Hello, I have a question regarding collecting data from Windows systems using WMI input. My objectives are: To configure WMI input to collect metrics/logs from a Windows host. To verify that the WMI input configuration is correct and that data is being successfully ingested. To validate data collection using a basic and simple WMI query as a test. In particular, I would like to understand: how to confirm that the WMI connection and authentication are working correctly; which logs or debug options should be checked to verify that WMI input is receiving data; what minimal WMI queries are recommended for initial testing and validation. I have already reviewed the documentation, but I would appreciate practical guidance or best practices for initial setup and troubleshooting. Thank you in advance for your help. P.S. I have already checked the documentation 🙂

WMI Data Collection for Windows Systems The Logstash WMI input plugin has known reliability issues and isn't recommended. For Windows WMI metrics collection, use Metricbeat with the Windows module instead - it's stable, actively maintained, and works well with Energy Logserver. Quick Setup with Metricbeat 1. Installation Download Metricbeat from your ELS installation directory: install/Agents/beats/windows/metricbeat-oss-*.zip Or use the Integrations plugin in ELS GUI: Navigate to Integrations → Microsoft Windows Systems Click One Click to get preconfigured agent with dashboards 2. Basic WMI Configuration Edit modules.d/windows.yml : yaml - module: windows metricsets: ["wmi"] period: 10m wmi: namespace: "root\\cimv2" queries: # OS info - good for initial testing - class: Win32_OperatingSystem properties: - FreePhysicalMemory - NumberOfUsers - Caption # Process monitoring - class: Win32_Process properties: - Name - ProcessId - WorkingSetSize output.logstash: hosts: ["your-els-server:5044"] if(window.hljsLoader && !document.currentScript.parentNode.hasAttribute('data-s9e-livepreview-onupdate')) { window.hljsLoader.highlightBlocks(document.currentScript.parentNode); } Verify It's Working Test configuration and connectivity: powershell cd "C:\Program Files\Metricbeat" .\metricbeat.exe test config .\metricbeat.exe test output if(window.hljsLoader && !document.currentScript.parentNode.hasAttribute('data-s9e-livepreview-onupdate')) { window.hljsLoader.highlightBlocks(document.currentScript.parentNode); } Both should return OK status. Run in foreground to see live output: powershell .\metricbeat.exe -e if(window.hljsLoader && !document.currentScript.parentNode.hasAttribute('data-s9e-livepreview-onupdate')) { window.hljsLoader.highlightBlocks(document.currentScript.parentNode); } Watch for: Connection to backoff(async(tcp://...)) established - Logstash connection working WMI query execution messages Any error output Check data reached Elasticsearch: bash curl localhost:9200/metricbeat-*/_search?pretty&size=2 if(window.hljsLoader && !document.currentScript.parentNode.hasAttribute('data-s9e-livepreview-onupdate')) { window.hljsLoader.highlightBlocks(document.currentScript.parentNode); } Good Test Queries to Start With These WMI classes are lightweight and reliable for testing: yaml # System info - class: Win32_ComputerSystem properties: - Name - Domain - TotalPhysicalMemory # Disk info - class: Win32_LogicalDisk properties: - Name - FreeSpace - Size where: "DriveType = 3" # Local disks only # Service status - class: Win32_Service properties: - Name - State - StartMode where: "Name = 'W32Time'" if(window.hljsLoader && !document.currentScript.parentNode.hasAttribute('data-s9e-livepreview-onupdate')) { window.hljsLoader.highlightBlocks(document.currentScript.parentNode); } Avoid: Win32_Product class - it's extremely slow and can trigger software repairs on the system. Troubleshooting No data appearing: Check logging.level: debug in metricbeat.yml View logs in C:\Program Files\Metricbeat\logs\ Verify WMI class exists: Get-WmiObject -Class Win32_OperatingSystem Permission errors: Metricbeat service needs WMI read permissions. Default NT AUTHORITY\SYSTEM account usually has sufficient access. Query timeouts: Some WMI queries are slow. Adjust timeout in config: yaml wmi: warning_threshold: 15m if(window.hljsLoader && !document.currentScript.parentNode.hasAttribute('data-s9e-livepreview-onupdate')) { window.hljsLoader.highlightBlocks(document.currentScript.parentNode); } Energy Logserver Integration The Integrations plugin automatically provides: Preconfigured WMI queries for common metrics Parsing pipelines for Windows data Ready-made dashboards for visualization This is the fastest way to get started. Resources Metricbeat Windows Module: https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-module-windows.html WMI Metricset Details: https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-windows-wmi.html Windows WMI Classes Reference: https://learn.microsoft.com/en-us/windows/win32/wmisdk/wmi-classes

How to collect Windows metrics using WMI input and verify data ingestion

NumberOne

Hello,

I have a question regarding collecting data from Windows systems using WMI input.

