We have noticed that Splunk Universal Forwarder (version does not appear to matter, 6.2.x or 6.3.x) on Windows 2012 seems to cause an excessive number of starts and stops of the WMI service (indicated by event logs for event ID 7036 and WMI). We have found this behavior does not exist on previous versions of Windows. The WMI service is set to "manual". A search of the web suggested changing the WMI service startup type from "manual" to "automatic", which we did try, but it does not seem to make a difference. This latter did not seem logical to me, even though I gave it a try, because the service is starting and stopping, indicating to me that a start and stop command is being issued every time and, if so, would continue to be issued regardless of startup type.
I have been unable to determine if any Splunk scripts are issuing a start and stop to the WMI service every time it is called and, if so, why I am only seeing the indicators of such in 2012. This starting and stopping, while quick, seems to be putting an unnecessary burden on resources (which is how we discovered this issue).
Has anyone run into this? Fix?