Getting Data In

How to forward WMI:WinEventLog:Security data from a Windows universal forwarder to a Linux search head?

RecoMark0
Path Finder

Hello,

I am trying to set up WMI on a universal forwarder; however, I am only getting WMI:CPUTime. The WMI:WinEventLog:Security is not working. I tried following http://docs.splunk.com/Documentation/Splunk/6.2.4/Data/MonitorWMIdata but that is for all Windows servers, and not Linux.

My setup:
Search head and main UI on Linux
2 distributed indexers also on Linux
Servers to monitor are on Windows

My wmi.conf file is on a Windows server that has universal forwarder installed. (All other logs being sent from this server are coming in)

[WMI:CPUTime]
interval = 10
disabled = 0
server = localhost
wql = SELECT PercentProcessorTime, PercentUserTime FROM Win32_PerfFormattedData_PerfOS_Processor WHERE Name = "_Total"

[WMI:WinEventLog:Security]
interval = 10
disabled = 0
server = localhost
event_log_file = Security

Do I need to set something else up for security to work? What can I check to verify the event_log_file is being created? Is there a way I can use the wql parameter with security instead, since that works for the CPUTime?

Thank you

0 Karma
1 Solution

grijhwani
Motivator

wmi.conf is only one facet of the config. Where are you forwarding the data to? Are you segregating data type by index? Do the indexes exist? Does the user doing the searching have access rights to all the necessary indexes?


RecoMark0
Path Finder

The issue was solved when the service user for Splunk had its permissions updated.

0 Karma
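A way to check the permission problem described above on the Windows host that runs the forwarder, as an added example (not from this thread and not Splunk's own tooling). It assumes the forwarder service is named "SplunkForwarder" (the default for the Windows universal forwarder), that it runs in an elevated PowerShell session, and that the event_log_file input reads the Win32_NTLogEvent WMI class.

```powershell
# Added diagnostic, not part of the original thread. Assumes the service name
# "SplunkForwarder" (default) and an elevated session on the forwarder host.
$serviceName = 'SplunkForwarder'

# 1. Which account does the forwarder run as? Only that account's rights
#    matter for the WMI inputs defined in wmi.conf.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$serviceName'"
if (-not $svc) { throw "Service '$serviceName' not found on this host" }
"Forwarder service account: $($svc.StartName)"

# 2. Can that account read the Security log? Membership in the local
#    'Event Log Readers' group, or an explicit entry in the channel's
#    security descriptor (SDDL), grants read access.
$readers = Get-LocalGroupMember -Group 'Event Log Readers' -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty Name
"Event Log Readers members: $(if ($readers) { $readers -join ', ' } else { '(none)' })"
$sddl = (Get-WinEvent -ListLog Security).SecurityDescriptor
"Security channel SDDL: $sddl"
if ($svc.StartName -notin @('LocalSystem', 'NT AUTHORITY\SYSTEM') -and
    $readers -notcontains $svc.StartName) {
    "WARNING: $($svc.StartName) is neither LocalSystem nor an Event Log Reader"
}

# 3. Reproduce what the [WMI:WinEventLog:Security] stanza does: a WMI query for
#    the Security log (assumption: the input uses Win32_NTLogEvent). Run this
#    step as the service account itself to get a definitive answer.
try {
    $probe = Get-CimInstance -ErrorAction Stop `
        -Query "SELECT RecordNumber, TimeGenerated FROM Win32_NTLogEvent WHERE Logfile='Security'" |
        Select-Object -First 1
    if ($probe) { "WMI read of Security log OK (latest record $($probe.RecordNumber))" }
    else { "Query succeeded but returned no Security records" }
} catch {
    "WMI read of Security log failed: $($_.Exception.Message)"
}
```

If step 3 fails for the service account while WMI:CPUTime works, the fix is on the account's log read rights, not on wmi.conf or the Linux indexers.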

RecoMark0
Path Finder

Hello, thank you for your response. Here are my answers to your questions.
I am forwarding the data from the server to 2 distributed indexers that are both Linux machines. The only logs not going through are the WMI security. Other logs being monitored, as well as the WMI CPUTime, are getting through.
I do have multiple indexes, but only non-WMI log files are being split to different indexes; the WMI comes in on the main index.
Yes, the indexes exist.
I am using my account, which has full access to all indexes.

0 Karma

grijhwani
Motivator

Another question occurs to me, but not being Windows-centric I have no idea of the likely answer or how to find it: are there Windows access restrictions in force preventing the forwarder from obtaining the WMI security records?

Clearly if you are seeing other Splunk entries from the machine in question, there is no network fault in play.

0 Karma