Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

UFW: Collect WMI instance referenced in monitored WMI event

injvstice
New Member
‎09-16-2019 09:16 AM

I have what is probably a very newbie question:

I would like to monitor a WMI event with Splunk. This event returns the key of a class instance which has been modified.

So:
1. The event WMI\MyEvent fires and reports root\CIMV2\MyClass instance MyInstance1 has changed.
2. I need to send root\CIMV2\MyClass MyInstance1 to Splunk (the changed instance, not the event itself)

Can I handle this with the UFW? I didn't see an obvious way to accomplish this in wmi.conf.

If I can't, I could wrap the logic into a powershell script that does the proper joining and prints out to the stdout as a CSV line. Can I have the UFW monitor the stdout of a powershell script and report whenever a new line is output?

Anything else I should look at?

Thanks in advance!

0 Karma
Reply
.conf21 Now Fully Virtual!
Register for FREE Today!

We've made .conf21 totally virtual and totally FREE! Our completely online experience will run from 10/19 through 10/20 with some additional events, too!

Get Updates on the Splunk Community!