We're using Meraki MX400 security appliances. The Meraki devices use WMI to grab information about who's logged into what. The issue I'm having is that on many occasions when people log onto a VMware View linked clone desktop, Meraki will misidentify the name of the client as a desktop in a pool that hasn't been in existence for many, many months. I have checked ADUC, DNS, DHCP and WINS and have confirmed that those names do not exist anywhere in my network.
The Meraki tech has wanted me to gather AD logs on WMI queries. I sent him the one listed in the event log area of the DC we'd be using to log in for this and he says it's the wrong log, but has no information as to what log I should be pulling. I am not a WMI expert by any means. His words to me are:
The MX uses WMI queries to pull info for log on events on particular clients.
If you could grab the logs for a client on the AD that corroborate or conflict with the MX's output I can use that to scope the problem.
And then when I sent him the "wrong" log:
I don't think this is the correct log. This log shows instances of WMI queries occurring on the device, not the information a WMI query would grab.
If you're unsure how to gather and interpret the logs from AD I would recommend getting in touch with the relevant support.
And then finally when I reiterated that I've not been able to find anything:
If it appears that the MX is seeing false positive log on events for particular clients we'll need to check to see that there are no log on events for those clients in the AD server for the WMI to pull.
Can anyone help with this?
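
One way to pull the kind of record the tech describes, as an added example that is not part of the original post or Meraki's tooling: a WMI query, run in an elevated session on the DC, for Security-log logon events that mention the stale desktop name. It assumes the relevant events are ID 4624 (successful logon on Server 2008 and later); `OLDPOOL-01` is a placeholder for the name the MX reports.

```powershell
# Added example (not from the original post). Run elevated on the domain controller.
# Assumptions: logon events of interest are Security event ID 4624;
# 'OLDPOOL-01' is a placeholder for the stale desktop name shown by the MX.
param(
    [string]$StaleName = 'OLDPOOL-01',
    [int]$HoursBack    = 24
)

# WQL compares TimeGenerated against a DMTF datetime string (UTC offset +000).
$since = (Get-Date).AddHours(-$HoursBack).ToUniversalTime().ToString('yyyyMMddHHmmss') + '.000000+000'

$wql = "SELECT * FROM Win32_NTLogEvent " +
       "WHERE Logfile='Security' AND EventCode=4624 AND TimeGenerated >= '$since'"

Get-CimInstance -Query $wql |
    # InsertionStrings holds the event's data fields; keep events where any
    # field equals the stale name (-contains is case-insensitive for strings).
    Where-Object { $_.InsertionStrings -contains $StaleName } |
    ForEach-Object {
        $s = $_.InsertionStrings
        # Field positions below follow the 4624 event layout.
        [pscustomobject]@{
            Time        = $_.TimeGenerated
            User        = '{0}\{1}' -f $s[6], $s[5]   # TargetDomainName\TargetUserName
            LogonType   = $s[8]
            Workstation = $s[11]                      # WorkstationName
            SourceIP    = $s[18]                      # IpAddress
        }
    } |
    Sort-Object Time |
    Format-Table -AutoSize
```

An empty result means no 4624 event in that window on this DC carries the name; any rows returned give the user and source IP to compare against what the MX displays.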