Splunk® Enterprise

Getting Data In


Monitor Windows network information

Splunk Enterprise supports the monitoring of detailed statistics about network activity into or out of a Windows host. It can collect the following network information:

  • Network activity. When a Windows machine performs any kind of network action, Splunk Enterprise can monitor it.
  • Address family. Whether the network transaction was made over IPv4 or IPv6.
  • Packet type. The type of packet sent in the transaction (for example, a 'connect' or 'transport' packet).
  • Protocol. Whether the network transaction was made over TCP or UDP.
  • Hosts. Information about the hosts involved in the network transaction, including the local and remote hosts, the ports which the hosts used to communicate, and any available DNS information.
  • Application. Which application initiated the network transaction.
  • User. The user that initiated the network transaction, including the user's ID and SID.
  • Miscellany. Miscellaneous information about the network transaction, including the transport header size and whether or not the transaction was protected by IPSec.

Both full instances of Splunk Enterprise and universal forwarders support local collection of network information. If you have Splunk Cloud and want to monitor network information, use the universal forwarder to collect the data and forward it to your Splunk Cloud deployment.

The network monitor input runs as a process called splunk-netmon.exe. This process runs once for every input defined, at the interval specified in the input. You can configure network monitoring using Splunk Web or inputs.conf.

Windows network monitoring in Splunk Enterprise is only available on 64-bit Windows systems. It does not function on 32-bit Windows systems.

Why monitor network information?

Windows network monitoring gives you detailed information about your Windows network activity. You can monitor all transactions on the network, such as the initiation of a network connection by a user or process, or whether a transaction uses the IPv4 or IPv6 address family. The network monitoring facilities in Splunk Enterprise can help you detect and interrupt an incoming (or outgoing) denial of service attack by telling you which machines are involved. With the Splunk Enterprise search language, you can give your team at-a-glance statistics on all Windows network operations.

What's required to monitor network information?

Activity Requirements
Monitor network information
  • Splunk must run on Windows.
  • The Windows version on the machine must be one of:
    • Windows Vista.
    • Windows 7.
    • Windows 8.
    • Windows 8.1.
    • Windows 10.
    • Windows Server 2008.
    • Windows Server 2008 R2.
    • Windows Server 2012 R2.
  • The Windows system must have all available updates and service packs applied, including the Kernel-Mode Driver Framework version 1.11 update on machines that run Windows Vista, Windows 7, Windows Server 2008, and Windows Server 2008 R2.
  • Splunk must run as the Local System user or a local administrator account to read all local host information.

Security and remote access considerations

Splunk Enterprise must run as the Local System user to collect Windows network information by default.

Use a universal forwarder to send network information from remote machines to an indexer when possible. If you choose to install forwarders on your remote machines to collect Windows network information, then install the forwarder as the Local System user on these machines. The Local System user has access to all data on the local machine, but not on remote machines.

If you run Splunk Enterprise as a user other than the "Local System" user, then that user must have local Administrator rights to the machine and other explicit permissions, as detailed in Choose the Windows user Splunk Enterprise should run as in the Installation manual.

Use Splunk Web to configure network monitoring

Go to the Add New page

You can get there by two routes:

  • Splunk Home
  • Splunk Settings

By Splunk Settings:

1. Click Settings in the upper right corner of Splunk Web.

2. Click Data Inputs.

3. Click Local Windows network monitoring.

4. Click New to add an input.

By Splunk Home:

1. Click the Add Data link in Splunk Home.

2. Click Monitor to monitor network information from the local Windows machine, or Forward to forward network information from another Windows machine. Splunk Web displays the "Add Data - Select Source" page.

Note: Forwarding network information requires additional setup.

3. In the left pane, locate and select Local Windows network monitoring.

Select the input source

1. In the Network Monitor Name field, enter a unique name for this input that you will remember.

2. Under Address family, check the IP address family types that you want Splunk Enterprise to monitor (IPv4, IPv6, or both).

3. Under Packet Type, check the packet types you want the input to monitor (any of connect, accept, or transport.)

4. Under Direction, check the network directions that you want the input to monitor (any of inbound (toward the monitoring host) or outbound (away from the monitoring host)).

5. Under Protocol, check the network protocol types that you want the input to monitor (any of tcp (Transmission Control Protocol) or udp (User Datagram Protocol)).

6. In the Remote address text field, enter the host name or IP address of a remote host whose network communications with the monitoring host you want the input to monitor.

Note: If you want to monitor multiple hosts, enter a regular expression in this field.

7. In the Process text field, enter the partial or full name of a process whose network communications you want the input to monitor.

Note: As with the remote address, you can monitor multiple processes by entering a regular expression.

8. In the User text field, enter the partial or full name of a user whose network communications you want the input to monitor.

Note: As with the remote address and process entries, you can monitor multiple users by entering a regular expression in this field.

9. Click Next.

Specify input settings

The Input Settings page lets you specify application context, default host value, and index. All of these parameters are optional.

1. Select the appropriate Application context for this input.

2. Set the Host name value. You have several choices for this setting. Learn more about setting the host value in About hosts.

Note: Host only sets the host field in the resulting events. It does not direct Splunk Enterprise to look on a specific host on your network.

3. Set the Index that Splunk Enterprise should send data to. Leave the value as "default", unless you have defined multiple indexes to handle different types of events. In addition to indexes for user data, