Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forย 
Search instead forย 
Did you mean:ย 
Ask a Question

UFW: Collect WMI instance referenced in monitored WMI event

injvstice
New Member
โ€Ž09-16-2019 09:16 AM

I have what is probably a very newbie question:

I would like to monitor a WMI event with Splunk. This event returns the key of a class instance which has been modified.

So:
1. The event WMI\MyEvent fires and reports root\CIMV2\MyClass instance MyInstance1 has changed.
2. I need to send root\CIMV2\MyClass MyInstance1 to Splunk (the changed instance, not the event itself)

Can I handle this with the UFW? I didn't see an obvious way to accomplish this in wmi.conf.

If I can't, I could wrap the logic into a powershell script that does the proper joining and prints out to the stdout as a CSV line. Can I have the UFW monitor the stdout of a powershell script and report whenever a new line is output?

Anything else I should look at?

Thanks in advance!

0 Karma
Reply