Getting Data In

How to enable WMI data collection on a Domain Server

pmelchiori
Explorer

Hi, I have a problem with WMI privileges on a Domain Controller running Win 2003 R2. This is what I did:

  • Added the user to the Performance Log Users and Distributed COM Users domain groups.
  • Added Splunk's user to the Distributed COM Users local group.
  • Enabled all permissions on the WMI tree at root for the Splunk user.
  • No firewall between the PC and the server.

I can't add my special user to the Administrators group, but if I do, everything works correctly.

Are there other Group Policies to enable, or other settings to change? Thanks.


malmoore
Splunk Employee

So I've been working specifically on unraveling the mystery around this, and after a bit of trial and error, this is the solution I have come up with to get it working.

  1. First I made a domain group that will have the access I have assigned. Always better to do this because you never want to assign users to local member server (or domain controller) groups, or hang users directly on ACLs, it's a PITA security-wise and will assuredly bite you in the rear-end later. I'll call this group Splunkers.

  2. Then, I put the Splunk user into this group.

  3. Then, I started assigning permissions.

First place to start: Putting the newly created Splunkers group in the appropriate domain groups (as shown above):

  • Performance Log Users
  • Distributed COM Users

Next: Assign Splunkers some rights. Since this is a domain controller, you need to run the Default Domain Controller Security Settings snap-in (dcpol.msc).

  • Once inside, expand Security Settings, then Local Policies, and finally User Rights Assignment.
  • Assign your new group at least the following rights:
    • Act as part of the operating system
    • Log on as a batch job
    • Log on as a service
    • Replace a process level token

Okay, now you need to set DCOM security. Start up Component Services from Start -> Administrative Tools.

  • Once there, expand Console Root, then Computers, and finally My Computer. Right-click on My Computer and select "Properties..."
  • In the window that appears, click on the COM Security tab.
  • Then, under "Access Permissions," click Edit Limits.
  • Review that the Distributed COM Users group has all items checked under Allow.
  • At this point, you can add your new domain group Splunkers to this list and ensure that they have full Allow access as well, but it is not required, since Splunkers is a member of Distributed COM Users.
  • Once you've reviewed or added the group, click OK to save your changes and be returned back to the COM Security tab.
  • Now, under "Launch and Activation Permissions", click Edit Limits.
  • Like with the "Access Permissions" window, you are presented with a number of groups and permissions. You need to make sure that the Distributed COM Users group has all items checked under Allow.
  • If you want, you can also add the Splunkers group here, and assign full Allow access. It is not required, since Splunkers is already a member of Distributed COM Users.
  • Click OK to save your changes.

All right, next, you need to set WMI namespace security. From the Start menu, select Run..., and in the window that opens, type in wmimgmt.msc in the "Open:" field and click OK.

  • Once there, right-click on WMI Control (Local) and click Properties.
  • Click on the Security tab.
  • Click on the Security button at the bottom right of the window. This action edits the security settings for the Root WMI namespace.
  • You'll now see a window that has the security settings for WMI on this machine. Click Advanced... Yes, you need to do this.
  • You'll now see the Advanced security settings for this WMI namespace. You'll need to add the Splunkers group to the list, and give at least the following "Allow" permissions:
    • Execute Methods
    • Enable Account
    • Remote Enable
    • Read Security
  • Then, you need to make sure that these permissions apply to this namespace and all the namespaces under it. Do that by selecting This namespace and subnamespaces in the dropdown box above the permissions list.
  • Click OK to save the new permissions.
  • Then, click OK again to exit out of the Advanced Security Settings.
  • Click OK a third time to exit the security properties.

Now that you've set WMI namespace security, make sure that you've disabled Windows Firewall/ICS services on both the Splunk server and the server you wish to get data from over WMI.

Once you've done all that, you will need to bounce Splunk. After Splunk has been restarted, you should then be able to create WMI data inputs off of your domain controller.

A few notes about this:

  • I've tested this on a Windows 2003 R2 DC with Windows 2003 member servers running the Splunk service. With Windows 2008, things are a little different (think UAC). I'm working on what else needs to be done to get this running in Windows 2008.

  • There's no non-esoteric way at this time to globally configure WMI security settings domain-wide. Each machine has its own setting. There is an MSDN blog, however, that lists the steps you can take to create a script that contains the appropriate security descriptors, which you can then subsequently throw into a GPO as a startup script and have your computers get the updated security settings at boot time.

  • If you're collecting event logs over WMI - and, in particular, the Security event log - you'll need to enable access to that log on the machine you're collecting the logs from. This is not trivial (think, SDDL knowledge and INF file edits if you're thinking about putting it in a GPO).
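
Added example, not part of malmoore's answer or of Splunk: a PowerShell script that performs the WMI namespace step above (the four Allow rights on root, applied to "This namespace and subnamespaces") through the __SystemSecurity GetSecurityDescriptor/SetSecurityDescriptor methods instead of the wmimgmt.msc dialogs, then reads the DACL back to confirm. Because it is a script, it is the shape of thing the notes suggest dropping into a GPO startup script. Assumptions: PowerShell 2.0 or later, a caller who is allowed to change namespace security on the target (an Administrator), and the group name CONTOSO\Splunkers, which is a placeholder.

```powershell
# Added example, not from the original thread. Grants one group the four WMI
# namespace rights from the answer above (Enable Account, Execute Methods,
# Remote Enable, Read Security) on a namespace and all subnamespaces, then
# reads the DACL back. Requires PowerShell 2.0+ and a caller allowed to edit
# namespace security (an Administrator). 'CONTOSO\Splunkers' is a placeholder.
param(
    [string]$ComputerName = 'localhost',
    [string]$Namespace    = 'root',
    [string]$Account      = 'CONTOSO\Splunkers'
)

# WMI access-mask bits (wbemcli.h); the names in brackets are the wmimgmt.msc labels
$WBEM_ENABLE         = 0x1       # [Enable Account]
$WBEM_METHOD_EXECUTE = 0x2       # [Execute Methods]
$WBEM_REMOTE_ACCESS  = 0x20      # [Remote Enable]
$READ_CONTROL        = 0x20000   # [Read Security]
$AccessMask = $WBEM_ENABLE -bor $WBEM_METHOD_EXECUTE -bor $WBEM_REMOTE_ACCESS -bor $READ_CONTROL

$ACCESS_ALLOWED_ACE_TYPE = 0x0
$CONTAINER_INHERIT_ACE   = 0x2   # "This namespace and subnamespaces" in the dialog

# Resolve the trustee to a SID, as the GUI does when you pick the group
$domain, $name = $Account -split '\\', 2
$sid = (New-Object System.Security.Principal.NTAccount($domain, $name)).Translate([System.Security.Principal.SecurityIdentifier]).Value

$target = @{ ComputerName = $ComputerName; Namespace = $Namespace; Path = '__SystemSecurity=@' }

# Read the current security descriptor of the namespace
$get = Invoke-WmiMethod @target -Name GetSecurityDescriptor
if ($get.ReturnValue -ne 0) { throw "GetSecurityDescriptor failed with $($get.ReturnValue)" }
$sd = $get.Descriptor

# Build a Win32_Trustee / Win32_Ace pair describing the new entry
$trustee = ([wmiclass]'Win32_Trustee').CreateInstance()
$trustee.Domain    = $domain
$trustee.Name      = $name
$trustee.SIDString = $sid

$ace = ([wmiclass]'Win32_Ace').CreateInstance()
$ace.AccessMask = $AccessMask
$ace.AceFlags   = $CONTAINER_INHERIT_ACE
$ace.AceType    = $ACCESS_ALLOWED_ACE_TYPE
$ace.Trustee    = $trustee

# Replace any existing ACE for this SID so re-running the script is idempotent
[System.Management.ManagementBaseObject[]]$newDacl =
    @($sd.DACL | Where-Object { $_.Trustee.SIDString -ne $sid } |
        ForEach-Object { $_.psobject.ImmediateBaseObject }) +
    @($ace.psobject.ImmediateBaseObject)
$sd.DACL = $newDacl

$set = Invoke-WmiMethod @target -Name SetSecurityDescriptor -ArgumentList $sd.psobject.ImmediateBaseObject
if ($set.ReturnValue -ne 0) { throw "SetSecurityDescriptor failed with $($set.ReturnValue)" }

# Verify by reading the DACL back and showing what this SID now holds
(Invoke-WmiMethod @target -Name GetSecurityDescriptor).Descriptor.DACL |
    Where-Object { $_.Trustee.SIDString -eq $sid } |
    ForEach-Object {
        'Granted {0}\{1} mask=0x{2:X} flags=0x{3:X} on {4}' -f $_.Trustee.Domain, $_.Trustee.Name, $_.AccessMask, $_.AceFlags, $Namespace
    }
```

The mask the script writes, 0x20023, is exactly the four boxes ticked in the dialog and nothing more; in particular it leaves out WBEM_FULL_WRITE_REP and WRITE_DAC, so the collection account can read the repository but cannot alter it or its ACL. Run it with -ComputerName set to the DC from an admin workstation, or locally on the DC as an Administrator; it runs in the caller's own security context.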

ftk
Motivator

Just got done reading through the convoluted stream of answers and comments again.

To sum it up, your problem is:

  1. If you add the account to the Domain Admin group, you can poll WMI fine, but your sysadmin does not allow this configuration.
  2. You followed the manual in setting this up for a non admin account

Now when you say it doesn't work, do you mean querying via splunk cmd splunk-wmi -wql "select * from win32_service" -namespace \\<server>\root\cimv2 or via a different method? If you run the splunk cmd, do you receive an error? If so, can you please post that error?

If you are not getting anything, or rather, if you are getting something similar to this:

Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

Then you probably left the initial splunk off of the splunk cmd command and just invoked another shell with cmd.

Please also post details on the account you are running the polling splunk instance as. Domain account, local account, local SYSTEM account?


reini
New Member

I have the same problem getting WMI data from a Windows 7 machine. With a Windows XP machine everything works fine.

It may be a UAC problem, but I could not find any documentation that describes how to configure it so that it works for remote WMI access.

Has anyone found a solution?

Thanks in advance.

Reini


pmelchiori
Explorer

Thanks ftk, this is the result:

ERROR WMI - Error occurred while trying to retrive results from a WMI query (error="Call failed." HRESULT=80041001) (.: select * from win32_service)
ERROR WMI - Giving up attempt to connect to WMI provider after maximum number of retries at maximum backoff time (.: select * from win32_service)

Clean shutdown completed

Instead, with the administrator's account, everything works fine.

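
Added example, not part of the thread or of Splunk: the same "select * from win32_service" probe ftk asks for, run from PowerShell with Get-WmiObject as the non-admin account, plus two more queries that exercise the performance-counter and Security event log paths malmoore's notes mention. It maps the HRESULT that comes back onto the layer of the checklist that rejected the call: RPC/firewall, DCOM limits, namespace security, or the provider itself (which is where HRESULT 80041001, WBEM_E_FAILED, originates). Assumptions: PowerShell 2.0 or later; the DC name dc01 and the account CONTOSO\svc_splunk are placeholders.

```powershell
# Added example, not from the original thread. Probes a DC over WMI as the
# Splunk service account and names the layer that rejected the call, using
# the documented HRESULT values. Requires PowerShell 2.0+; 'dc01' and
# 'CONTOSO\svc_splunk' are placeholders.
param(
    [string]$ComputerName = 'dc01',
    [System.Management.Automation.PSCredential]$Credential = (Get-Credential 'CONTOSO\svc_splunk')
)

# HRESULT -> which step of the checklist to revisit. Keys are upper-case hex
# strings so that negative Int32 error codes compare correctly after formatting.
$KnownErrors = @{
    '800706BA' = 'RPC_S_SERVER_UNAVAILABLE: firewall or RPC (TCP 135 plus dynamic ports) between the two hosts'
    '80070005' = 'E_ACCESSDENIED from DCOM: COM Security limits / Distributed COM Users membership'
    '80041003' = 'WBEM_E_ACCESS_DENIED from WMI: namespace security (Enable Account, Remote Enable)'
    '80041001' = 'WBEM_E_FAILED: the provider ran but could not do the work; check rights the provider itself needs (SCM, event log)'
    '8004100E' = 'WBEM_E_INVALID_NAMESPACE: wrong namespace path'
}

function Test-WmiAccess {
    param([string]$Computer, [string]$Namespace, [string]$Query,
          [System.Management.Automation.PSCredential]$Cred)
    $gwmi = @{ ComputerName = $Computer; Namespace = $Namespace; Query = $Query; Credential = $Cred; ErrorAction = 'Stop' }
    try {
        $rows = @(Get-WmiObject @gwmi)
        # No error but zero rows is itself a finding: the connection and namespace
        # checks passed, but the provider returned nothing the caller may read.
        $status = if ($rows.Count -gt 0) { 'OK' } else { 'Connected, but the query returned no rows' }
        New-Object PSObject -Property @{ Query = $Query; Rows = $rows.Count; HResult = '00000000'; Status = $status }
    } catch {
        $ex = $_.Exception
        # ManagementException carries the WBEM code in ErrorCode; COM errors carry an HRESULT
        $hr = if ($ex -is [System.Management.ManagementException]) { [int]$ex.ErrorCode }
              elseif ($ex -is [System.Runtime.InteropServices.COMException]) { $ex.ErrorCode }
              else { [System.Runtime.InteropServices.Marshal]::GetHRForException($ex) }
        $hex = '{0:X8}' -f $hr
        $status = $KnownErrors[$hex]
        if (-not $status) { $status = $ex.Message }
        New-Object PSObject -Property @{ Query = $Query; Rows = 0; HResult = $hex; Status = $status }
    }
}

# One probe per access path the thread discusses: services (ftk's test),
# performance counters (Performance Log Users), and the Security event log
# (needs "Manage auditing and security log" on the DC).
$probes = @(
    'SELECT Name, State FROM Win32_Service',
    'SELECT Name, PercentProcessorTime FROM Win32_PerfFormattedData_PerfOS_Processor',
    "SELECT LogfileName, NumberOfRecords FROM Win32_NTEventlogFile WHERE LogfileName='Security'"
)

$probes | ForEach-Object {
    Test-WmiAccess -Computer $ComputerName -Namespace 'root\cimv2' -Query $_ -Cred $Credential
} | Format-Table HResult, Rows, Status, Query -AutoSize
```

Run it from the Splunk host against the DC, not on the DC itself: Get-WmiObject refuses explicit credentials for a local connection. Run the same probes once as an Administrator and once as the service account; the first probe whose status differs tells you which layer still lacks a right, which is more useful than the bare "Call failed." that splunk-wmi reports.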

ftk
Motivator

Saw that many answers revolve around adding the account to the Local Administrators group on the DC. This is indeed possible on a 2003 DC. Simply add the user to the BUILTIN\Administrators group on the DC.

One thing to note is that the Domain Admins group is a member of the BUILTIN\Administrators group, so if you already added the account to Domain Admins the account should have (out of the box) local admin privs on the DC.


pmelchiori
Explorer

I can't add my user to the administrators group, company policy.


simuvid
Splunk Employee

I had a similar question.

See also the answers I got:

http://answers.splunk.com/questions/4226/splunk-on-a-domain-controller

Hope it's also useful for you.

Cheers,

Christian

klkumar10
Explorer

Add the user to the following:

Add the user to the Performance Log Users group

Add the user to the Distributed COM Users group

Open Local Security Policy (Start -> All Programs -> Administrative Tools -> Local Security Policy)

Select Security Settings -> Local Policies -> User Rights Assignment -> Manage Auditing and Security Log

Add the user to the Manage Auditing and Security Log policy; that will solve your problem.

pmelchiori
Explorer

Done, nothing changes... any other ideas?


pmelchiori
Explorer

Thanks, I'll try it soon!


igor
Splunk Employee

You have to run Splunk with an account that has local Administrator privileges. See http://www.splunk.com/base/Documentation/latest/Installation/InstallonWindowsviathecommandline#Choos....

igor
Splunk Employee

In my experience, if you have an AD user that is a member of the DC's "Domain Admin" group, processes that run as the AD user will run with local Administrators group privilege as well. I suggest adding the "Domain Admin" group to that user and trying again.

pmelchiori
Explorer

DC server doesn't have the Local Admins!


pmelchiori
Explorer

Exactly. I tried putting it in the Administrators group, and it works fine, but the system administrator won't give me permission to use it this way permanently.


Ledio_Ago
Splunk Employee

Looking at MSDN: http://msdn.microsoft.com/en-us/library/aa389290%28v=VS.85%29.aspx

"...Windows Server 2003, Windows XP, and Windows 2000: The account on Computer B must be in the Administrator group, but a domain account is not required...."

From this document it sounds like the user running Splunk has to be in the Administrative group to be able to connect to WMI remotely. The same user context that Splunk is running as will be used to log in to the remote box and connect to WMI.


pmelchiori
Explorer

I've already given my user the DCOM permission! The only thing is that when I test WMI, the answer to the query is empty, not an error...


gkanapathy
Splunk Employee

Sorry, this sounds like that's what Windows requires. It does not entirely surprise me. It is possible that you can fiddle around with settings in the DCOMCNFG.EXE application to make it work with a non-Administrator group, but this is something probably more readily answered at a Windows-specialist site.


pmelchiori
Explorer

This is the main point!


gkanapathy
Splunk Employee

Well, but note that if the computer is a DC, then the Administrator group is the Domain Administrator group.


gkanapathy
Splunk Employee

I don't understand what you mean by "you can't add" but "it works correctly" if you do. You mean you are not allowed to, and you are trying to see if there is another way to do it besides adding the user to the group?
