Hi everyone,
I'm a newbie to Splunk. I installed Splunk Enterprise on a server which is connected to AD. On another machine, I have installed the Universal Forwarder. I have an admin account for AD and with that I have installed the forwarder on the other machine. I want to monitor all other logs from that machine. If I try to collect the logs, it says "Unable to get wmi classes from host 'xxxxx'. This host may not be reachable or WMI may be misconfigured".
I have followed the steps under "Configure Active Directory for running Splunk software as a domain user" on this page: Prepare your Windows network to run Splunk Enterprise as a network or domain user.
Is there something I am missing? Also, I'm not sure how to collect the remote logs.
Ugh. Don't use WMI if you can avoid it at all. It's the "one before worst" method of collecting Windows logs (the worst being using a third-party logging solution like NXLog, Kiwi or whatever of the sort).
Use wineventlog on the UF directly or use WEF if you must.
You can define any Event Log you want to digest with the wineventlog type of input, not just those three "main" Event Logs.
Hello,
WMI is an old-school method to onboard logs. Since you have a UF on the remote machine, you can basically ask it to monitor anything and send it to your Splunk Enterprise server. Here's how to do it in simple steps (this assumes that you have no special certificates for Splunk created and placed for additional security; it uses the default Splunk certs that are shipped with it):
[WinEventLog://Security]
disabled = 0
index = wineventlog
sourcetype = WinEventLog:Security
evt_resolve_ad_obj = 1
checkpointInterval = 5
# blacklist = uncomment and add event codes here if you do not want to ingest some, e.g. 5156. Here's how it will look: blacklist = EventCode=5156|addmore|
[WinEventLog://System]
disabled = 0
index = wineventlog
sourcetype = WinEventLog:System
evt_resolve_ad_obj = 1
checkpointInterval = 5
[WinEventLog://Application]
disabled = 0
index = wineventlog
sourcetype = WinEventLog:Application
evt_resolve_ad_obj = 1
checkpointInterval = 5
[tcpout:Indexer]
server = name_of_your_server_or_ip:9997
Let us know if it works for you.
++If it helps, please consider accepting as an answer++
Thanks for your reply, but can I collect logs like PowerShell execution, Internet Explorer, Chrome, and file monitoring activities? I think we can't do it, and that's why we are using WMI.
If we can collect those logs, what are the steps involved? If not, in which situations do we need to use UF and WMI?
Thanks
Yes, you can monitor everything using the Splunk UF. I just quoted the Security, System and Application logs as an example. The PowerShell stanza is mentioned below. Not sure why you want to monitor IE and Chrome history when you can get the same from web proxy logs, but if you still want to, you'll need to export the SQLite database, which basically contains the browser history, to a file using simple PS and then ingest that file. File monitoring can also easily be done using a [monitor://] stanza in inputs.conf. If you want to monitor their modification time, it would require a scripted input, which again can be deployed and run via a UF.
# Monitor PowerShell Windows Event Logs
[WinEventLog://Microsoft-Windows-PowerShell/Operational]
disabled = 0
renderXml = 1
index = yourindex
sourcetype = WinEventLog:Powershell
Access browser history using Powershell: https://social.technet.microsoft.com/wiki/contents/articles/30562.powershell-accessing-sqlite-databa...
Monitor files and directories: https://docs.splunk.com/Documentation/Splunk/latest/Data/Monitorfilesanddirectories#:~:text=Splunk%2....
Scripted inputs: https://docs.splunk.com/Documentation/Splunk/latest/AdvancedDev/ScriptSetup
++If this helps, please consider accepting as an answer++
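The modification-time case mentioned in the answer above, as an added example that is not part of the thread: a PowerShell scripted input for the UF that reports recently written files (with their size and SHA-256) as one event per file. The inputs.conf stanza in the header comment, the app name, the index and the watched path are assumptions, not values from the thread.

```powershell
# Added example: scripted input for the Splunk Universal Forwarder that emits
# file modification events. Assumed inputs.conf stanza on the forwarder (the
# PowerShell modular input runs the script on the given cron schedule and turns
# every object the script outputs into one key=value event); app name, path,
# schedule and index are placeholders:
#
#   [powershell://FileMtimeMonitor]
#   script = . "$SplunkHome\etc\apps\file_mtime\bin\Get-FileMtime.ps1" -Path 'C:\Data\watched'
#   schedule = 0 0/5 * ? * *
#   index = yourindex
#   sourcetype = file:mtime
#
param(
    # Directory to watch (assumed; set it in the stanza above)
    [Parameter(Mandatory = $true)][string]$Path,
    # Only report files written within this window, so a 5-minute schedule
    # sees each change once
    [int]$LookbackMinutes = 5
)

$cutoff = (Get-Date).AddMinutes(-$LookbackMinutes)

Get-ChildItem -Path $Path -File -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -ge $cutoff } |
    ForEach-Object {
        # Hashing lets a search spot content changes that keep the same
        # size; a locked file simply yields an empty sha256 field
        $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256 `
                 -ErrorAction SilentlyContinue).Hash

        # Each object becomes one Splunk event; ISO 8601 UTC so the
        # timestamp is parsed unambiguously
        [pscustomobject]@{
            event_time = $_.LastWriteTime.ToUniversalTime().ToString('o')
            file_path  = $_.FullName
            size_bytes = $_.Length
            sha256     = $hash
            host       = $env:COMPUTERNAME
        }
    }
```

Run it by hand first (`.\Get-FileMtime.ps1 -Path C:\Data\watched`) to confirm the output objects before enabling the stanza on the forwarder.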