I have what is probably a very newbie question:
I would like to monitor a WMI event with Splunk. This event returns the key of a class instance which has been modified.
So:
1. The event WMI\MyEvent fires and reports root\CIMV2\MyClass instance MyInstance1 has changed.
2. I need to send root\CIMV2\MyClass MyInstance1 to Splunk (the changed instance, not the event itself).
Can I handle this with the UFW? I didn't see an obvious way to accomplish this in wmi.conf.
If I can't, I could wrap the logic into a PowerShell script that does the proper joining and prints to stdout as a CSV line. Can I have the UFW monitor the stdout of a PowerShell script and report whenever a new line is output?
Anything else I should look at?
Thanks in advance!
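The script the question sketches (subscribe to the WMI event, re-fetch the instance whose key the event reports, print one CSV row per change to stdout), written out as an added example; it is not from the original post or from Splunk. It assumes the intrinsic `__InstanceModificationEvent` as the event source and uses the real class Win32_Service with key property Name as a stand-in for MyClass, since the post does not show the definition of WMI\MyEvent or MyClass; both are parameters so they can be swapped for the real ones.

```powershell
# Added example (not from the original post): watch a WMI class for modified
# instances, look each changed instance up by its key, and emit it as CSV on
# stdout so a Splunk forwarder input that reads a script's output can collect it.
param(
    [string]$Namespace   = 'root\CIMV2',
    [string]$ClassName   = 'Win32_Service',  # assumption: stand-in for MyClass
    [string]$KeyProperty = 'Name',           # assumption: stand-in for MyClass's key
    [int]$PollSeconds    = 5                 # WITHIN interval for the intrinsic event
)

# Intrinsic modification events need a WITHIN polling interval. If WMI\MyEvent is
# an extrinsic event, replace this query with "SELECT * FROM MyEvent" and adjust
# how the key is read below (extrinsic events carry it in their own properties).
$query    = "SELECT * FROM __InstanceModificationEvent WITHIN $PollSeconds " +
            "WHERE TargetInstance ISA '$ClassName'"
$sourceId = "wmi-watch-$ClassName"

# Turn one CIM instance into a flat CSV row (with the event metadata in front).
function ConvertTo-CsvRow {
    param([Microsoft.Management.Infrastructure.CimInstance]$Instance,
          [string]$Key, [switch]$IncludeHeader)
    $row = [ordered]@{
        Timestamp = (Get-Date).ToString('o')
        Namespace = $Namespace
        Class     = $ClassName
        Key       = $Key
    }
    foreach ($p in $Instance.CimInstanceProperties) {
        # Array-valued properties are joined so the row stays single-line.
        $v = $p.Value
        if ($v -is [System.Array]) { $v = ($v -join ';') }
        if (-not $row.Contains($p.Name)) { $row[$p.Name] = $v }
    }
    $lines = [pscustomobject]$row | ConvertTo-Csv -NoTypeInformation
    if ($IncludeHeader) { return $lines }   # header + data row on the first event
    return ($lines | Select-Object -Skip 1) # data row only afterwards
}

Register-CimIndicationEvent -Namespace $Namespace -Query $query -SourceIdentifier $sourceId
$first = $true
try {
    while ($true) {
        $evt = Wait-Event -SourceIdentifier $sourceId
        Remove-Event -EventIdentifier $evt.EventIdentifier
        $key = $evt.SourceEventArgs.NewEvent.TargetInstance.$KeyProperty

        # Re-fetch the current instance rather than trusting the event's snapshot.
        # Filtering client-side keeps the key value out of the WQL string, so an
        # odd key (quotes, backslashes) cannot alter the query.
        $inst = Get-CimInstance -Namespace $Namespace -ClassName $ClassName |
                Where-Object { $_.$KeyProperty -eq $key }
        if ($null -eq $inst) { continue }   # instance vanished between event and lookup

        ConvertTo-CsvRow -Instance $inst -Key $key -IncludeHeader:$first
        $first = $false
    }
}
finally {
    Unregister-Event -SourceIdentifier $sourceId -ErrorAction SilentlyContinue
}
```

The event is consumed on the main thread with Wait-Event instead of an -Action script block on purpose: output written inside an -Action block goes to the event job, not to the script's stdout, and stdout is what a forwarder-run script is read from. Which forwarder input runs the script (a scripted input or the PowerShell input) and its interval are deployment details this example leaves out.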