I'm trying to configure Splunk to collect system and security logs via WMI from workstations. I don't know who is at work and who is away, and it's a fairly large estate (512 IP addresses) of which maybe only 50% may be switched on at any one time. They are all mostly off at night.
Looking at the settings stanza for wmi.conf I see:

[settings]
* The settings stanza specifies various runtime parameters.
* The entire stanza and every parameter within it is optional.
* If the stanza is missing, Splunk assumes system defaults.

initial_backoff =
* How long to wait (in seconds) before retrying the connection to the WMI provider after the first connection error.
* If connection errors continue, the wait time doubles until it reaches max_backoff.
* Defaults to 5.

max_backoff =
* Maximum time (in seconds) to attempt reconnect.
* Defaults to 20.

max_retries_at_max_backoff =
* Try to reconnect this many times once max_backoff is reached.
* If reconnection fails after max_retries, give up forever (until restart).
* Defaults to 2.
Which (if I understand it correctly) means it will retry each IP as follows:

5s, 10s, 20s, 20s, 20s, then give up forever.

Which is obviously useless, as any machine that is off overnight will be given up on forever. Am I reading this right? Is there any way around it?
I think your logic is sound. Hence if you set
max_retries_at_max_backoff = 10000
you should be fine.
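To check the arithmetic behind that advice, here is an added example (not from this thread and not Splunk's own code) that models the reconnect schedule as the poster reads the spec and works out how long one unreachable host is retried before it is abandoned until restart. It assumes the poster's interpretation that the first attempt at max_backoff plus max_retries_at_max_backoff further attempts precede the give-up; the 14-hour "overnight" figure is a constructed sample value.

```python
# Added example (not from the thread or from Splunk): a model of the wmi.conf
# reconnect schedule as the original poster reads it, used to check how long
# Splunk keeps retrying one unreachable host before giving up until restart.
from dataclasses import dataclass


@dataclass
class WmiBackoff:
    # Defaults are the values quoted from the wmi.conf spec above.
    initial_backoff: int = 5
    max_backoff: int = 20
    max_retries_at_max_backoff: int = 2

    def schedule(self):
        """Seconds waited before each successive reconnect attempt to one
        WMI provider: start at initial_backoff, double until max_backoff is
        reached, then (assumption: the poster's reading) make the attempt at
        max_backoff plus max_retries_at_max_backoff further attempts, then
        give up until the next Splunk restart."""
        waits = []
        wait = self.initial_backoff
        while wait < self.max_backoff:
            waits.append(wait)
            wait = min(wait * 2, self.max_backoff)
        waits.extend([self.max_backoff] * (1 + self.max_retries_at_max_backoff))
        return waits

    def seconds_until_give_up(self):
        """Total time an offline host is retried before being abandoned."""
        return sum(self.schedule())

    def outlasts_outage(self, outage_hours):
        """True if retries continue for at least the given outage length,
        i.e. a workstation that is off for that long is not given up on."""
        return self.seconds_until_give_up() >= outage_hours * 3600


def compare(overnight_hours=14):
    """Constructed check: defaults vs the suggested max_retries_at_max_backoff."""
    default = WmiBackoff()
    tuned = WmiBackoff(max_retries_at_max_backoff=10000)
    return {
        "default_schedule": default.schedule(),
        "default_seconds": default.seconds_until_give_up(),
        "default_survives_night": default.outlasts_outage(overnight_hours),
        "tuned_hours": tuned.seconds_until_give_up() / 3600,
        "tuned_survives_night": tuned.outlasts_outage(overnight_hours),
    }


if __name__ == "__main__":
    print(compare())
```

With the defaults the host is dropped after 75 seconds; with max_retries_at_max_backoff = 10000 the retries run for roughly 55 hours, which is what makes the suggested value cover a night.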
We've not been able to get this to work reliably, even splitting the collection up into groups of 50 IPs, so we are switching to a lightweight forwarder approach.
Will this wait for 10000 backoff limits before trying the next IP address? Or are the requests sent concurrently?
Not sure if there is a maximum amount that you should use, but if the docs do not say, I take it there is not.