Getting Data In

How to get WMI data collection by providing to splunk the remote host credentials ?

hassanadel
Explorer

Hi, How to get WMI data collection by providing to splunk the remote host credentials?

Both machine are on the same network, no firewall, windows 2003 server installed, i don't want to install any client on the remote host. Service updated to log on as administrator. wbemtest.exe work successfully with credentials.

I am getting this error: Failed to fetch data: In handler 'win-wmi-find-collection': Unable to get wmi classes from host '10.31.2.169': -0x7ff8fffb - Access is denied. Make sure WMI is configured correctly.

Is there any way to add remote host credential in inputs.conf or wmi.conf ?

Thank you very much for your help !!!

Tags (2)

edixon15
New Member

I resolved this by changing the Splunkd service "log in" from local account to the the local pc administrator account.

Issue resolved.

0 Karma

tcambridge
Engager

Hello,

I was getting the same error. Even though I am on a domain, the problem turned out to be the actual splunkd service account.

The service account credentials must have administrative privileges on any remote machine that you wish to pull data from, whether it is in a domain or not. Once you use an account that has admin privileges to run the splunkd service, restart the service and try again.

Good luck!

travistrp
Explorer

This below response does work... I have deployed like that on special use case instances and just be sure that you use the same local user name as your account you have on the Splunk Indexer and you should be ok. Last Case Restort I would use this method but it works..

If you're not in a domain this might work: run splunk as a local user. On the remote server create a user with access to remote WMI with the same username/password. This might work. If not the only option you have is try to allow the remote computer account access to WMI, but that's a big security hole. I think from a security perspective you would be best server putting all of these machines in a domain. – ftk Jun 18 at 19:08

0 Karma

ftk
Motivator

You will need to install splunk under a domain account that has sufficient access rights on the remote Windows server to poll for WMI data.

For more information please take a look at the documentation: http://www.splunk.com/base/Documentation/latest/Admin/MonitorWMIdata

ftk
Motivator

If you're not in a domain this might work: run splunk as a local user. On the remote server create a user with access to remote WMI with the same username/password. This might work. If not the only option you have is try to allow the remote computer account access to WMI, but that's a big security hole. I think from a security perspective you would be best server putting all of these machines in a domain.

hassanadel
Explorer

The issue is that using wbemtest.exe with the credentials of the remote host, i am able to execute query and get data. I need a way to provide to splunk the credentials of the remote host.

I am not in a domain, i tried to config the server and client with same credentials, doesn't work.

0 Karma

simonmag
New Member

Is the Splunk server in the same Domain/Workgroup as the server you are trying to get the data from?

I had to install a second Splunk server in our environment to collect from servers in another domain.

I believe that the Splunkd service will try and connect to the server using the credentials specified during the install.

0 Karma

hassanadel
Explorer

I am not in a domain, i tried to config the server and client with same credentials, doesn't work.

0 Karma