
WMI firewall ports

goat
Explorer

I have a Windows 2008 running as a Splunk server. I'm trying to collect Windows security logs via WMI. I have successfully done this on a different environment; however, in this case my target Windows machines are sitting behind a firewall and the Splunk server cannot reach them. What ports does Splunk need opened in order to collect Windows security logs via WMI from the Splunk server to those Windows machines? I understand that WMI uses RPC. My understanding is that the Splunk server and the target machine use 135/tcp to negotiate a port they will use to communicate via WMI. I'm afraid these ports are dynamic, although there is a way to tweak the registry to confine them to a certain range.

Does anyone have any input on how Splunk WMI works when targets are behind a firewall?

Thanks


ritterj1
Engager

This should help; these are the steps I used to do exactly what you're having a problem with.

When adding the Windows machine you will likely get an "RPC Server" error message. This is because the Windows Firewall is blocking the RPC input and output. What we want to do to make the Splunk server talk to the box is:

  1. Go to the remote machine's firewall and add an exemption for TCP Port 135 (Inbound RPC)

  2. While adding this port click the scope button and go to “custom”, add the Splunk server IP

  3. Click ok and then add a port

  4. This time add an exemption for port 5000, name it RPC Dynamic

  5. While adding this port click the scope button and go to “custom”, add the Splunk server IP

  6. Click ok and then exit Windows firewall

  7. Next start regedit

NOTE: Make a backup of your registry!!!!

  1. With Registry Editor, you can modify the following parameters for RPC. The RPC Port key values discussed below are all located in the following key in the registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\Internet\

NOTE: The key "Internet" does not exist nor do any of these strings. You're creating them!

  1. Ports (REG_MULTI_SZ)

     Specifies a set of IP port ranges consisting of either all the ports available from the Internet or all the ports not available from the Internet. Each string represents a single port or an inclusive set of ports. For example, a single port may be represented by 5000.

  2. PortsInternetAvailable (REG_SZ): Y or N (not case-sensitive)

     If Y, the ports listed in the Ports key are all the Internet-available ports on that computer. If N, the ports listed in the Ports key are all those ports that are not Internet-available.

  3. UseInternetPorts (REG_SZ): Y or N (not case-sensitive)

     Specifies the system default policy. If Y, the processes using the default will be assigned ports from the set of Internet-available ports, as defined previously. If N, the processes using the default will be assigned ports from the set of intranet-only ports.

  4. The end result will have the new key looking like:

     Ports: REG_MULTI_SZ: 5000
     PortsInternetAvailable: REG_SZ: Y
     UseInternetPorts: REG_SZ: Y

  5. Finally, following these changes to the registry the computer will require rebooting.

Going back to the Splunk web server where we left off on step two, clicking the "Find Logs" button should return with the ports for addition below in "Additional Logs".

The result of this is increased security by only allowing these open ports to be connected to by your Splunk server and having only one open Dynamic RPC port instead of a range.
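The firewall exemptions and registry values from the steps above, scripted as an added example (not code from this thread or from Splunk). It assumes the Splunk server address is passed in as $SplunkServer and uses the single dynamic port 5000 from the answer; netsh advfirewall is used for the rules because it is present on Windows Server 2008, where the newer NetSecurity cmdlets are not.

```powershell
# Added example: scripts the firewall scope + RPC registry steps from the answer above.
# Run in an elevated PowerShell on the target Windows machine, then reboot.
param(
    [Parameter(Mandatory = $true)][string]$SplunkServer,   # Splunk server IP, e.g. 10.0.0.5 (placeholder)
    [int]$RpcPort = 5000                                   # single RPC dynamic port, as in the answer
)

# Steps 1-6: inbound exemptions for TCP 135 and the dynamic port, scoped to the Splunk server only
# (remoteip= is the netsh equivalent of the "custom" scope in the firewall UI).
netsh advfirewall firewall add rule name="Splunk WMI - RPC endpoint mapper" dir=in action=allow `
    protocol=TCP localport=135 remoteip=$SplunkServer
netsh advfirewall firewall add rule name="Splunk WMI - RPC Dynamic" dir=in action=allow `
    protocol=TCP localport=$RpcPort remoteip=$SplunkServer

# Step 7 onwards: pin RPC's dynamic range to that one port so the second rule is sufficient.
$key = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'
if (-not (Test-Path $key)) {
    New-Item -Path $key -Force | Out-Null          # the "Internet" key does not exist by default
}
New-ItemProperty -Path $key -Name 'Ports' -PropertyType MultiString -Value @("$RpcPort") -Force | Out-Null
New-ItemProperty -Path $key -Name 'PortsInternetAvailable' -PropertyType String -Value 'Y' -Force | Out-Null
New-ItemProperty -Path $key -Name 'UseInternetPorts' -PropertyType String -Value 'Y' -Force | Out-Null

# Verification: show the values written and the two rules before rebooting.
Get-ItemProperty -Path $key | Select-Object Ports, PortsInternetAvailable, UseInternetPorts
netsh advfirewall firewall show rule name="Splunk WMI - RPC endpoint mapper"
netsh advfirewall firewall show rule name="Splunk WMI - RPC Dynamic"
```

Every RPC/DCOM server on the host draws endpoints from this same pool, so if a single port starves other services, add a small range string such as "5000-5020" to Ports and widen the second firewall rule to match.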

ftk
Motivator

Rather than trying to poke holes in the firewall for WMI, I would recommend using Splunk forwarders instead. Either place regular or lightweight forwarders on the target server(s), or grab a box inside the firewall, turn it into a forwarder to your main indexer, and then have this forwarder box pull all the logs via WMI from the other servers. That way you just need to poke one hole for Splunk into your firewall, and you can encrypt that traffic to boot.

justinhart
Path Finder

TCP/135 is the standard port for RPC. It also uses a randomly assigned port between 1024-65535 (TCP) for Windows 2003 and older, and 49152-65535 (TCP) for Windows 2008. As far as I know there is not a way to change this since it is an internal Windows service.
