Getting Data In

Splunk on Linux making WMI queries to Windows servers

maverick
Splunk Employee

I have Splunk running on a Linux server and I need to index WMI-based events, like perfmon data, from my Windows servers, but I am not allowed to install Splunk as a Forwarder on my Windows boxes.

Therefore, I was wondering if anyone has successfully used a WBEM type client on Linux to do this (i.e. similar to how Cacti does it, I think) or if anyone is aware of some other similar type workaround for Linux that would allow me to make the proper remote WMI calls to my Windows servers to get the perfmon info I need?

0 Karma

jeffwarn
Explorer

I was able to compile the wmic source code from zenoss on my indexing server and I can pull WMI data using something like:

wmic -U 'USER%PASS' //WINDOWS-SERVER "select * from win32_service"

Running that command will pull down a number of lines looking like:

CLASS: Win32_Service
AcceptPause|AcceptStop|Caption|CheckPoint|CreationClassName|Description|DesktopInteract|DisplayName|ErrorControl|ExitCode|InstallDate|Name|PathName|ProcessId|ServiceSpecificExitCode|ServiceType|Started|StartMode|StartName|State|Status|SystemCreationClassName|SystemName|TagId|WaitHint
False|True|Operations Manager Audit Forwarding Service|0|Win32_Service|Sends events to a collector for storage in a SQL database.|False|Operations Manager Audit Forwarding Service|Normal|0|(null)|AdtAgent|C:\WINDOWS\system32\AdtAgent.exe|1304|0|Own Process|True|Auto|NT AUTHORITY\NetworkService|Running|OK|Win32_ComputerSystem|WINDOWS-SERVER|0|0

The only issue I have at this point is finding a way to actually make this information useful inside Splunk. Right now it's just the big jumble that you see above (with more lines of logging). I tried installing the Windows App, but that did not seem to do anything useful to the data.

0 Karma
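One way to turn that jumble into events Splunk can field-extract, as an added example that is not code from the thread, zenoss or Splunk: a small Python script that parses the wmic layout shown above (a `CLASS:` line, a pipe-delimited field-name row, then one row per instance) and prints one `key="value"` line per instance, which is what Splunk's automatic key/value extraction picks up. Run as a Splunk scripted input it also covers the "scripted input from the command line" idea raised further down. The sample output is constructed in the layout shown above with a trimmed field list; the `-A authfile` option is the samba authentication-file flag that the samba-derived wmic is assumed to inherit (check `wmic --help` on your build), used here so the password does not sit on the command line where `ps` shows it to every local user.

```python
#!/usr/bin/env python3
"""Parse wmic (zenoss/samba build) output into Splunk-friendly key="value" events.

Added example, not part of the thread. Assumes the output layout wmic prints:
    CLASS: <WMI class>
    Field1|Field2|...
    value|value|...      (one row per instance, "(null)" for NULL)
"""
import subprocess
import sys
from typing import Dict, List, Optional

# Constructed sample in the layout shown above; field list trimmed for brevity.
SAMPLE_OUTPUT = """CLASS: Win32_Service
Name|State|StartMode|PathName|ProcessId|Description
AdtAgent|Running|Auto|C:\\WINDOWS\\system32\\AdtAgent.exe|1304|Sends events to a collector for storage in a SQL database.
Spooler|Stopped|Manual|C:\\WINDOWS\\system32\\spoolsv.exe|0|(null)
"""

NULL_MARKER = "(null)"  # what wmic prints for a NULL WMI property


def parse_wmic(text: str) -> List[Dict[str, Optional[str]]]:
    """Return one dict per instance row, each tagged with its WMI class."""
    events: List[Dict[str, Optional[str]]] = []
    wmi_class: Optional[str] = None
    header: Optional[List[str]] = None
    for raw in text.splitlines():
        line = raw.rstrip("\r\n")
        if not line.strip():
            continue
        if line.startswith("CLASS: "):
            wmi_class = line[len("CLASS: "):].strip()
            header = None  # the field-name row follows every CLASS line
            continue
        if header is None:
            header = line.split("|")
            continue
        values = line.split("|")
        if len(values) != len(header):
            # A '|' inside a free-text value (Description, PathName) shifts the
            # columns; skip the row rather than attribute values to wrong fields.
            print(f"skipping row: {len(values)} fields, expected {len(header)}: "
                  f"{line[:60]}", file=sys.stderr)
            continue
        event: Dict[str, Optional[str]] = {"wmi_class": wmi_class}
        for name, value in zip(header, values):
            event[name] = None if value == NULL_MARKER else value
        events.append(event)
    return events


def to_kv(event: Dict[str, Optional[str]]) -> str:
    """Render one event as key="value" pairs; NULL fields are left out."""
    parts = []
    for key, value in event.items():
        if value is None:
            continue
        parts.append(f'{key}="{value.replace(chr(34), chr(39))}"')  # " -> '
    return " ".join(parts)


def run_wmic(host: str, wql: str, authfile: str, wmic_bin: str = "wmic") -> str:
    """Query one Windows host. -A reads username=/password=/domain= from a file
    (assumed samba-inherited option) instead of passing -U 'USER%PASS'."""
    cmd = [wmic_bin, "-A", authfile, f"//{host}", wql]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


def main(argv: List[str]) -> int:
    if len(argv) != 4:
        print(f"usage: {argv[0]} HOST WQL AUTHFILE", file=sys.stderr)
        return 2
    host, wql, authfile = argv[1:]
    for event in parse_wmic(run_wmic(host, wql, authfile)):
        print(to_kv(event))  # one line per WMI instance, ready for Splunk
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Point a scripted input at it with the host, WQL and auth file as arguments, and keep the auth file readable only by the account Splunk runs as. Splunk's automatic extraction will then give you `Name`, `State`, `StartMode` and so on as fields without any props/transforms work.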

cervelli
Splunk Employee

Overall, it's far, far more trouble than it's worth. As dwaddle points out, you need either a native WMI mapper or a wbem client on the local Windows box (how that isn't as invasive as, or more invasive than, our agent or another agent is unclear).

If for some reason you did go down the wbem mapper route, there is also OpenPegasus (http://www.openpegasus.org/). At least then you could write a scripted input from the command line using wbemmapper.

Note that you still need PAM or another form of cross-compatible authentication for your Linux box to communicate with the Windows box. Note that later versions of Windows (2008, W7) will have to have their security severely degraded.

dwaddle
SplunkTrust

Can you install just one Windows machine w/ a Splunk forwarder on it, and use it as a bridgehead to perform WMI queries against all of your other Windows machines? It may be a lot less work than trying to build something using a generic WBEM client on Linux.

0 Karma

dwaddle
SplunkTrust

One other option appears to be some code in ZenOSS. The ZenOSS folks have apparently taken some samba code and put together a working WMI client for *nix that does not need a wmimapper. You might have luck with that .. http://dev.zenoss.com/trac/log/trunk/wmi/

0 Karma

dwaddle
SplunkTrust

It looks like the cacti guys are depending on at least one Windows bridgehead node. WMI is WBEM, but in normal Microsoft fashion, it's also not. The difference is the transport. "Normal" WBEM uses a vanilla TCP port, while WMI uses DCOM. It looks like there is a moderately popular WBEM/WMI proxy server called 'wmimapper' ( http://tinyurl.com/34c4mwh ) that bridges the TCP/DCOM gap for you. This is what cacti and some of HP's system management software uses. Of course, it needs to run on a Windows machine to be able to speak DCOM.

0 Karma

maverick
Splunk Employee

Yes and I've done that. However, in this specific use case, I am NOT allowed to install Splunk on Windows. Therefore, just curious about any workarounds, even if temporary.

0 Karma