoring via WMI?
Splunk is at Windows Server 2012 with admin role, i'm trying to collect remote logs via WMI.
Splunk Add-on for Microsoft Windows
My stesp:
add data => remote event logs => collect the same set of logs from additional hosts
in paragraph 9 of Configure remote event log monitoring http://docs.splunk.com/Documentation/Splunk/7.1.1/Data/MonitorWindowseventlogdata
said that i must Separate multiple machines with commas. but writing each of them takes a lot of time and they often change.
how to add all the hosts without listing each.
i can't put "*", i cant put net/subnet.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That's just one of the reasons why using WMI isn't exactly recommended for larger (and dynamic) environments.
Ideally, you would use your existing software deployment tooling (e.g. Microsoft SCCM or whatever your organization uses) to install a Splunk Universal Forwarder on each system that needs to be monitored and then use a Deployment Server to manage the configuration of all those UFs.
An alternative could be to look at Windows Event Forwarding, which is a Windows built in mechanism that can be configured through GPOs, for forwarding events from all your windows hosts to a select set of so called Collectors and then install a splunk forwarder on those collectors to send the data into splunk. But both in scalability and data quality this solution is inferior to using UFs on each windows system.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
thanks for the answer, but using UF for each users workstation is not a good solution either.
I also understand that WMI is a bad tone rule.
but the question about adding a large number of devices in the field "collect the same set of logs from additional hosts"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sorry, I realize I didn't really answer your question. But the basic answer is no, you would have to specify each individual host in that field. WMI config needs to be specified on a host by host basis (which is why it isn't very practical in large (dynamic) environments etc.).
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
