From 75ca76b8d256e1148d3d878c8b5d18499308b583 Mon Sep 17 00:00:00 2001
From: admingit <pamphile.jocelyn@gmail.com>
Date: Tue, 24 Oct 2023 16:43:29 +0200
Subject: [PATCH] add_wmi

---
 .../Splunk_TA_windows_FW/default/wmi.conf     |  28 ++--
 .../local/wmi.conf                            | 154 ++++++++++++++++++
 2 files changed, 169 insertions(+), 13 deletions(-)
 create mode 100644 deployment-apps/Splunk_TA_windows_local_only/local/wmi.conf

diff --git a/deployment-apps/Splunk_TA_windows_FW/default/wmi.conf b/deployment-apps/Splunk_TA_windows_FW/default/wmi.conf
index 67ca1288..cd379a84 100644
--- a/deployment-apps/Splunk_TA_windows_FW/default/wmi.conf
+++ b/deployment-apps/Splunk_TA_windows_FW/default/wmi.conf
@@ -41,15 +41,15 @@ disabled = 1
 ## Run once per day
 interval = 86400
 wql = SELECT TotalPhysicalMemory FROM Win32_ComputerSystem
-
+index=wineventlog
 
 ## CPU
 ## Usually disabled in favor of Perfmon counters
 [WMI:CPUTime]
 interval = 3
 wql = SELECT PercentProcessorTime,PercentUserTime,Name FROM Win32_PerfFormattedData_PerfOS_Processor
-disabled = 1
-
+disabled = 0
+index=perfmon
 
 ## Disk
 
@@ -57,41 +57,43 @@ disabled = 1
 [WMI:FreeDiskSpace]
 interval = 120
 wql = SELECT Name,FreeMegabytes,PercentFreeSpace FROM Win32_PerfFormattedData_PerfDisk_LogicalDisk
-disabled = 1
+disabled = 0
+index=perfmon
 
 [WMI:LogicalDisk]
 interval = 120
 wql = SELECT Name,AvgDisksecPerRead,AvgDisksecPerWrite,AvgDisksecPerTransfer,DiskReadsPersec,DiskWritesPersec FROM Win32_PerfFormattedData_PerfDisk_LogicalDisk
-disabled = 1
+disabled = 0
+index=perfmon
 
 [WMI:LocalPhysicalDisk]
 interval = 10
 wql = SELECT Name, CurrentDiskQueueLength, DiskBytesPerSec, PercentDiskReadTime, PercentDiskWriteTime, PercentDiskTime FROM Win32_PerfFormattedData_PerfDisk_PhysicalDisk
-disabled = 1
-
+disabled = 0
+index=perfmon
 
 ## Memory
 ## Usually disabled in favor of Perfmon counters
 [WMI:Memory]
 interval = 5
 wql = SELECT PagesPerSec, PagesInputPerSec, PagesOutputPerSec, AvailableBytes, CommittedBytes, PercentCommittedBytesInUse, PoolPagedBytes, PoolNonpagedBytes FROM Win32_PerfFormattedData_PerfOS_Memory
-disabled = 1
-
+disabled = 0
+index=perfmon
 
 ## Network
 ## Usuall disabled in favor of Perfmon counters
 [WMI:LocalNetwork]
 interval = 10
 wql = SELECT Name, BytesReceivedPerSec, BytesSentPerSec, BytesTotalPerSec, CurrentBandwidth FROM Win32_PerfFormattedData_Tcpip_NetworkInterface
-disabled = 1
-
+disabled = 0
+index=perfmon
 
 ## Processes
 [WMI:LocalProcesses]
 interval = 30
 wql = SELECT Name, IDProcess, PrivateBytes, PercentProcessorTime FROM Win32_PerfFormattedData_PerfProc_Process
-disabled = 1
-
+disabled = 0
+index=windows
 
