Splunk Enterprise

Is it possible to monitor a Windows event log via WMI from the Splunk server?

tmontney
Builder

I want to monitor a Windows Event log such as Microsoft-Windows-WLAN-AutoConfig/Operational. I was able to get it working via the Universal Forwarder. Is it possible to do it via WMI from the Splunk server? Here's an example of my C:\Program Files\Splunk\etc\apps\search\local\wmi.conf:

[WMI:WLAN Test]
disabled = 0
event_log_file = Microsoft-Windows-WLAN-AutoConfig/Operational
index = wineventlog
interval = 5
server = MY-COMPUTER
0 Karma
1 Solution

lguinn2
Legend

Yes, you can configure remote WMI on your Splunk indexer (if your indexer is running Windows) - but usually it is not a good idea.

WMI is okay for pulling occasional data from a few remote hosts. It will not scale to collecting data from many servers frequently, because it was not designed to do that. This has nothing to do with Splunk. Rather, it is because WMI was originally built as a tool for providing remote management and status queries, not for intensive monitoring of remote servers. (See this MS Technet note.) No matter where you configure remote WMI - on the forwarder or on the indexer - it is good to be aware of this.

Any Splunk instance that does remote WMI will need sufficient domain privileges to access the event logs of the target hosts. Normally, Splunk forwarders and indexers do not need domain-level accounts to run, so using remote WMI increases security concerns. How much power do you want to give to a Splunk instance to reach servers across your domain?

Finally, your Splunk indexers already have two important workloads: indexing and searching. Adding remote WMI to one of the indexers is probably not a good idea. While it might work in the short term, it will become problematic or even impossible as the number of indexers grows. For example, if you use indexer clustering, all indexers in the cluster must be configured exactly the same - so you can't have one that is collecting the remote WMI data. Second example: with multiple indexers, user searches are not complete until all the indexers have reported their search results - so users will see slower searches if "that indexer" is slower than the others.

Splunk best practice is to install a UF on any Windows machine that you want to monitor; then the UF can collect the event logs (and any other logs, status, etc.) locally and forward them. This is a more secure and scalable solution, as Splunk will not require domain privileges.

But if it makes sense in your case, configure remote WMI in the same way, on either the indexer or the forwarder. Just put the inputs.conf file on the indexer instead of the forwarder.

tmontney
Builder

Right, I've been on the path to switching to UF. It's just been easier to use WMI for the time being. I don't know why I hadn't until this morning, but I checked whether WMI was capable. It cannot search these new event viewer logs. PowerShell can, however.

0 Karma
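The two practical points in this thread are that WMI cannot see the newer "Applications and Services Logs" channels (so no wmi.conf stanza will collect Microsoft-Windows-WLAN-AutoConfig/Operational), and that the recommended collector is a Universal Forwarder reading the log locally, which needs no domain privileges. The script below is an added example, not code from the thread or from Splunk: run on the Windows host itself, it checks whether the channel is visible through the legacy WMI event-log class, whether it is visible through the Windows Event Log API that PowerShell's Get-WinEvent uses, and, if only the latter can see it, prints the WinEventLog stanza for the forwarder's inputs.conf. The log name and index value are taken from the question; the inputs.conf path mentioned in the comments is the standard UF local app directory and is an assumption.

```powershell
# Added example (not from the thread): compare what the legacy WMI event-log
# class can see with what the Windows Event Log API (Get-WinEvent) can see,
# then emit the Universal Forwarder inputs.conf stanza for the same channel.
# Runs locally on the monitored host; no domain privileges are required.
# $LogName comes from the question; $Index matches the wmi.conf in the question.
param(
    [string]$LogName = 'Microsoft-Windows-WLAN-AutoConfig/Operational',
    [string]$Index   = 'wineventlog'
)

# 1. Legacy path. WMI only exposes the classic logs registered under
#    HKLM\SYSTEM\CurrentControlSet\Services\EventLog (Application, System, ...).
#    Win32_NTEventlogFile enumerates exactly those, so a wmi.conf
#    event_log_file value can only name a log that appears in this list.
$wmiLogs = Get-CimInstance -ClassName Win32_NTEventlogFile |
           Select-Object -ExpandProperty LogfileName
$visibleToWmi = $wmiLogs -contains $LogName

# 2. Modern path. Get-WinEvent -ListLog queries the Event Log service and
#    returns every channel, including "Applications and Services Logs".
#    A missing channel produces a non-terminating error, silenced here.
$channel = Get-WinEvent -ListLog $LogName -ErrorAction SilentlyContinue
$visibleToEventLogApi = $null -ne $channel

# Summary of what each collection method can reach for this channel.
[pscustomobject]@{
    LogName              = $LogName
    VisibleToWmi         = $visibleToWmi
    VisibleToEventLogApi = $visibleToEventLogApi
    IsEnabled            = $channel.IsEnabled     # $null when not found
    RecordCount          = $channel.RecordCount   # $null when not found
} | Format-List

# 3. If only the Event Log API can see the channel, remote WMI from the
#    indexer cannot collect it. The Universal Forwarder's WinEventLog input
#    reads it locally and forwards it, which is the stanza printed below.
#    Assumed destination (standard UF layout):
#    C:\Program Files\SplunkUniversalForwarder\etc\apps\<app>\local\inputs.conf
if ($visibleToEventLogApi -and -not $visibleToWmi) {
    @"
[WinEventLog://$LogName]
disabled = 0
index = $Index
"@
}
```

On a host where the WLAN AutoConfig channel exists, the summary shows VisibleToWmi as False and VisibleToEventLogApi as True, which is the behaviour the follow-up comment describes; the classic logs (Application, System, Security) report True for both. The same check works for any other channel name passed via -LogName, so it can be used to decide per log whether a wmi.conf stanza could ever work before spending time on it.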