How to forward WMI:WinEventLog:Security data from a Windows universal forwarder to a Linux search head?

RecoMark0
Path Finder

Hello,

I am trying to set up WMI on a universal forwarder; however, I am only getting WMI:CPUTime. The WMI:WinEventLog:Security is not working, though. I tried following http://docs.splunk.com/Documentation/Splunk/6.2.4/Data/MonitorWMIdata, but that is for all Windows servers, and not Linux.

My setup
Search head and main UI on Linux
2 distributed indexers also on Linux
Servers to monitor are on Windows

My wmi.conf file is on a Windows server that has universal forwarder installed. (All other logs being sent from this server are coming in)

[WMI:CPUTime]
interval = 10
disabled = 0
server = localhost
wql = SELECT PercentProcessorTime, PercentUserTime FROM Win32_PerfFormattedData_PerfOS_Processor WHERE Name = "_Total"

[WMI:WinEventLog:Security]
interval = 10
disabled = 0
server = localhost
event_log_file = Security

Do I need to set something else up for security to work? What can I check to verify the event_log_file is being created? Is there a way I can use the wql parameter with security instead, since that works for the CPUTime?

Thank you

grijhwani
Motivator

wmi.conf is only one facet of the config. Where are you forwarding the data to? Are you segregating data type by index? Do the indexes exist? Does the user doing the searching have access rights to all the necessary indexes?

RecoMark0
Path Finder

The issue was solved when the service user for Splunk had its permissions updated.

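The fix reported in this thread was the forwarder's service account permissions. The following PowerShell is an added diagnostic, not code from the thread or from Splunk, for checking that on the Windows host running the universal forwarder. It assumes the forwarder's Windows service is named SplunkForwarder (the default for a universal forwarder install) and that read access to the Security log comes from membership in the local Event Log Readers group or from the "Manage auditing and security log" right (SeSecurityPrivilege); both are standard Windows behaviour, but whether your forwarder runs under a custom service name is something to confirm.

```powershell
# Added diagnostic (not from the thread or from Splunk): run in an elevated
# PowerShell session on the Windows host where the universal forwarder is installed.
# Assumptions: the service is named "SplunkForwarder" (default UF install), and
# reading the Security log requires the account to be LocalSystem, a member of the
# local "Event Log Readers" group, or a holder of SeSecurityPrivilege.

$ServiceName = 'SplunkForwarder'   # assumption: default universal forwarder service name

# 1. Find the account the forwarder service runs as.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) {
    Write-Warning "Service '$ServiceName' not found; check the installed service name."
    return
}
$account = $svc.StartName
Write-Output "Forwarder service runs as: $account"

# 2. LocalSystem already has the right; for any other account, check group membership.
if ($account -match 'LocalSystem') {
    Write-Output "LocalSystem can read the Security log; look at wmi.conf and outputs.conf next."
} else {
    $user = ($account -split '\\')[-1]          # strip the DOMAIN\ or .\ prefix
    $members = Get-LocalGroupMember -Group 'Event Log Readers' -ErrorAction SilentlyContinue
    if ($members | Where-Object { $_.Name -like "*\$user" }) {
        Write-Output "$user is a member of 'Event Log Readers'."
    } else {
        Write-Warning "$user is NOT in 'Event Log Readers'; add it (or grant SeSecurityPrivilege) and restart $ServiceName."
    }
}

# 3. Confirm the Security log is readable through WMI at all from this (admin) session.
#    Win32_NTLogEvent is the WMI class that exposes the Windows event logs; the same
#    WQL shape could be used in a wql = ... stanza in wmi.conf.
try {
    $sample = @(Get-CimInstance -Query "SELECT EventCode, TimeGenerated FROM Win32_NTLogEvent WHERE Logfile='Security'" -ErrorAction Stop |
                Select-Object -First 5)
    if ($sample.Count -gt 0) {
        Write-Output "WMI returned $($sample.Count) recent Security events (first EventCode: $($sample[0].EventCode))."
    } else {
        Write-Warning "WMI query succeeded but returned no Security events; check that auditing is enabled."
    }
} catch {
    Write-Warning "WMI query against the Security log failed: $($_.Exception.Message)"
}

# To repeat step 3 as the service account itself rather than as the admin, start a
# shell as that account (runas /user:DOMAIN\user powershell.exe) and run it there.
```

Step 3 runs under the logged-in administrator, so a success there only proves the host and WMI are healthy; the membership check in step 2 (or rerunning step 3 under the service account) is what tells you whether the forwarder's own identity can read the log.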

RecoMark0
Path Finder

Hello, thank you for your response. Here are my answers to your questions.
I am forwarding the data from the server to 2 distributed indexers that are both Linux machines. The only logs not going through are the WMI security. Other logs being monitored, as well as the WMI CPUTime, are getting through.
I do have multiple indexes, but only non-WMI log files are being split to different indexes; the WMI comes in on the main index.
Yes, the indexes exist.
I am using my account, which has full access to all indexes.

grijhwani
Motivator

Another question occurs to me, but not being Windows-centric I have no idea of the likely answer or how to find it: are there Windows access restrictions in force preventing the forwarder from obtaining the WMI security records?

Clearly if you are seeing other Splunk entries from the machine in question, there is no network fault in play.
