
Forums: SplunkAdministration: Lightweight forwarding disables WMI queries on Server 2008




Hi all,
I'm trying the new Splunk 4 Free with lightweight forwarders and I'm having some issues. I've configured my Splunk server on CentOS, and a forwarder on a Windows 2008 Server. Everything works as expected until I enable lightweight forwarding on my Windows machine. As soon as I do that, I stop receiving WMI inputs from the Windows machine. The plugin is not explicitly disabled in my inputs.conf within the LightweightForwarder local config. Any idea why WMI stops sending data but I continue to receive logging data? Here are the steps to reproduce:

1. Install latest distro (32-bit) on Server 2008
2. Configure forwarding to server
3. Configure custom log and WMI inputs
4. Restart splunk and verify all data is being received on the server
5. Enable lightweight forwarding and restart
6. Still receive data from logs, but the WMI plugin appears to be disabled.

[Revised on Sun, 01 Nov 2009 14:42:19 -0800]

Edit:

Just to be clear, I've copied the wmi.conf file over from another server so I don't have to manually add the WMI queries. As I said earlier, I'm still getting inputs that are logs and directories, but no WMI, and only from this box. Do I need to explicitly enable the Windows app within the LightweightForwarder application?

That's weird, there's nothing in the SplunkLightForwarder that should have stopped wmi from working.

Were there any special parameters, sending items to non-default indexes, props, transforms, or other things you were using with WMI inputs?

The Windows app does need to be enabled, but it's independent of the SplunkLightForwarder. If you disable the SplunkLightForwarder app, I guess the WMI stuff starts coming in again?
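To make the reply's questions concrete (which stanzas, which index, whether anything is disabled), here is the shape of a minimal wmi.conf on the Windows forwarder that collects a local event log and a local performance counter. This is an added example, not the poster's copied file or anything shipped by Splunk; the stanza names, the interval values and the `index = windows` line are assumptions chosen for illustration, and the `[settings]` values are the defaults as documented for the 4.x Windows app.

```ini
# Added example of a wmi.conf for a Splunk 4.x Windows forwarder (not the
# original poster's file). Stanza names, intervals and the target index are
# assumed for illustration.

[settings]
# Global retry/backoff behaviour for WMI connections (documented 4.x defaults).
initial_backoff = 5
max_backoff = 20
max_retries_at_max_backoff = 2
checkpoint_sync_interval = 2

# Collect the local Application event log over WMI (no wql needed when
# event_log_file is set). "disabled = 0" is the line to check first when
# data stops arriving: a copy of wmi.conf from another host, or a higher-
# precedence local/ copy, can silently carry "disabled = 1".
[WMI:LocalApplication]
interval = 10
event_log_file = Application
disabled = 0

# Collect CPU performance data with an explicit WQL query.
[WMI:LocalPerfmonCPU]
interval = 5
wql = select PercentProcessorTime, PercentUserTime from Win32_PerfFormattedData_PerfOS_Processor
disabled = 0

# Assumed: route the WMI events to a non-default index. This is exactly the
# kind of "special parameter" the reply asks about, because if the index does
# not exist on the indexer (or the default search does not cover it) the data
# is indexed but never shows up in a plain search.
[WMI:LocalSystem]
interval = 10
event_log_file = System
disabled = 0
index = windows
```

To see which copy of each stanza actually wins after the LightweightForwarder app is enabled, run `splunk cmd btool wmi list --debug` in `%SPLUNK_HOME%\bin` on the forwarder; the `--debug` flag prefixes every effective line with the file it came from, so a `disabled = 1` coming from an unexpected app directory is immediately visible. The same check with `btool inputs list --debug` shows whether the forwarder's inputs.conf still carries the `[WMI]` stanza. On the indexer, if the forwarder's `_internal` data is arriving, `index=_internal source=*splunkd.log* WMI` will show connection or permission errors from the WMI input; if it is silent and `sourcetype=WMI:*` returns nothing across all indexes, the stanza has stopped running rather than merely landing in the wrong index.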

I wonder if perhaps it's simply that the WMI data is not showing up in searches on the indexer. There is some processing that occurs on the non-Light Forwarder that (with a LWF) needs to occur on the indexer. Possibly the configuration for that is not included with the Linux indexer, and you may have to download and install the Windows app on your indexer to get it to work? (You might want to disable all the Windows inputs that come with the Windows app on the Linux indexer. They won't work, so they won't cause any harm, but still.)

What happens if instead of selecting Enable Lightweight forwarding you select Configure forwarding to Hosts instead?

It sounds like you are getting through some forwarded data on your CentOS box that came from the Windows 2008 forwarder. I'm guessing that is just the local File stuff, and probably WinEventSecurity, etc. Just not any gathered WMI data.

If you can't get the WMI forwarding working with just Configure forwarding to Hosts enabled I'd open as a Case with Splunk support. I've already logged a support Case on a new WMI forwarding issue I'm having with 2008 R2 and 4.0.5.