My objectives are:

To configure WMI input to collect metrics/logs from a Windows host.
To verify that the WMI input configuration is correct and that data is being successfully ingested.
To validate data collection using a basic and simple WMI query as a test.

In particular, I would like to understand:

how to confirm that the WMI connection and authentication are working correctly;
which logs or debug options should be checked to verify that WMI input is receiving data;
what minimal WMI queries are recommended for initial testing and validation.

I have already reviewed the documentation, but I would appreciate practical guidance or best practices for initial setup and troubleshooting.

Thank you in advance for your help.

P.S. I have already checked the documentation 🙂

MichalW

WMI Data Collection for Windows Systems

The Logstash WMI input plugin has known reliability issues and isn't recommended. For Windows WMI metrics collection, use Metricbeat with the Windows module instead - it's stable, actively maintained, and works well with Energy Logserver.

Quick Setup with Metricbeat

1. Installation

Download Metricbeat from your ELS installation directory: install/Agents/beats/windows/metricbeat-oss-*.zip

Or use the Integrations plugin in ELS GUI:

Navigate to Integrations → Microsoft Windows Systems
Click One Click to get preconfigured agent with dashboards

2. Basic WMI Configuration

Edit modules.d/windows.yml:

yaml

- module: windows
  metricsets: ["wmi"]
  period: 10m
  wmi:
    namespace: "root\\cimv2"
    queries:
      # OS info - good for initial testing
      - class: Win32_OperatingSystem
        properties:
          - FreePhysicalMemory
          - NumberOfUsers
          - Caption
      
      # Process monitoring
      - class: Win32_Process
        properties:
          - Name
          - ProcessId
          - WorkingSetSize

output.logstash:
  hosts: ["your-els-server:5044"]

Verify It's Working

Test configuration and connectivity:

powershell

cd "C:\Program Files\Metricbeat"
.\metricbeat.exe test config
.\metricbeat.exe test output

Both should return OK status.

Run in foreground to see live output:

powershell

.\metricbeat.exe -e

Watch for:

Connection to backoff(async(tcp://...)) established - Logstash connection working
WMI query execution messages
Any error output

Check data reached Elasticsearch:

bash

curl localhost:9200/metricbeat-*/_search?pretty&size=2

Good Test Queries to Start With

These WMI classes are lightweight and reliable for testing:

yaml

# System info
- class: Win32_ComputerSystem
  properties:
    - Name
    - Domain
    - TotalPhysicalMemory

# Disk info  
- class: Win32_LogicalDisk
  properties:
    - Name
    - FreeSpace
    - Size
  where: "DriveType = 3"  # Local disks only

# Service status
- class: Win32_Service
  properties:
    - Name
    - State
    - StartMode
  where: "Name = 'W32Time'"

Avoid: Win32_Product class - it's extremely slow and can trigger software repairs on the system.

Troubleshooting

No data appearing:

Check logging.level: debug in metricbeat.yml
View logs in C:\Program Files\Metricbeat\logs\
Verify WMI class exists: Get-WmiObject -Class Win32_OperatingSystem

Permission errors: Metricbeat service needs WMI read permissions. Default NT AUTHORITY\SYSTEM account usually has sufficient access.

Query timeouts: Some WMI queries are slow. Adjust timeout in config:

yaml

wmi:
  warning_threshold: 15m

Energy Logserver Integration

The Integrations plugin automatically provides:

Preconfigured WMI queries for common metrics
Parsing pipelines for Windows data
Ready-made dashboards for visualization

This is the fastest way to get started.

Resources

Metricbeat Windows Module: https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-module-windows.html
WMI Metricset Details: https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-metricset-windows-wmi.html
Windows WMI Classes Reference: https://learn.microsoft.com/en-us/windows/win32/wmisdk/wmi-classes