Getting Data In

Monitor Windows event log via WMI to splunk

splk_user
Path Finder

Hi,

Is it possible to monitor Windows event log via WMI to splunk instead of using Universal Forwarder?

If yes, how can I configure this communication?


Thanks.


PickleRick
SplunkTrust

You can use WMI to pull EventLog from a remote computer, but you still have to install the Windows Splunk component which will be doing the pulling (UF or HF) somewhere.

There are several methods of collecting windows EventLogs.

The easiest and most straightforward way is to install UF on a monitored server and pull events directly from local eventlog. But it might create issues of scalability and windows admins might not be thrilled if you want to install third-party tools on domain controllers or other important servers.

Another relatively well working idea is to use Windows Event Forwarding (easy to set up in a domain environment, can also be configured in a domainless setup, but then it gets complicated, though still possible) and pull windows from a central eventlog collector. I use it quite a lot. Be aware of possible performance issues as you scale horizontally too far.

WMI can be used to pull from remote computers, but that's generally a last resort solution. Performance is not very good, you _must_ run the UF with a domain account (which implies that it can only be used in a domain environment), and there are often issues with permissions/privileges, so it might be tricky to set up unless you have a very good Windows admin team.

The solution which can be used but honestly speaking should never even be considered is using a third-party forwarder (typically a syslog one like kiwi, solarwinds or nxlog). This way you might relatively easily get your logs, and syslog is easy to receive, but the events you get this way will be horribly mangled and not suitable for typical Splunk-side processing (meaning they will not be understandable by TA-windows).

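The Windows Event Forwarding route described above, as an added example that is not from the thread, Microsoft or Splunk: a minimal source-initiated subscription between two servers, with the Splunk UF reading the collector's ForwardedEvents log afterwards. Host names WEC01 (collector) and SRV01 (source) in domain corp.example, the subscription name and the UF install path are assumptions; it assumes Windows PowerShell 5.1 run as an administrator on the host named in each section.

```powershell
# Added example, not part of the original post. Placeholder hosts: WEC01 (collector),
# SRV01 (source), domain corp.example. Run each section on the host named in its comment.

### 1. On the collector (WEC01): enable the Event Collector service and a WinRM listener
wecutil qc /q          # quick-config: enables and starts Windows Event Collector
winrm quickconfig -q   # HTTP listener on 5985 that sources push events to

### 2. On the collector (WEC01): subscription for the Security log from all domain computers
$subscriptionXml = @'
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>Splunk-Security</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Security log from domain members, read by the Splunk UF on the collector</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>MinLatency</ConfigurationMode>
  <Query><![CDATA[<QueryList><Query Id="0" Path="Security"><Select Path="Security">*</Select></Query></QueryList>]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>http</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceDomainComputers>O:NSG:NSD:(A;;GA;;;DC)</AllowedSourceDomainComputers>
</Subscription>
'@
$xmlPath = Join-Path $env:TEMP "Splunk-Security.xml"
Set-Content -Path $xmlPath -Value $subscriptionXml -Encoding ASCII
wecutil cs $xmlPath            # create-subscription from the XML above
wecutil gr Splunk-Security     # runtime status: lists sources once they have checked in

### 3. On the source (SRV01): point it at the collector and allow Security log reads.
### In a domain this is the GPO "Configure target Subscription Manager"; the registry
### value below is what that policy writes, so a GPO can replace this section.
winrm quickconfig -q
$pol = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager"
New-Item -Path $pol -Force | Out-Null
Set-ItemProperty -Path $pol -Name "1" `
    -Value "Server=http://WEC01.corp.example:5985/wsman/SubscriptionManager/WEC,Refresh=60"
# Forwarding is done by the WinRM service, which runs as NETWORK SERVICE and so needs
# read access to the Security log (membership in Event Log Readers).
Add-LocalGroupMember -Group "Event Log Readers" -Member "NT AUTHORITY\NETWORK SERVICE"
Restart-Service WinRM          # makes the source re-read the subscription manager setting

### 4. On the collector (WEC01): Splunk UF input for the forwarded log (default install path assumed)
@'
[WinEventLog://ForwardedEvents]
disabled = 0
renderXml = true
'@ | Add-Content -Path "C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf"
```

After `wecutil gr` shows SRV01 as active, events appear in the collector's Forwarded Events log, and the UF needs a restart to pick up the new stanza.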

splk_user
Path Finder

Thank you @PickleRick 


splk_user
Path Finder

Thank you @gcusello 


gcusello
SplunkTrust

Hi @splk_user ,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉



asharma
Loves-to-Learn

Hi @PickleRick @gcusello 


I was reading this reply, and I currently need to set up this part from your post:

==============

Another relatively well working idea is to use Windows Event Forwarding (easy to set up in a domain environment, can also be configured in a domainless setup, but then it gets complicated, though still possible) and pull windows from a central eventlog collector. I use it quite a lot. Be aware of possible performance issues as you scale horizontally too far.

===========

Do you have any guide/link which explains this step by step, i.e. how to set up WEF on two servers?


gcusello
SplunkTrust

Hi @splk_user,

yes, it's possible, even if I try to avoid using WMI because you must use a domain user to access the remote systems.

In addition, a Universal Forwarder gives you many additional features like local caching, packet compression, bandwidth optimization, etc.

Anyway, here you can find the procedure to configure a WMI input: https://docs.splunk.com/Documentation/Splunk/9.0.5/Data/MonitorWMIdata

Ciao.

Giuseppe

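Before filling in wmi.conf per the linked procedure, it helps to confirm that the account splunkd will run under can actually read the remote log over WMI, since the permission and DCOM problems mentioned in this thread surface there first. The following pre-flight check is an added example, not from the thread or the Splunk docs; the target host, log name and lookback window are placeholders, and it assumes Windows PowerShell 5.1 (Get-WmiObject uses DCOM, the same transport as the Splunk WMI input; Get-CimInstance would test WinRM instead).

```powershell
# Added example, not from the thread. Run as the domain account that splunkd will use,
# on the Splunk host that will do the WMI polling. All parameter values are placeholders.
param(
    [string]$ComputerName    = "dc01.corp.example",   # placeholder remote target
    [string]$LogName         = "Security",            # Logfile value as wmi.conf event_log_file
    [int]   $LookbackMinutes = 15
)

# Win32_NTLogEvent is the class the Splunk WMI input queries; WQL compares
# TimeGenerated against DMTF-formatted timestamps, so convert the cut-off first.
$since   = (Get-Date).AddMinutes(-$LookbackMinutes)
$dmtf    = [System.Management.ManagementDateTimeConverter]::ToDmtfDateTime($since)
$query   = "SELECT RecordNumber, EventCode, TimeGenerated FROM Win32_NTLogEvent " +
           "WHERE Logfile = '$LogName' AND TimeGenerated >= '$dmtf'"

try {
    $events = @(Get-WmiObject -ComputerName $ComputerName -Query $query -ErrorAction Stop)
    Write-Host ("{0}: read {1} {2} events from the last {3} minutes over WMI/DCOM" -f `
        $ComputerName, $events.Count, $LogName, $LookbackMinutes)
    if ($events.Count -eq 0) {
        # Query succeeded, so transport and DCOM rights are fine; an empty result usually
        # means the log name is wrong or the account is not in Event Log Readers on the target.
        Write-Warning "No events returned; check the log name and Event Log Readers membership."
    }
}
catch {
    # Typical failures: 0x80070005 (access denied: DCOM/WMI namespace rights or group
    # membership) and 0x800706BA (RPC server unavailable: firewall or DCOM ports).
    Write-Warning ("WMI query against {0} failed: {1}" -f $ComputerName, $_.Exception.Message)
}
```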