Sumo Logic

Preconfigure a Machine to Collect Remote Windows Performance Monitoring Logs

Use the instructions in this topic to preconfigure a machine to work with the Remote Windows Performance Monitor Log source.

Domain user and Collector setup

Before the Collector can pull Windows perfmon logs from a remote machine, you must complete these prerequisite tasks:

  • The Collector must belong to the same domain as the systems it's going to collect from.
  • You must create a domain user who also belongs to the local Administrators group on the target machine.
  • Windows Firewall must be configured to allow inbound RPC connections.
  • The Remote Registry service must be running.
  • NetBIOS over TCP/IP must be enabled.

Set up domain and local administrator user

Create a domain user who belongs to the local Administrators group on the target machine.

Set up Windows Firewall on the Target Machine

  1. Open up the Windows firewall from the Control Panel.
  2. On the left panel, click Allow a program or feature through Windows Firewall, check Windows Management Instrumentation, and save your change.

Configure to allow RPC traffic

1. Go to Windows Firewall > Advanced settings > Inbound Rules > New Rule. The New Inbound Rule wizard opens.
2. Choose Custom.
3. Click Next, then choose All programs.
4. Click Next to reach the Protocol and Ports page.
5. Select the protocol and ports. Use:

  • Protocol Type: TCP
  • Local Port: RPC Dynamic Ports

Ports required for communication are:

  • TCP Port 135 (DCE/RPC Locator service)
  • TCP Port 139 (NetBIOS Session Service)
  • TCP Port 445 (Windows shares)
  • UDP 137
  • UDP 138

6. Click Next

7. Enter the IP restrictions (optional, but more secure).

The local address should be the address of this machine that the Collector will connect to. The remote address should be the IP address the Collector will use to talk to this Windows system. In the screenshot that accompanied this step, it's set to Any IP address.

8. Click Next

9. Select Allow the connection.

10. Click Next

11. Select the Domain profile.

12. Give the rule a name, for example, "Allow Sumo Logic Collector IN".
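The same inbound rules, created from an elevated PowerShell prompt on the target machine so the configuration is reproducible. This is an added example and not part of the Sumo Logic documentation; the Collector address 10.0.0.25 is a constructed placeholder that you should replace with your Collector's IP.

```powershell
# Added example: firewall steps 1-12 plus the fixed ports this page lists,
# restricted to the Collector's address (assumed 10.0.0.25; a placeholder).
# Run in an elevated PowerShell session on the target machine.
$collectorIp = '10.0.0.25'

# Equivalent of "Allow a program or feature": enable the predefined WMI group
# for inbound traffic in the Domain profile.
Enable-NetFirewallRule -DisplayGroup 'Windows Management Instrumentation (WMI)' `
    -Direction Inbound

# Steps 5-12: TCP, RPC dynamic ports ("RPC" is a LocalPort keyword), all
# programs (the default), Domain profile only, remote address restricted.
New-NetFirewallRule -DisplayName 'Allow Sumo Logic Collector IN' `
    -Direction Inbound -Action Allow -Profile Domain `
    -Protocol TCP -LocalPort RPC `
    -RemoteAddress $collectorIp `
    -Description 'RPC dynamic ports for Sumo Logic remote perfmon collection'

# Fixed ports the page lists as required: TCP 135 (RPC locator),
# 139 (NetBIOS session), 445 (SMB) and UDP 137/138 (NetBIOS name/datagram).
New-NetFirewallRule -DisplayName 'Allow Sumo Logic Collector IN (TCP fixed)' `
    -Direction Inbound -Action Allow -Profile Domain `
    -Protocol TCP -LocalPort 135,139,445 `
    -RemoteAddress $collectorIp

New-NetFirewallRule -DisplayName 'Allow Sumo Logic Collector IN (UDP)' `
    -Direction Inbound -Action Allow -Profile Domain `
    -Protocol UDP -LocalPort 137,138 `
    -RemoteAddress $collectorIp

# Verify: list the rules just created with their resolved port filters.
Get-NetFirewallRule -DisplayName 'Allow Sumo Logic Collector IN*' |
    Get-NetFirewallPortFilter
```

Leaving `-RemoteAddress` out reproduces the "Any IP address" setting from step 7; keeping it limits the exposure of the RPC dynamic range to the Collector host only.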

Grant Admin full control to Registry Key

1. Launch regedit.exe as Administrator.
2. Find the following registry key: HKEY_CLASSES_ROOT\CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6}
3. Right-click and select Permissions.

4. Click Advanced.

5. Click the Owner tab, and set the new owner to the Administrators group.

6. Click Apply.

7. Click OK.

8. Back on the main Permissions page, grant the new owner, Administrators, Full Control of this object.

9. Click OK.

10. Repeat steps 3-9 for the following registry key (if it exists):

HKLM\Software\Classes\Wow6432Node\CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6}

11. Finally, from services.msc, restart the Remote Registry service.

These registry key changes are necessary because Sumo Logic uses j-Interop, a Java-DCOM bridge, to communicate with the remote machine and gather perf logs via WMI over DCOM. Several major software vendors have documented a requirement to make a similar change in order to allow script access.

The key's owner is changed from TrustedInstaller to Administrators so that Administrators can be granted full control. If you can directly grant Administrators full control via GPO, you can skip this step. You can also change the owner back to TrustedInstaller afterwards.

Enable NetBIOS over TCP/IP

  1. Click Start, and then click Network. (Click Start, type ncpa.cpl into the search box for Windows 7 or Vista, and hit ENTER.)
  2. Click the Network and Sharing Center.
  3. Click Manage Network Connections.
  4. Right-click the Local Area Connection and select Properties.
  5. Select Internet Protocol version 4 (TCP/IPv4).
  6. Click the Advanced button under the General tab.
  7. Click the WINS tab.
  8. Click Enable NetBIOS Over TCP/IP.
  9. Click OK and exit the settings.

Validating Dynamic RPC Port Access Through Firewalls

On Windows Vista and 2008+, the default dynamic port range is 49152-65535. On older Windows systems, the default dynamic port range is 1025-5000.

Make sure that:

  1. The firewall is properly configured on the remote machine. The dynamic port range must be open.
  2. If the remote machine's IP address is in a private range (10.*.*.*, 172.16.*.* through 172.31.*.*, or 192.168.*.*) and the Collector machine is not in the same private network, the remote machine will not be reachable.
  3. Run PortQry to check whether the remote machine's ip:port is listening.

Download PortQry from https://www.microsoft.com/en-us/download/details.aspx?id=17148, then run it from the Collector machine, replacing <ip> with the remote machine's address and <port> with the port to test:

portqry -n <ip> -p tcp -o <port>
portqry -n <ip> -p tcp -o 135,139,445
portqry -n <ip> -p udp -o 137,138

If the response is "FILTERED", a firewall or VLAN could be blocking the port.

If the response is "NOT LISTENING", Sumo Logic can reach the machine, but nothing is listening on that port number.
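A PowerShell check that goes one step past PortQry: it tests the fixed ports, then opens a WMI session over DCOM (the path the Collector actually uses, which also exercises the dynamic RPC range), and reads the Remote Registry state, the NetBIOS setting and one perfmon counter. This is an added example, not Sumo Logic's code; the target name PERFHOST01 is a constructed placeholder and the script assumes it is run on the Collector host as the domain user created earlier.

```powershell
# Added example: prerequisite check from the Collector host against one target.
# Assumption: target 'PERFHOST01' is a placeholder; run as the domain user that
# belongs to the target's local Administrators group.
param([string]$Target = 'PERFHOST01')

$checks = [ordered]@{}

# Fixed TCP ports this page requires. A failure here corresponds to PortQry
# reporting FILTERED or NOT LISTENING; this test does not distinguish the two.
foreach ($port in 135, 139, 445) {
    $t = Test-NetConnection -ComputerName $Target -Port $port -WarningAction SilentlyContinue
    $checks["TCP $port reachable"] = $t.TcpTestSucceeded
}

# The Collector talks WMI over DCOM, so force the DCOM protocol (not WinRM).
# A successful session proves the endpoint mapper and a dynamic port both pass.
try {
    $opt = New-CimSessionOption -Protocol Dcom
    $s = New-CimSession -ComputerName $Target -SessionOption $opt -ErrorAction Stop
    $checks['WMI over DCOM'] = $true

    # Remote Registry service must be running.
    $svc = Get-CimInstance -CimSession $s -ClassName Win32_Service -Filter "Name='RemoteRegistry'"
    $checks['Remote Registry running'] = ($svc.State -eq 'Running')

    # NetBIOS over TCP/IP: TcpipNetbiosOptions 0 = via DHCP, 1 = enabled, 2 = disabled.
    $nics = Get-CimInstance -CimSession $s -ClassName Win32_NetworkAdapterConfiguration `
        -Filter 'IPEnabled = TRUE'
    $checks['NetBIOS over TCP/IP'] = @($nics | Where-Object { $_.TcpipNetbiosOptions -ne 2 }).Count -gt 0

    # One perfmon counter read, the same kind of query the source will issue.
    $cpu = Get-CimInstance -CimSession $s -ClassName Win32_PerfFormattedData_PerfOS_Processor `
        -Filter "Name='_Total'"
    $checks['Perf counter read'] = ($null -ne $cpu)

    Remove-CimSession $s
}
catch {
    $checks['WMI over DCOM'] = $false
    $checks['Error'] = $_.Exception.Message
}

$checks
```

If every TCP port test passes but the DCOM session fails, the usual cause is the dynamic port range (49152-65535 on Vista/2008+) being filtered, which the fixed-port tests cannot reveal.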

If you use a stricter firewall policy and need to reduce the range of ports that are open, refer to the following Microsoft article on how to restrict RPC port ranges in Windows:

http://support.microsoft.com/kb/154596