- Introduction
- Deployment
- Configuration
- OS Support
- Integration
- 42. Amazon Web Services (AWS)
- 43. Apache HTTP Server
- 44. Apache NiFi
- 45. Apache Tomcat
- 46. APC Automatic Transfer Switch
- 47. Apple macOS kernel
- 48. ArcSight Common Event Format (CEF)
- 49. Box
- 50. Brocade switches
- 51. Browser History Logs
- 52. Check Point
- 53. Cisco ACS
- 54. Cisco ASA
- 55. Cisco FireSIGHT
- 56. Cisco IPS
- 57. Cloud Instance Metadata
- 58. Common Event Expression (CEE)
- 59. Dell EqualLogic
- 60. Dell iDRAC
- 61. Dell PowerVault MD series
- 62. Devo
- 63. DHCP logs
- 64. DNS Monitoring
- 65. Docker
- 66. Elasticsearch and Kibana
- 67. F5 BIG-IP
- 68. File Integrity Monitoring
- 69. FreeRADIUS
- 70. Google Chronicle
- 71. Graylog
- 72. HP ProCurve
- 73. IBM QRadar SIEM
- 74. Industrial Control Systems
- 75. Linux Audit System
- 76. Linux system logs
- 77. Log Event Extended Format (LEEF)
- 78. Logstash
- 79. McAfee Enterprise Security Manager (ESM)
- 80. McAfee ePolicy Orchestrator
- 81. Microsoft Active Directory Domain Controller
- 82. Microsoft Azure
- 83. Microsoft Azure Event Hubs
- 84. Microsoft Azure Sentinel
- 85. Microsoft Exchange
- 86. Microsoft IIS
- 87. Microsoft SharePoint
- 88. Microsoft SQL Server
- 89. Microsoft System Center Endpoint Protection
- 90. Microsoft System Center Configuration Manager
- 91. Microsoft System Center Operations Manager
- 92. MongoDB
- 93. Nagios Log Server
- 94. Nessus Vulnerability Scanner
- 95. NetApp
- 96. .NET application logs
- 97. Nginx
- 98. Okta
- 99. Oracle Database
- 100. Osquery
- 101. Postfix
- 102. Promise
- 103. Raijin Database Engine
- 104. Rapid7 InsightIDR SIEM
- 105. RSA NetWitness
- 106. SafeNet KeySecure
- 107. Salesforce
- 108. Snare
- 109. Snort
- 110. Solarwinds Loggly
- 111. Splunk
- 112. Sumo Logic
- 113. Symantec Endpoint Protection
- 114. Synology DiskStation
- 115. Syslog
- 116. Sysmon
- 117. Ubiquiti UniFi
- 118. VMware vCenter
- 119. Windows AppLocker
- 120. Windows Command Line Auditing
- 121. Windows Event Log
- 122. Windows Firewall
- 123. Windows Group Policy
- 124. Windows Management Instrumentation (WMI)
- 125. Windows PowerShell
- 126. Microsoft Windows Update
- 127. Windows USB auditing
- 128. Zeek (formerly Bro) Network Security Monitor
- Troubleshooting
- Enterprise Edition Reference Manual
- NXLog Manager
- NXLog Add-Ons
124. Windows Management Instrumentation (WMI)
The Windows Management Instrumentation (WMI) system is an implementation of the Web-Based Enterprise Management (WBEM) and Common Information Model (CIM) standards. It provides an infrastructure for managing remote systems and providing management data. For more information about WMI, see Windows Management Instrumentation on Microsoft Docs.
WMI event logging uses Event Tracing for Windows (ETW). These logs can be collected via Windows Event Log or ETW. For Windows versions prior to Windows Vista and Windows Server 2008, it is also possible to read from WMI log files.
124.1. Reading WMI events from the Windows Event Log
WMI logs events to Microsoft-Windows-WMI-Activity/Operational in the Windows
Event Log, including these event IDs:
-
Event ID 5857: Operation_StartedOperational
-
Event ID 5858: Operation_ClientFailure
-
Event ID 5859: Operation_EssStarted
-
Event ID 5860: Operation_TemporaryEssStarted
-
Event ID 5861: Operation_ESStoConsumerBinding
The following configuration will collect and parse these events from
Microsoft-Windows-WMI-Activity/Operational using the
im_msvistalog module. The xm_xml module is used
to further parse the XML data in the $UserData field.
