Splunk Add-on for Microsoft Windows | How to add all the hosts without listing each for remote windows host monitoring via WMI?

virchenko
Explorer

Splunk is on Windows Server 2012 with an admin role; I'm trying to collect remote logs via WMI.
Splunk Add-on for Microsoft Windows

My steps:
Add Data => Remote event logs => Collect the same set of logs from additional hosts

In paragraph 9 of Configure remote event log monitoring (http://docs.splunk.com/Documentation/Splunk/7.1.1/Data/MonitorWindowseventlogdata)
it says that I must "Separate multiple machines with commas", but writing each of them takes a lot of time and they often change.
How do I add all the hosts without listing each?
I can't put "*", and I can't put a net/subnet.

0 Karma

FrankVl
Ultra Champion

That's just one of the reasons why using WMI isn't exactly recommended for larger (and dynamic) environments.

Ideally, you would use your existing software deployment tooling (e.g. Microsoft SCCM or whatever your organization uses) to install a Splunk Universal Forwarder on each system that needs to be monitored and then use a Deployment Server to manage the configuration of all those UFs.

An alternative could be to look at Windows Event Forwarding, which is a Windows built-in mechanism that can be configured through GPOs, for forwarding events from all your Windows hosts to a select set of so-called Collectors, and then install a Splunk forwarder on those collectors to send the data into Splunk. But both in scalability and data quality this solution is inferior to using UFs on each Windows system.

0 Karma

virchenko
Explorer

Thanks for the answer, but using a UF for each user's workstation is not a good solution either.
I also understand that WMI is bad form.
But the question is about adding a large number of devices in the field "collect the same set of logs from additional hosts".

0 Karma

FrankVl
Ultra Champion

Sorry, I realize I didn't really answer your question. But the basic answer is no, you would have to specify each individual host in that field. WMI config needs to be specified on a host-by-host basis (which is why it isn't very practical in large (dynamic) environments etc.).

0 Karma
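Since the field (and the underlying wmi.conf stanza) has to list every host by name, one way to keep that list current without typing it is to generate it from Active Directory. The script below is an added example, not code from the thread or from the Splunk add-on; it assumes the RSAT ActiveDirectory module is installed on the Splunk host, and the OU, app name and output path are placeholders.

```powershell
# Added example: build the comma-separated 'server' list of a wmi.conf stanza
# from Active Directory instead of maintaining it by hand.
# Assumptions: RSAT ActiveDirectory module present; the OU and output path are
# placeholders; the account has read access to AD and write access to $SPLUNK_HOME.
Import-Module ActiveDirectory

$SearchBase = 'OU=Workstations,DC=example,DC=local'                        # placeholder OU
$OutFile    = 'C:\Program Files\Splunk\etc\apps\wmi_hosts\local\wmi.conf'  # placeholder path

# Enabled Windows computers only; sort and de-duplicate so the list is stable
# between runs and a scheduled re-run produces a predictable diff.
$hosts = Get-ADComputer -Filter { Enabled -eq $true -and OperatingSystem -like 'Windows*' } `
                        -SearchBase $SearchBase -Properties OperatingSystem |
         Select-Object -ExpandProperty DNSHostName |
         Where-Object { $_ } |
         Sort-Object -Unique

if (-not $hosts) { throw "No hosts found under $SearchBase; wmi.conf not written." }

# wmi.conf stanza keys (server, interval, event_log_file, disabled) are Splunk's;
# the stanza name is a placeholder. 'interval' is the polling interval in seconds.
$stanza = @"
[WMI:RemoteEventLogs]
server = $($hosts -join ',')
interval = 10
event_log_file = Application,System,Security
disabled = 0
"@

New-Item -ItemType Directory -Force -Path (Split-Path $OutFile) | Out-Null
Set-Content -Path $OutFile -Value $stanza -Encoding ASCII
Write-Host "Wrote $($hosts.Count) hosts to $OutFile; restart Splunk for the change to take effect."
```

Run it from a scheduled task so newly joined or retired machines are picked up; Splunk still polls each listed host individually, so the scalability limits FrankVl describes remain.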