Even though using a universal forwarder to monitor remote Windows data is easier and recommended, the following introduction shows how to install and configure Splunk and retrieve a remote Windows Server's data, such as CPUTime, Memory, LocalNetwork and so on, over WMI:
Suppose there are two servers on the same network: Server A as the Splunk Center (Windows 2003 Server) and Server B as a client (Windows 2003 Server).
Download and install a Splunk instance on Server A:
a. Install as the Local System user.
b. After installation is complete, check that ports 8000 and 8089 are in the LISTENING state.
c. In a browser (e.g. IE, FF), open Splunk Web on the Splunk Center (Server A), i.e. http://Server_A_hostname:8000
d. Enter the user name Admin and the password changeme in the Splunk login interface.
e. Go to App -> Search and make sure search is working (e.g. try searching index=_internal).
Configure Server A and the remote Server B so that Server A can retrieve Server B's data over WMI:
a. Add a new user on Server A. This example uses SplunkAdmin, configured with Administrators permission. Set a password for this user. It is strongly recommended to use an AD administrator account when Server A and Server B are in the same domain.
b. On Server B, add the same user as on Server A (i.e. both Server A and Server B have the same username and password). This example uses SplunkAdmin, who has not only Administrators permission but is also a member of Performance Log Users and Performance Monitor Users.
c. Set up WMI on Server B:
Computer Management -> Services and Applications -> WMI Control -> Properties -> Security.
Click Root -> Security -> add the user SplunkAdmin and enable the Enable Account and Remote Enable permissions.
Advanced -> click SplunkAdmin -> Edit -> set "Apply to" to This namespace and subnamespaces.
d. Add the DCOM permissions:
Control Panel -> Administrative Tools -> Local Security Policy -> Local Policies -> Security Options -> DCOM: Machine Launch Restrictions -> Properties -> Edit Security -> add the user SplunkAdmin -> select Remote Launch and Remote Activation.
Set the splunkd service logon user on Server A:
a. In "Start" -> "Run", execute services.msc, find the splunkd service, right-click it and choose Properties.
b. On the "Log On" tab, change "Local System Account" to "This Account", and enter the SplunkAdmin username and password.
c. Restart the splunkd service.
Configure WMI-based inputs on the Server A Splunk Center:
a. In a browser (e.g. IE, FF), open Splunk Web on the Splunk Center (Server A), i.e. http://Server_A_hostname:8000
b. Splunk -> Manager -> Data inputs -> Remote event log collections
c. Click "New" to add a new WMI remote collection.
d. Add Server B's hostname or IP address, then select the type of data you want to collect, such as CPUTime, Memory, etc.
e. Go to the Search app summary dashboard; you will see remote Server B's event log data collected over WMI.
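The following PowerShell script is an added verification aid, not part of the original post or of Splunk itself; run it on Server A after the steps above to confirm each one took effect (ports listening, splunkd logon account, and a remote WMI read from Server B). The hostname SERVER_B and the account name SplunkAdmin are placeholders matching this example.

```powershell
# Added verification script (not from the original post). Run on Server A.
# Assumes: splunkd is installed locally, SERVER_B is the remote client (placeholder),
# and SplunkAdmin is the shared account created in step 2a/2b.
param(
    [string]$RemoteHost = "SERVER_B",               # Server B hostname or IP (placeholder)
    [string]$WmiUser    = "SERVER_B\SplunkAdmin"    # local SplunkAdmin account on Server B
)

# Step 1b: Splunk Web (8000) and splunkd management (8089) must be LISTENING locally.
$listening = netstat -an | Select-String "LISTENING"
foreach ($port in 8000, 8089) {
    if ($listening | Select-String ":$port\s") { "OK   port $port is LISTENING" }
    else                                        { "FAIL port $port is not listening" }
}

# Step 3: splunkd must log on as SplunkAdmin, because WMI calls to Server B are made
# with the splunkd service identity, not with credentials stored in the input.
$svc = Get-WmiObject Win32_Service -Filter "Name='splunkd'"
if ($svc.StartName -like "*SplunkAdmin") { "OK   splunkd logs on as $($svc.StartName)" }
else { "FAIL splunkd logs on as '$($svc.StartName)'; expected SplunkAdmin (step 3b)" }

# Steps 2c/2d: prove the namespace (Enable Account, Remote Enable) and DCOM
# (Remote Launch, Remote Activation) rights work by reading the same kind of
# counters the Remote event log / WMI input will collect (CPUTime, Memory).
$cred = Get-Credential $WmiUser
try {
    $cpu = Get-WmiObject -ComputerName $RemoteHost -Credential $cred -Query `
        "SELECT Name, PercentProcessorTime FROM Win32_PerfFormattedData_PerfOS_Processor WHERE Name='_Total'"
    "OK   CPU on ${RemoteHost}: $($cpu.PercentProcessorTime)% busy"
    $os = Get-WmiObject -ComputerName $RemoteHost -Credential $cred -Class Win32_OperatingSystem
    "OK   Free physical memory on ${RemoteHost}: $($os.FreePhysicalMemory) KB"
}
catch {
    # 0x80070005 = access denied (namespace or DCOM rights missing),
    # 0x800706BA = RPC server unavailable (firewall blocking DCOM/RPC to Server B)
    "FAIL WMI query to ${RemoteHost} failed: $($_.Exception.Message)"
}
```

A FAIL on the remote query with access denied points at steps 2c/2d on Server B; a FAIL on the splunkd logon account means the WMI input will run as LocalSystem, which has no rights on Server B.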
I am not sure whether different Windows versions also work following the instructions above. You may try Server A as the Splunk Center (Windows 2008 Server) and Server B as a client (Windows 2003 Server), and vice versa.