Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Deploying wmi.conf for windows universal forwarders with deployment-server

dturner83
Path Finder
‎04-22-2012 07:48 AM

I need a little help with the ability to deploy wmi.conf to my clients.

As I understand the wmi.conf must go into the /etc/system/local folder on the windows client. How do I put this file in there OR tell splunk to look in the /etc/apps/[deployment-client app] folder which gets put there properly, for the wmi.conf file?

Splunk 4.3.1 with deployment-server, have about 30 windows universal forwarders with proper serverclass.conf

Tags (2)
Reply
1 Solution
Solved! Jump to solution
Solution

iunderwood
Path Finder
‎07-27-2012 08:13 AM

I apologize for being late to the party, as it were.

Use your deployment server properly and create an app for the WMI stuff. In this case, we'll call it winsvr-localwmi. Place your wmi.conf in the default directory:

$SPLUNK_HOME/etc/apps/deployment-apps/winsvr-localwmi/default

If you don't have the input defined, you'll need an inputs.conf in the same directory:

[script://$SPLUNK_HOME\bin\scripts\splunk-wmi.path]
disabled = 0

Lastly, be sure your universal forwards restart after the change, or you might end up scratching your head. I made a server class for all my Windows machines. Since my Splunk installation is all RHEL, all my Windows boxes are UFs only.

I put this in my serverclass.conf:

[serverClass:Forwarder_Universal_Windows]
blacklist.0 = *
disabled = 0
filterType = blacklist
machineTypes = windows-intel,windows-x64
restartSplunkd = True

Posting this anyway because I hate finding answers more than once. 🙂

View solution in original post

Reply
Solved! Jump to solution
Solution

iunderwood
Path Finder
‎07-27-2012 08:13 AM

I apologize for being late to the party, as it were.

Use your deployment server properly and create an app for the WMI stuff. In this case, we'll call it winsvr-localwmi. Place your wmi.conf in the default directory:

$SPLUNK_HOME/etc/apps/deployment-apps/winsvr-localwmi/default

If you don't have the input defined, you'll need an inputs.conf in the same directory:

[script://$SPLUNK_HOME\bin\scripts\splunk-wmi.path]
disabled = 0

Lastly, be sure your universal forwards restart after the change, or you might end up scratching your head. I made a server class for all my Windows machines. Since my Splunk installation is all RHEL, all my Windows boxes are UFs only.

I put this in my serverclass.conf:

[serverClass:Forwarder_Universal_Windows]
blacklist.0 = *
disabled = 0
filterType = blacklist
machineTypes = windows-intel,windows-x64
restartSplunkd = True

Posting this anyway because I hate finding answers more than once. 🙂

Reply
Solved! Jump to solution

aojie654
Path Finder
‎12-16-2018 09:31 PM

A great idea that work perfectly!

0 Karma
Reply
Solved! Jump to solution

dturner83
Path Finder
‎07-30-2012 01:11 PM

WOW iunderwood this works perfectly. Thank you very much.

Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...