I am looking to use WMI to get a number of events. Would someone be able to help me with the permissions that are needed for this? The point of this is to not use Local or Domain admins.
Also, does anyone know how much bandwidth a WMI event normally uses?
I would start with this document on allowing access to WMI.
The easiest way to access WMI calls without using a domain admin account would be to make the account a member of the "Performance Monitor" users group. Enable the account and enable the "Remote Enable" options for the account. You would also want to assign the user to the Distributed COM users as well.
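The steps in the answer above, scripted as an added example (not posted by anyone in the thread and not vendor code). It assumes a hypothetical domain collector account `CONTOSO\svc-siem` and that `root\cimv2` is the namespace the SIEM queries, and it must be run elevated on the host being collected from.

```powershell
# Added example. Assumptions: 'CONTOSO\svc-siem' is a hypothetical collector
# account (DOMAIN\name form) and root\cimv2 is the namespace being queried.
param(
    [string]$Account   = 'CONTOSO\svc-siem',
    [string]$Namespace = 'root\cimv2'
)
$ErrorActionPreference = 'Stop'

# 1. Local groups named in the answer; no Administrators membership involved.
foreach ($group in 'Performance Monitor Users', 'Distributed COM Users') {
    if ((& net.exe localgroup $group) -notcontains $Account) {
        & net.exe localgroup $group $Account /add | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "Could not add $Account to '$group'" }
    }
}

# 2. WMI namespace ACL: grant only Enable Account (0x1) and Remote Enable (0x20).
$mask = 0x1 -bor 0x20
$nt   = New-Object System.Security.Principal.NTAccount($Account)
$sid  = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value

$wmi = @{ Namespace = $Namespace; Path = '__SystemSecurity=@' }
$get = Invoke-WmiMethod @wmi -Name GetSecurityDescriptor
if ($get.ReturnValue -ne 0) { throw "GetSecurityDescriptor failed: $($get.ReturnValue)" }
$sd = $get.Descriptor

# Skip the write if an allow ACE for this SID already carries both rights.
$existing = $sd.DACL | Where-Object {
    $_.Trustee.SidString -eq $sid -and $_.AceType -eq 0 -and
    ($_.AccessMask -band $mask) -eq $mask
}
if (-not $existing) {
    $trustee = (New-Object System.Management.ManagementClass('Win32_Trustee')).CreateInstance()
    $trustee.SidString = $sid
    $ace = (New-Object System.Management.ManagementClass('Win32_Ace')).CreateInstance()
    $ace.AccessMask = $mask
    $ace.AceType    = 0   # ACCESS_ALLOWED
    $ace.AceFlags   = 0   # this namespace only, not inherited by sub-namespaces
    $ace.Trustee    = $trustee
    $sd.DACL += $ace.psobject.ImmediateBaseObject
    $set = Invoke-WmiMethod @wmi -Name SetSecurityDescriptor -ArgumentList $sd.psobject.ImmediateBaseObject
    if ($set.ReturnValue -ne 0) { throw "SetSecurityDescriptor failed: $($set.ReturnValue)" }
}

# 3. Show the ACEs the account now holds on the namespace, for the change record.
$sd.DACL | Where-Object { $_.Trustee.SidString -eq $sid } |
    Select-Object @{n='Account';e={$Account}}, AccessMask, AceType, AceFlags
```

The script is idempotent, so it can be pushed by whatever deployment tooling is available and re-run without stacking duplicate ACEs.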
I've had good luck with using the SIEM Collector Agent to send Microsoft events instead of WMI pulls. Sure, it means that an agent must be installed on the Windows system, but it is pretty small and I don't have to manage service accounts and permissions.
I am also using the SIEM collector for a large number of my systems. The problem is that it does not work on Server 2012. Plus, we are going through a merger, and have a number of systems that are not in ePO. I know the guys on the other side of the merger are not going to want to do a ton of manual configuration.
Okay, it was just a suggestion. I have it running on Server 2012-Core, although I did push it with ePO. I suspect it can be manually installed, but I haven't tried with a vanilla Server 2012.
You're right. It does install on Server 2012. I just now remember that you must have .Net 3.5 installed, and we would prefer to not install that, and the SIEM collector is not compatible with .Net 4.5.