![[Download file]](images/icons/download_icon.png "Download file"){kind=icon}
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
<Extension _xml>
Module xm_xml
</Extension>
<Input in>
Module im_msvistalog
<QueryXML>
<QueryList>
<Query Id="0">
<Select Path="Microsoft-Windows-WMI-Activity/Operational">*</Select>
</Query>
</QueryList>
</QueryXML>
Exec if $UserData parse_xml($UserData);
</Input>
{
"EventTime": "2019-02-24T21:19:36.603548+01:00",
"Hostname": "Host.DOMAIN.local",
"Keywords": "4611686018427387904",
"EventType": "ERROR",
"SeverityValue": 4,
"Severity": "ERROR",
"EventID": 5858,
"SourceName": "Microsoft-Windows-WMI-Activity",
"ProviderGuid": "{1418EF04-B0B4-4623-BF7E-D74AB47BBDAA}",
"Version": 0,
"TaskValue": 0,
"OpcodeValue": 0,
"RecordNumber": 7314,
"ActivityID": "{3459A8FD-CC70-0000-47C6-593470CCD401}",
"ExecutionProcessID": 1020,
"ExecutionThreadID": 8840,
"Channel": "Microsoft-Windows-WMI-Activity/Operational",
"Domain": "NT AUTHORITY",
"AccountName": "SYSTEM",
"UserID": "S-1-5-18",
"AccountType": "User",
"Message": "Id = {3459A8FD-CC70-0000-47C6-593470CCD401}; ClientMachine = HOST; User = NT AUTHORITY\\SYSTEM; ClientProcessId = 3640; Component = Unknown; Operation = Start IWbemServices::ExecQuery - root\\cimv2 : Select * from Win32_Service Where Name = 'MpsSvc'; ResultCode = 0x80041032; PossibleCause = Unknown",
"Opcode": "Info",
"UserData": "<Operation_ClientFailure xmlns='http://manifests.microsoft.com/win/2006/windows/WMI'><Id>{3459A8FD-CC70-0000-47C6-593470CCD401}</Id><ClientMachine>HOST</ClientMachine><User>NT AUTHORITY\\SYSTEM</User><ClientProcessId>3640</ClientProcessId><Component>Unknown</Component><Operation>Start IWbemServices::ExecQuery - root\\cimv2 : Select * from Win32_Service Where Name = 'MpsSvc'</Operation><ResultCode>0x80041032</ResultCode><PossibleCause>Unknown</PossibleCause></Operation_ClientFailure>",
"EventReceivedTime": "2019-02-24T21:19:38.104568+01:00",
"SourceModuleName": "in",
"SourceModuleType": "im_msvistalog",
"Operation_ClientFailure.Id": "{3459A8FD-CC70-0000-47C6-593470CCD401}",
"Operation_ClientFailure.ClientMachine": "HOST",
"Operation_ClientFailure.User": "NT AUTHORITY\\SYSTEM",
"Operation_ClientFailure.ClientProcessId": "3640",
"Operation_ClientFailure.Component": "Unknown",
"Operation_ClientFailure.Operation": "Start IWbemServices::ExecQuery - root\\cimv2 : Select * from Win32_Service Where Name = 'MpsSvc'",
"Operation_ClientFailure.ResultCode": "0x80041032",
"Operation_ClientFailure.PossibleCause": "Unknown"
}124.2. Reading WMI events via ETW
WMI events can also be collected via ETW directly. Note that WMI tracing is not enabled by default—see Tracing WMI Activity on Microsoft Docs.
The following configuration uses the im_etw module to collect ETW logs from the Microsoft-Windows-WMI-Activity provider.
1
2
3
4
<Input etw_in>
Module im_etw
Provider Microsoft-Windows-WMI-Activity
</Input>
{
"SourceName": "Microsoft-Windows-WMI-Activity",
"ProviderGuid": "{1418EF04-B0B4-4623-BF7E-D74AB47BBDAA}",
"EventID": 100,
"Version": 0,
"Channel": 18,
"OpcodeValue": 0,
"TaskValue": 0,
"Keywords": "2305843009213693952",
"EventTime": "2019-03-04T19:48:48.842576+01:00",
"ExecutionProcessID": 1500,
"ExecutionThreadID": 8104,
"ActivityID": "{AF4CFCDC-66C1-4A9A-B7D7-13ECD1AAE01A}",
"EventType": "INFO",
"SeverityValue": 2,
"Severity": "INFO",
"Domain": "NT AUTHORITY",
"AccountName": "SYSTEM",
"UserID": "S-1-5-18",
"AccountType": "User",
"ComponentName": "MI_Client",
"MessageDetail": "Operation Enumerate Instances: session=0000008F1C752638, operation=0000008F1D03DCF0, internal-operation=0000008F1D63ED90, namespace=root\\Microsoft\\Windows\\Storage\\SM, classname=MSFT_SMStorageVolume",
"FileName": "admin\\wmi\\wmiv2\\client\\api\\operation.c:2008",
"EventReceivedTime": "2019-03-04T19:48:49.888767+01:00",
"SourceModuleName": "etw_in",
"SourceModuleType": "im_etw"
}124.3. Reading from WMI log files
There are three WMI provider log files available on Windows versions prior to
Windows Vista and Windows Server 2008. These files are normally located in
%systemroot%\system32\wbem\logs. For more information, see
WMI Provider Log Files on Microsoft Docs.
These log files can be configured by modifying the Windows Registry
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Logging value. Set it to 1
for error logging or 2 for verbose logging. For more details about configuring
the WMI log files, see
Logging WMI Activity.
This configuration collects and parses events from the three WMI log files.
1
2
3
4
5
6
7
8
9
10
11
<Input in>
Module im_file
File 'C:\WINDOWS\system32\wbem\Logs\wmiprov.log'
File 'C:\WINDOWS\system32\wbem\Logs\ntevt.log'
File 'C:\WINDOWS\system32\wbem\Logs\dsprovider.log'
<Exec>
file_name() =~ /(?<Filename>[^\\]+)$/;
if $raw_event =~ /^\((?<EventTime>.+)\.\d{7}\) : (?<Message>.+)$/
$EventTime = strptime($EventTime, "%a %b %d %H:%M:%S %Y");
</Exec>
</Input>
{
"EventReceivedTime": "2019-03-12T18:32:16.296875+01:00",
"SourceModuleName": "in",
"SourceModuleType": "im_file",
"Filename": "wmiprov.log",
"EventTime": "2019-03-12T18:32:16.000000+01:00",
"Message": "C:\\WINDOWS\\system32\\DRIVERS\\bthpan.sys[NdisMofResource]"
}