 ## Scheduled Jobs
 
diff --git a/deployment-apps/Splunk_TA_windows_local_only/local/wmi.conf b/deployment-apps/Splunk_TA_windows_local_only/local/wmi.conf
new file mode 100644
index 00000000..cd379a84
--- /dev/null
+++ b/deployment-apps/Splunk_TA_windows_local_only/local/wmi.conf
@@ -0,0 +1,154 @@
+##
+## SPDX-FileCopyrightText: 2021 Splunk, Inc. <sales@splunk.com>
+## SPDX-License-Identifier: LicenseRef-Splunk-8-2021
+## DO NOT EDIT THIS FILE!
+## Please make all changes to files in $SPLUNK_HOME/etc/apps/Splunk_TA_windows/local.
+## To make changes, copy the section/stanza you want to change from $SPLUNK_HOME/etc/apps/Splunk_TA_windows/default
+## into ../local and edit there.
+##
+## This file contains possible attribute/value pairs for configuring WMI access FROM Splunk.
+##
+
+[settings]
+initial_backoff = 5
+max_backoff = 20
+max_retries_at_max_backoff = 0
+checkpoint_sync_interval = 2
+
+## Pull event logs FROM the local system
+## Usually disabled in favor of using WinEventLog inputs
+[WMI:LocalApplication]
+interval = 10
+event_log_file = Application
+disabled = 1
+
+[WMI:LocalSystem]
+interval = 10
+event_log_file = System
+disabled = 1
+
+[WMI:LocalSecurity]
+interval = 10
+event_log_file = Security
+disabled = 1
+
+
+## Gather performance data FROM the local system
+
+## Computer System
+[WMI:ComputerSystem]
+disabled = 1
+## Run once per day
+interval = 86400
+wql = SELECT TotalPhysicalMemory FROM Win32_ComputerSystem
+index=wineventlog
+
+## CPU
+## Usually disabled in favor of Perfmon counters
+[WMI:CPUTime]
+interval = 3
+wql = SELECT PercentProcessorTime,PercentUserTime,Name FROM Win32_PerfFormattedData_PerfOS_Processor
+disabled = 0
+index=perfmon
+
+## Disk
+
+## Usually disabled in favor of Perfmon counters
+[WMI:FreeDiskSpace]
+interval = 120
+wql = SELECT Name,FreeMegabytes,PercentFreeSpace FROM Win32_PerfFormattedData_PerfDisk_LogicalDisk
+disabled = 0
+index=perfmon
+
+[WMI:LogicalDisk]
+interval = 120
+wql = SELECT Name,AvgDisksecPerRead,AvgDisksecPerWrite,AvgDisksecPerTransfer,DiskReadsPersec,DiskWritesPersec FROM Win32_PerfFormattedData_PerfDisk_LogicalDisk
+disabled = 0
+index=perfmon
+
+[WMI:LocalPhysicalDisk]
+interval = 10
+wql = SELECT Name, CurrentDiskQueueLength, DiskBytesPerSec, PercentDiskReadTime, PercentDiskWriteTime, PercentDiskTime FROM Win32_PerfFormattedData_PerfDisk_PhysicalDisk
+disabled = 0
+index=perfmon
+
+## Memory
+## Usually disabled in favor of Perfmon counters
+[WMI:Memory]
+interval = 5
+wql = SELECT PagesPerSec, PagesInputPerSec, PagesOutputPerSec, AvailableBytes, CommittedBytes, PercentCommittedBytesInUse, PoolPagedBytes, PoolNonpagedBytes FROM Win32_PerfFormattedData_PerfOS_Memory
+disabled = 0
+index=perfmon
+
+## Network
+## Usuall disabled in favor of Perfmon counters
+[WMI:LocalNetwork]
+interval = 10
+wql = SELECT Name, BytesReceivedPerSec, BytesSentPerSec, BytesTotalPerSec, CurrentBandwidth FROM Win32_PerfFormattedData_Tcpip_NetworkInterface
+disabled = 0
+index=perfmon
+
+## Processes
+[WMI:LocalProcesses]
+interval = 30
+wql = SELECT Name, IDProcess, PrivateBytes, PercentProcessorTime FROM Win32_PerfFormattedData_PerfProc_Process
+disabled = 0
+index=windows
+
+## Scheduled Jobs
+
+## Use the Win32_ScheduledJob  class. Note that this class can only return jobs that are created using either a script or AT.exe.
+## It cannot return information about jobs that are either created by or modified by the Scheduled Task wizard.
+[WMI:ScheduledJobs]
+disabled = 1
+## Run twice per day
+interval = 43200
+wql = SELECT Caption, Command, Description, InstallDate, InteractWithDesktop, JobId, JobStatus, Name, Notify, Priority, RunRepeatedly, Status FROM Win32_ScheduledJob
+
+## Services
+
+## http://msdn.microsoft.com/en-us/library/aa394418(VS.85).aspx
+## Lists all services registered on the system,if they are running,and the status
+[WMI:Service]
+disabled = 1
+## Run once an hour
+interval = 3600
+wql = SELECT Name, Caption, State, Status, StartMode, StartName, PathName, Description FROM Win32_Service
+
+
+## Update
+[WMI:InstalledUpdates]
+disabled = 1
+## Run once per day
+interval = 86400
+wql = SELECT Description, FixComments, HotFixID, InstalledBy, InstalledOn, ServicePackInEffect FROM Win32_QuickFixEngineering
+
+
+## Uptime
+[WMI:Uptime]
+disabled = 1
+## Run once per day
+interval = 86400
+wql = SELECT SystemUpTime FROM Win32_PerfFormattedData_PerfOS_System
+
+
+## User Accounts
+[WMI:UserAccounts]
+disabled = 1
+## Run twice per day
+interval = 43200
+wql = SELECT Caption, Description, Domain, InstallDate, LocalAccount, Name, SID, SIDType, Status FROM Win32_Account WHERE LocalAccount = true
+
+## Deprecated: The SIDs for local accounts can be retrieved by enabling the WMI:UserAccounts stanza
+## disabled = 1
+## Run twice per day
+## interval = 43200
+## wql = SELECT * FROM Win32_AccountSID
+
+
+## Version
+[WMI:Version]
+disabled = 1
+## Run once per day
+interval = 86400
+wql = SELECT Caption, ServicePackMajorVersion, ServicePackMinorVersion, Version FROM Win32_OperatingSystem