I need to set up WMI polling on my Windows boxes that cannot run agents or belong to a domain.
With Splunk, is it possible to use local accounts for WMI polling provided that the permissions are set correctly?
If the machines are not in a domain, then you can query them from another stand-alone Windows server if the user name (i.e. the name Splunk is installed as on the collector) also exists as a local administrator on the target machine(s).
E.g. install Splunk as myhost\foo, where $everyremotehost also has an account ‘foo’ with sufficient (probably local administrator) permissions.
Note: you will probably want to wrap that in a VPN or native IPsec, as without a domain, Windows reverts to NTLMv2, which I believe is crackable.
Thanks, and corrected!
Your backslash was lost in myhost\foo