Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

While setting up a Windows Eventlog collection input, why do I get an HTTP 500 - Access is denied error?

maverick
Splunk Employee
Splunk Employee
‎02-24-2010 03:07 PM

I want to gather and index the security eventtlogs on a remote Windows server.

While trying to add a new Windows Eventlog collection input within Splunk, I am getting the following error:

Failed to fetch data:[HTTP 500] Splunkd internal error;[{'text':"In handler 'win-wmi-enum-eventlogs': Error accessing MWI-0x7ff8fffb - Access is denied.. Make sure WMI is configured correctly.",'code':None, 'type': 'ERROR'}]

FYI, the user account that Splunk is running as also exists on the remote Windows machine and has full rights to administer both servers.

Reply
1 Solution
Solved! Jump to solution
Solution

cervelli
Splunk Employee
Splunk Employee
‎02-24-2010 10:10 PM

The error is, alas, precise - we have attempted, and been explicitly denied, access to the logs.

This can happen for the following reasons :

  • you're not in a domain (see below)
  • Splunkd service is running with Local System permissions
  • Splunkd is running as a domain account, but cannot do at least one of these:
    • log on as a service on the remote box
    • bypass the firewall on the remote box, specifically IPSEC challenges
    • use Remote Launch and Remote Activation DCOM rights
    • Profile System Performance and Access this Computer from the Network GPO rights
  • The RPC service is running, but DCOM and/or WMI services are not

Whew. That's a lot of reasons, and there can be even more edge cases. For testing, try a domain admin account for the splunkd service login to verify connectivity is possible, then go from there to improve security. See:

http://docs.splunk.com/Documentation/Splunk/5.0/Data/MonitorWMIdata or http://msdn.microsoft.com/en-us/library/aa394603%28VS.85%29.aspx

RE: Domains. If you are NOT in a domain, it is possible to have identically named accounts with exactly the same login name and password who are both Local Administrators on both machines work with WMI. The polling Splunkd needs to have this account as it's service login.

Note this will NOT work if either machine is actually in a domain; both must be stand alone.

View solution in original post

Reply
Solved! Jump to solution

jonm1010
New Member
‎07-26-2012 12:42 PM

Ok next question, does splunk need to be installed on each machine I want read the logs from?

0 Karma
Reply
Solved! Jump to solution
Solution

cervelli
Splunk Employee
Splunk Employee
‎02-24-2010 10:10 PM

The error is, alas, precise - we have attempted, and been explicitly denied, access to the logs.

This can happen for the following reasons :

  • you're not in a domain (see below)
  • Splunkd service is running with Local System permissions
  • Splunkd is running as a domain account, but cannot do at least one of these:
    • log on as a service on the remote box
    • bypass the firewall on the remote box, specifically IPSEC challenges
    • use Remote Launch and Remote Activation DCOM rights
    • Profile System Performance and Access this Computer from the Network GPO rights
  • The RPC service is running, but DCOM and/or WMI services are not

Whew. That's a lot of reasons, and there can be even more edge cases. For testing, try a domain admin account for the splunkd service login to verify connectivity is possible, then go from there to improve security. See:

http://docs.splunk.com/Documentation/Splunk/5.0/Data/MonitorWMIdata or http://msdn.microsoft.com/en-us/library/aa394603%28VS.85%29.aspx

RE: Domains. If you are NOT in a domain, it is possible to have identically named accounts with exactly the same login name and password who are both Local Administrators on both machines work with WMI. The polling Splunkd needs to have this account as it's service login.

Note this will NOT work if either machine is actually in a domain; both must be stand alone.

Reply
Get Updates on the Splunk Community!

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

The latest enhancements across the Splunk Observability portfolio deliver greater flexibility, better data and ...

Alerting Best Practices: How to Create Good Detectors

At their best, detectors and the alerts they trigger notify teams when applications aren’t performing as ...

Discover Powerful New Features in Splunk Cloud Platform: Enhanced Analytics, ...

Hey Splunky people! We are excited to share the latest updates in Splunk Cloud Platform 9.3.2408. In this ...