
Why, during remote log collection, am I getting "Unable to get wmi classes from host 'xxxx'"?

Srini1207
Engager

Hi everyone,

I'm a newbie to Splunk. I installed Splunk Enterprise on a server which is connected to AD. On another machine, I have installed the Universal Forwarder. I have an admin account for AD and with that I have installed the forwarder on the other machine. I want to monitor all other logs from that machine. If I try to collect the logs, it says "Unable to get wmi classes from host 'xxxxx'. This host may not be reachable or WMI may be misconfigured".

I have followed the steps under "Configure Active Directory for running Splunk software as a domain user" on this page: Prepare your Windows network to run Splunk Enterprise as a network or domain user.

Is there something I am missing? Also, I'm not sure how to collect the remote logs.


PickleRick
SplunkTrust

Ugh. Don't use WMI if you can at all avoid it. It's the "one before worst" method of collecting Windows logs (the worst being using a third-party logging solution like NXLog, Kiwi or whatever of the sort).

Use wineventlog on the UF directly or use WEF if you must.

You can define any Event Log you want to digest with the wineventlog type of input, not just those three "main" Event Logs.


shivanshu1593
Builder

Hello,

WMI is an old-school method to onboard logs. Since you have a UF on the remote machine, you can basically ask it to monitor anything and send it to your Splunk Enterprise server. Here's how to do it in simple steps (this assumes that you have no special certificates created and placed for Splunk for additional security; it uses the default Splunk certs that ship with it):

  1. Log in to Splunk Enterprise, go to Settings -> Indexes and create an index named wineventlog, as I have used the same name in all configs below. If you want to name it something else, please edit all configs below using the same name.
  2. Go to the remote server where the UF is installed, go to its installation directory, then go to etc -> system -> local (example: C:\Program Files\SplunkUniversalForwarder\etc\system\local).
  3. Create a new file called inputs.conf or edit it if it already exists.
  4. Let's say that you want to monitor the Windows Application, Security and System logs. Copy and paste the following configuration into inputs.conf and save it.

[WinEventLog://Security]
disabled = 0
index = wineventlog
sourcetype = WinEventLog:Security
evt_resolve_ad_obj = 1
checkpointInterval = 5
# Uncomment and list the EventCodes you do not want to ingest (comma-separated), e.g. to drop 5156:
# blacklist = 5156

[WinEventLog://System]
disabled = 0
index = wineventlog
sourcetype = WinEventLog:System
evt_resolve_ad_obj = 1
checkpointInterval = 5

[WinEventLog://Application]
disabled = 0
index = wineventlog
sourcetype = WinEventLog:Application
evt_resolve_ad_obj = 1
checkpointInterval = 5

  5. Now create another file in the same folder named outputs.conf or edit it if it already exists and add the following entries to it. Ensure that this remote server is allowed to connect to your Splunk Enterprise server over port 9997 with protocol TCP; if not, place the firewall rules accordingly.

[tcpout:Indexer]
server = name_of_your_server_or_ip:9997

  6. Restart the Splunk service on the remote server and enjoy the data.

Let us know if it works for you.

++If it helps, please consider accepting as an answer++

Thank you,
Shiv
###If you found the answer helpful, kindly consider upvoting/accepting it as the answer as it helps other Splunkers find the solutions to similar issues###
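As an added pre-flight check (my own example, not from the post or from Splunk): after writing the two files above, this PowerShell snippet confirms that every WinEventLog channel named in inputs.conf exists and is enabled on the host, that no stanza is disabled, and that the indexer in outputs.conf accepts TCP on its port. It assumes the default UF install paths and an elevated session on the UF host.

```powershell
# Added example, not part of the original post. Assumes the default UF paths below
# and that it is run on the UF host in an elevated PowerShell session.
$InputsConf  = 'C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf'
$OutputsConf = 'C:\Program Files\SplunkUniversalForwarder\etc\system\local\outputs.conf'
$issues = @()

# 1. Each [WinEventLog://<channel>] stanza must name a channel that exists and is
#    enabled on this host, and the stanza itself must not be disabled; otherwise the
#    UF starts cleanly but forwards nothing for that channel.
$stanza = $null
foreach ($line in Get-Content $InputsConf) {
    $t = $line.Trim()
    if ($t -eq '' -or $t.StartsWith('#')) { continue }
    if ($t -match '^\[WinEventLog://(.+)\]$') {
        $stanza = $Matches[1]
        $log = Get-WinEvent -ListLog $stanza -ErrorAction SilentlyContinue
        if (-not $log) { $issues += "channel '$stanza' does not exist on $env:COMPUTERNAME" }
        elseif (-not $log.IsEnabled) { $issues += "channel '$stanza' is disabled in Windows" }
        continue
    }
    if ($t.StartsWith('[')) { $stanza = $null; continue }   # some other input type
    if ($stanza -and $t -match '^disabled\s*=\s*(1|true)$') {
        $issues += "stanza [WinEventLog://$stanza] has disabled = $($Matches[1])"
    }
}

# 2. Every server in [tcpout:...] must accept a TCP connection on its port (9997 in
#    the post); a blocked port is the usual reason the indexer never sees the data.
foreach ($line in Get-Content $OutputsConf) {
    if ($line -match '^\s*server\s*=\s*(.+)$') {
        foreach ($target in ($Matches[1] -split ',')) {
            $hostName, $port = $target.Trim() -split ':'
            $tnc = Test-NetConnection -ComputerName $hostName -Port ([int]$port) -WarningAction SilentlyContinue
            if (-not $tnc.TcpTestSucceeded) { $issues += "cannot reach indexer ${hostName}:$port over TCP" }
        }
    }
}

if ($issues.Count -eq 0) { 'OK: channels present and indexer reachable' }
else { $issues | ForEach-Object { "PROBLEM: $_" } }
```

Run it before restarting the UF; a "disabled in Windows" result for a channel such as Microsoft-Windows-PowerShell/Operational means the channel must be turned on in Event Viewer (or via wevtutil) before the UF can read it.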

Srini1207
Engager

Thanks for your reply, but can I collect logs like PowerShell execution, Internet Explorer, Chrome, and file monitoring activities? I think we can't do that, and that's why we are using WMI.

If we can collect those logs, what are the steps involved? If not, in which situations do we need to use the UF and WMI?

Thanks


shivanshu1593
Builder

Yes, you can monitor everything using the Splunk UF. I just quoted the Security, System and Application logs as an example. The PowerShell stanza is mentioned below. Not sure why you want to monitor IE and Chrome history when you can get the same from web proxy logs, but if you still want to, you'll need to export the SQLite database, which basically contains the browser history, to a file using simple PS and then ingest that file. File monitoring can also be easily done using a [monitor://] stanza in inputs.conf. If you want to monitor their modification time, then it would require a scripted input, which again can be deployed and run via a UF.

# Monitor the PowerShell Windows Event Log channel
[WinEventLog://Microsoft-Windows-PowerShell/Operational]
disabled = 0
renderXml = 1
index = yourindex
sourcetype = WinEventLog:Powershell

Access browser history using PowerShell: https://social.technet.microsoft.com/wiki/contents/articles/30562.powershell-accessing-sqlite-databa...

Monitor files and directories: https://docs.splunk.com/Documentation/Splunk/latest/Data/Monitorfilesanddirectories#:~:text=Splunk%2....

Scripted inputs: https://docs.splunk.com/Documentation/Splunk/latest/AdvancedDev/ScriptSetup

++If this helps, please consider accepting as an answer++

Thank you,
Shiv
###If you found the answer helpful, kindly consider upvoting/accepting it as the answer as it helps other Splunkers find the solutions to similar issues###