Why am I getting this WMI DCOM error?

Splunk Employee

Currently, I'm using WMI to pull WinEvents from 17 Windows hosts running on VMs. They are each the exact same and were built off the exact same VM template.

However, I am receiving an Application error WinEvent in my Splunk for 2 out of the 17 hosts that says DCOM is unable to communicate using the configured protocol. It looks like this:


Message=DCOM was unable to communicate with the computer <foo.bar.com> using any of the configured protocols.

Anyone ever see this before and/or know why this could be happening, especially since all the VMs are the same?

BTW, I know about using a Splunk Forwarder instead of WMI, but I just want to know if anyone can confirm this as a bug or some kind of Microsoft limitation or issue, or just a config issue maybe, etc.

Splunk Employee

I'm not sure I see this as an issue related to Splunk. The message appears to only impact some DCOM communication problem between two Windows hosts. I am not aware that Splunk leverages the DCOM service when collecting WMI inputs. Is there any misbehavior actually observed in Splunk?

Splunk Employee

I have to say, I remain unconvinced that this is Splunk-related. Innocent until proven guilty 🙂

New Member

Since Maverick posted this question on my behalf, there is no misbehavior actually observed in Splunk. I have added about 15 servers (all Windows 2008 R2, all built from the same VMware Server template), but the Splunk Server (also built from this template) is only throwing this for 2 of the servers, which just of course happen to be my application servers. I am kind of at a loss for why there is a communication problem only between these 2 servers and the Splunk server.
