I have a Windows 2008 running as a Splunk server. I'm trying to collect Windows security logs via WMI. I have successfully done this on a different environment; however, in this case my target Windows machines are sitting behind a firewall and the Splunk server cannot reach them. What ports does Splunk need opened in order to collect Windows security logs via WMI from the Splunk server to those Windows machines? I understand that WMI uses RPC. My understanding is that the Splunk server and the target machine use 135/tcp to negotiate a port they will use to communicate via WMI. I'm afraid these ports are dynamic, although there is a way to tweak the registry to confine them to a certain range.
Does anyone have any input on how Splunk WMI works when targets are behind a firewall?
Thanks
This should help; these are the steps I used to do exactly what you're having a problem with.
When adding the Windows machine you will likely get an "RPC Server" error message. This is because the Windows Firewall is blocking the RPC input and output. What we want to do to make the Splunk server talk to the box is:
1. Go to the remote machine's firewall and add an exemption for TCP Port 135 (Inbound RPC).
2. While adding this port, click the scope button, go to "custom", and add the Splunk server IP.
3. Click OK and then add a port.
4. This time add an exemption for port 5000; name it RPC Dynamic.
5. While adding this port, click the scope button, go to "custom", and add the Splunk server IP.
6. Click OK and then exit Windows Firewall.
Next start regedit
NOTE: Make a backup of your registry!!!!
NOTE: The key "Internet" does not exist nor do any of these strings. You're creating them!
Ports                   REG_MULTI_SZ
PortsInternetAvailable  REG_SZ  Y or N (not case-sensitive)
UseInternetPorts        REG_SZ  Y or N (not case-sensitive)
The end result will have the new key looking like:
Ports:                  REG_MULTI_SZ: 5000
PortsInternetAvailable: REG_SZ:       Y
UseInternetPorts:       REG_SZ:       Y
Finally, following these changes to the registry the computer will require rebooting.
Going back to the Splunk web server where we left off on step two, clicking the “Find Logs” button should return with the ports for addition below in “Additional Logs”
The result of this is increased security, by only allowing these open ports to be connected to by your Splunk server and by having only one open dynamic RPC port instead of a range.
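A scripted version of the steps in the answer above, added here as an example (it is not the answer author's code). It assumes it is run from an elevated PowerShell prompt on the target Windows machine, that $SplunkServer is your Splunk indexer's IP, and that the "Internet" key lives under HKLM\SOFTWARE\Microsoft\Rpc, the standard location for these RPC values; netsh is used for the firewall rules so it also works on Windows 2008.

```powershell
# Added example: scripted equivalent of the manual steps above (not the answer author's code).
# Assumptions: elevated prompt on the target machine; $SplunkServer is the indexer's IP;
# the RPC "Internet" key sits under HKLM\SOFTWARE\Microsoft\Rpc (created here, since it
# does not exist by default, as the answer notes).
param(
    [Parameter(Mandatory = $true)][string]$SplunkServer,   # e.g. 10.0.0.5 (placeholder)
    [int]$DynamicPort = 5000                                 # single RPC port, as in the answer
)

$ErrorActionPreference = 'Stop'

# Steps 1-2: inbound RPC endpoint mapper (TCP 135), scoped to the Splunk server only.
netsh advfirewall firewall add rule name="Splunk WMI - RPC Endpoint Mapper" `
    dir=in action=allow protocol=TCP localport=135 remoteip=$SplunkServer | Out-Null

# Steps 3-5: the one dynamic port, also scoped to the Splunk server only.
netsh advfirewall firewall add rule name="Splunk WMI - RPC Dynamic" `
    dir=in action=allow protocol=TCP localport=$DynamicPort remoteip=$SplunkServer | Out-Null

# Back up the parent key before touching it (the answer's "make a backup" note).
$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$backup = Join-Path $env:TEMP "Rpc-backup-$stamp.reg"
reg export 'HKLM\SOFTWARE\Microsoft\Rpc' $backup | Out-Null

# Create the Internet key and the three values from the answer.
$internetKey = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'
if (-not (Test-Path $internetKey)) { New-Item -Path $internetKey | Out-Null }

New-ItemProperty -Path $internetKey -Name 'Ports' -PropertyType MultiString `
    -Value @("$DynamicPort") -Force | Out-Null
New-ItemProperty -Path $internetKey -Name 'PortsInternetAvailable' -PropertyType String `
    -Value 'Y' -Force | Out-Null
New-ItemProperty -Path $internetKey -Name 'UseInternetPorts' -PropertyType String `
    -Value 'Y' -Force | Out-Null

# Show what was written so it can be checked against the expected end result.
Get-ItemProperty -Path $internetKey | Format-List Ports, PortsInternetAvailable, UseInternetPorts
netsh advfirewall firewall show rule name="Splunk WMI - RPC Dynamic"
Write-Host "Registry backed up to $backup. Reboot for the RPC port change to take effect."
```

The scoped rules mean only the Splunk server can reach 135 and 5000; if you later change $DynamicPort, update both the firewall rule and the Ports value together or WMI collection will fail again with the RPC Server error.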
Rather than trying to poke holes in the firewall for WMI, I would recommend using Splunk forwarders instead. Either place regular or lightweight forwarders on the target server(s), or grab a box inside of the firewall, turn it into a forwarder to your main indexer, and then have this forwarder box pull all the logs via WMI from the other servers. That way you just need to poke one hole for Splunk into your firewall, and you can encrypt that traffic to boot.
TCP/135 is the standard port for RPC. It also uses a randomly assigned port between 1024-65535 (TCP) for Windows 2003 and older, and 49152-65535 (TCP) for Windows 2008. As far as I know there is not a way to change this since it is an internal Windows service.