I have a question about how to get a universal forwarder to send the data I would normally receive from WMI. I am trying to get remote performance monitoring from the universal forwarders. I currently have 3 servers with universal forwarders installed on them and one indexer. After the initial install I can't seem to change any settings on the universal forwarders. Should I add the servers to the event log collection with WMI? And if I were to do that, would the data be sent through the universal forwarders? All of the servers are Windows based.
One more thing: inputs.conf and wmi.conf will both pull Windows Event logs with two different sourcetypes, so you might want to disable one of them to avoid duplicated events. The Windows app dashboard uses input from inputs.conf, so I suggest disabling the inputs from wmi.conf, i.e. events with sourcetypes: [WMI:LocalApplication], [WMI:LocalSystem], [WMI:LocalSecurity]
Are you getting any data at all from the UF to the indexer?
If so, are you trying to use a deployment server to send the WMI configuration to the UF?
If you just want to set up WMI on the three UF systems and they are already sending logs, then just set up a wmi.conf file in the etc/system/local directory. The wmi.conf file will tell the UF what to collect.
Use this type of stanza in the wmi.conf file:

    # Stanza header: the name after "WMI:" is an example, choose your own
    [WMI:CPUTime]
    interval = 5
    disabled = 0
    server = localhost
    wql = SELECT PercentProcessorTime, PercentUserTime FROM Win32_PerfFormattedData_PerfOS_Processor WHERE Name = "_Total"
Yeah, I am receiving data from the UF, just not everything I'm wanting.
By the end of the year we will be using Splunk to monitor over 300 servers so we are just testing and configuring right now.
I will give that a try.
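Added example (not part of the original thread, and not Splunk's own tooling): a small Python check for the duplicate-collection problem mentioned above, where the same Windows Event Log is pulled by both inputs.conf and wmi.conf. The sample configurations are constructed, and the script assumes it is given one inputs.conf and one wmi.conf as text, that a stanza without a `disabled` key is enabled, and it does not merge Splunk's default and local layers.

```python
import configparser

def read_conf(text):
    """Parse INI-style Splunk .conf text into {stanza: {key: value}}."""
    cp = configparser.RawConfigParser(strict=False)
    cp.read_string(text)
    return {name: dict(cp[name]) for name in cp.sections()}

def enabled(stanza):
    # Assumption: a stanza with no "disabled" key is treated as enabled.
    return stanza.get("disabled", "0").strip().lower() not in ("1", "true")

def inputs_event_logs(inputs):
    """Event logs collected directly via [WinEventLog:...] stanzas."""
    logs = set()
    for name, kv in inputs.items():
        if name.startswith("WinEventLog:") and enabled(kv):
            logs.add(name.split(":", 1)[1].lstrip("/").lower())
    return logs

def wmi_event_logs(wmi):
    """Map each event log name to the enabled [WMI:...] stanzas reading it."""
    found = {}
    for name, kv in wmi.items():
        if name.startswith("WMI:") and enabled(kv) and "event_log_file" in kv:
            for log in kv["event_log_file"].split(","):
                found.setdefault(log.strip().lower(), []).append(name)
    return found

def duplicated(inputs_text, wmi_text):
    """Event logs collected twice, with the WMI stanzas to disable."""
    direct = inputs_event_logs(read_conf(inputs_text))
    via_wmi = wmi_event_logs(read_conf(wmi_text))
    return {log: sorted(s) for log, s in via_wmi.items() if log in direct}

# Constructed sample configurations (not taken from a real forwarder).
SAMPLE_INPUTS = ("[WinEventLog://Application]\ndisabled = 0\n"
                 "[WinEventLog://Security]\ndisabled = 0\n"
                 "[WinEventLog://System]\ndisabled = 1\n")
SAMPLE_WMI = ("[WMI:LocalApplication]\nevent_log_file = Application\ndisabled = 0\n"
              "[WMI:LocalSystem]\nevent_log_file = System\ndisabled = 0\n"
              "[WMI:LocalSecurity]\nevent_log_file = Security\ndisabled = 1\n"
              "[WMI:CPUTime]\ninterval = 5\ndisabled = 0\n"
              "wql = SELECT PercentProcessorTime FROM "
              "Win32_PerfFormattedData_PerfOS_Processor WHERE Name = \"_Total\"\n")

if __name__ == "__main__":
    for log, stanzas in duplicated(SAMPLE_INPUTS, SAMPLE_WMI).items():
        print(f"{log}: also collected by {', '.join(stanzas)}; disable one side")
```

Performance stanzas such as the WQL query are ignored because they carry no `event_log_file` key, so only genuine event log overlap is reported.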