OS: CentOS 7
Component: Search Head, Indexer
Product: Splunk Enterprise
Version: 7.2.1
OS: Windows server2003, 2008 R2, 2012 R2
Component: Forwarder
Product: Splunk Universal Forwarder
Version: 6.3.13, 7.2.0
My customer has asked me to monitor USB storage changes on Windows Server 2003, 2008 R2 and 2012 R2, so I referenced the wmi.conf documentation in the Admin Manual, as follows:
[WMI:USBChanges]
interval = 1
wql = select * from __InstanceOperationEvent within 1 where TargetInstance ISA 'Win32_PnPEntity' and TargetInstance.Description='USB Mass Storage Device'
disabled = 0
current_only = 1
I used the same wmi.conf and that went well on Server 2003 and 2012 R2, BUT IT'S NO USE ON 2008 R2, even though I had added the line use_old_eventlog_api = true in the [WMI:USBChanges] stanza. So I tried to get the info from the registry and failed too. Is there no effective way on that OS?
Hi, guys:
The issue has been solved. I think the reason is that the data on 2008 R2 is slower than on the other platforms, which misled me into thinking I couldn't receive the data from 2008 R2.
I use the same wmi.conf on the deployment server, and everything works well.
Finally, I referred to the following link:
https://answers.splunk.com/answers/46178/deploying-wmi-conf-for-windows-universal-forwarders-with-de...
Thanks to @iunderwood !
In my experience the best place to monitor for devices being connected/disconnected is the Windows registry. There are more details there than WMI can provide.
I would caution against WMI. Running this query every second is a terrible practice.
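A registry-based alternative for this thread's use case, as an added example that is not part of the answer above or of any Splunk documentation quoted on this page: two WinRegMon stanzas for inputs.conf on the Universal Forwarder. One watches the USBSTOR enumeration key, where Windows creates a subkey (vendor, product, revision, then the device instance ID, which usually carries the serial number) the first time a mass storage device is inserted and rewrites values such as FriendlyName on every later insertion; the other watches MountedDevices, where the drive letter assignment is recorded. The stanza names and the index name usb_audit are assumptions; the setting names are standard inputs.conf syntax.

```ini
# inputs.conf on the Universal Forwarder (added example; stanza and index names are assumed).
# hive is a regex over the native registry path, so backslashes are doubled.

[WinRegMon://usb_storage]
# First insertion of a USB mass storage device creates a new subkey here;
# later insertions set values under the existing subkey.
hive = \\REGISTRY\\MACHINE\\SYSTEM\\CurrentControlSet\\Enum\\USBSTOR\\.*
# Watch every process (the PnP manager runs in the System process).
proc = .*
# Key creation/deletion/rename and value writes; reads are not wanted, they are noisy.
type = set|create|delete|rename
# Record the current contents of the key once at startup, so devices that were
# plugged in before the forwarder started are still visible in the index.
baseline = 1
baseline_interval = 86400
index = usb_audit
disabled = 0

[WinRegMon://usb_mounted_volumes]
# Drive letter to volume mapping; a \DosDevices\X: value appears when the
# storage device is mounted. Present on Server 2003, 2008 R2 and 2012 R2 alike.
hive = \\REGISTRY\\MACHINE\\SYSTEM\\MountedDevices
proc = .*
type = set|create|delete|rename
baseline = 1
baseline_interval = 86400
index = usb_audit
disabled = 0
```

Events arrive with sourcetype WinRegistry and carry key_path, registry_type (Create, Set, and so on) and data fields, so a first check after deploying the stanza is to plug a device into a test host and search index=usb_audit sourcetype=WinRegistry key_path="*USBSTOR*". Unlike the WQL query in the question, nothing is polled every second: the input is driven by registry change notifications, so the only periodic cost is the daily baseline.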
I will seriously consider this good suggestion, thanks for your reply 😜
Hello there,
I would try to avoid WMI.
A quick search on the web brings up many results.
Here are a couple that I think would help:
https://social.technet.microsoft.com/Forums/en-US/3eba3ae4-1d93-4181-888b-6980885f6537/event-id-when...
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj...
https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=6416
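The Security log route that the third link describes, as an added example that is not taken from the linked pages: a WinEventLog stanza for inputs.conf on the Universal Forwarder that collects only event 6416, "A new external device was recognized by the system". This event exists on Windows 8.1 / Server 2012 R2 and later only, so it does not cover the Server 2003 and 2008 R2 hosts in the question, and it is written only when the Plug and Play Events audit subcategory is enabled. The index name usb_audit is an assumption.

```ini
# inputs.conf on the Universal Forwarder (added example; index name is assumed).
# Applies to Server 2012 R2 and later only. Event 6416 is logged to the Security
# channel once success auditing is enabled for Detailed Tracking > Plug and Play Events.
#
# Caveat: a WinEventLog stanza is keyed by channel name, so if Security is already
# collected on this host do NOT add a second [WinEventLog://Security] stanza; instead
# make sure 6416 is not excluded by an existing blacklist there.
[WinEventLog://Security]
# Collect only the PnP device recognition event; use 6416,4663 etc. to add more IDs.
whitelist = 6416
# Classic text rendering keeps the device description and Vendor/Product IDs as
# parsed key=value pairs in the event body.
renderXml = false
index = usb_audit
disabled = 0
```

Before relying on it, enable the subcategory on the test host with auditpol /set /subcategory:"Plug and Play Events" /success:enable (or the matching Advanced Audit Policy GPO setting), insert a device, and confirm an event 6416 appears in Event Viewer under the Security log; only then is a missing event in Splunk a forwarding problem rather than an audit policy one.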
Hi, thanks a lot for your reply!
I checked the links and found that the 1st and 3rd links are for 2012 and later, and the 2nd link returns a 404 error.
But I want to say thanks for your help.