Splunk Enterprise

Is it possible to monitor a Windows event log via WMI from the Splunk server?

tmontney
Builder

I want to monitor a Windows Event log such as Microsoft-Windows-WLAN-AutoConfig/Operational. I was able to get it working via the Universal Forwarder. Is it possible to do it via WMI from the Splunk server? Here's an example of my C:\Program Files\Splunk\etc\apps\search\local\wmi.conf

[WMI:WLAN Test]
disabled = 0
event_log_file = Microsoft-Windows-WLAN-AutoConfig/Operational
index = wineventlog
interval = 5
server = MY-COMPUTER
0 Karma
1 Solution

lguinn2
Legend

Yes, you can configure remote WMI on your Splunk indexer (if your indexer is running Windows) - but usually it is not a good idea.

WMI is okay for pulling occasional data from a few remote hosts. It will not scale to collecting data from many servers frequently, because it was not designed to do that. This has nothing to do with Splunk. Rather, it is because WMI was originally built as a tool for providing remote management and status queries, not for intensive monitoring of remote servers. (See this MS Technet note.) No matter where you configure remote WMI - on the forwarder or on the indexer - it is good to be aware of this.

Any Splunk instance that does remote WMI will need sufficient domain privileges to access the event logs of the target hosts. Normally, Splunk forwarders and indexers do not need domain-level accounts to run, so using remote WMI increases security concerns. How much power do you want to give to a Splunk instance to reach servers across your domain?

Finally, your Splunk indexers already have two important workloads: indexing and searching. Adding remote WMI to one of the indexers is probably not a good idea. While it might work in the short term, it will become problematic or even impossible as the number of indexers grows. For example, if you use indexer clustering, all indexers in the cluster must be configured exactly the same - so you can't have one that is collecting the remote WMI data. Second example: with multiple indexers, user searches are not complete until all the indexers have reported their search results - so users will see slower searches if "that indexer" is slower than the others.

Splunk best practice is to install a UF on any Windows machine that you want to monitor; then the UF can collect the event logs (and any other logs, status, etc.) locally and forward them. This is a more secure and scalable solution, as Splunk will not require domain privileges.

But if it makes sense in your case, configure remote WMI in the same way, on either the indexer or the forwarder. Just put the inputs.conf file on the indexer instead of the forwarder.
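For the Universal Forwarder approach the answer recommends, the equivalent local input for the channel named in the question looks like the stanza below. This is an added example, not configuration from the original thread; the app name and file path on the monitored host are assumptions, and the index must already exist on the indexer.

```ini
# Added example: local Windows Event Log input on the Universal Forwarder.
# Assumed location on the monitored host (app name is a placeholder):
#   C:\Program Files\SplunkUniversalForwarder\etc\apps\<your_app>\local\inputs.conf
# The UF reads the channel locally under its own service account, so no
# domain-level account and no remote WMI access from the indexer is needed.

[WinEventLog://Microsoft-Windows-WLAN-AutoConfig/Operational]
disabled = 0
# Must match an index that exists on the indexer (same name the question uses)
index = wineventlog
# Read the existing events once, then keep following new ones
start_from = oldest
current_only = 0
# How often (seconds) the UF records its read position for this channel
checkpointInterval = 5
```

Restart the forwarder after saving the file. The events then arrive with the source typically set to WinEventLog:Microsoft-Windows-WLAN-AutoConfig/Operational, which is a convenient field to check in a search to confirm the input is working before retiring the remote WMI stanza.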


tmontney
Builder

Right, I've been on the path to switching to UF. It's just been easier to use WMI for the time being. I don't know why, until this morning, but I checked if WMI was capable. It cannot search these new event viewer logs. PowerShell is, however.

0 Karma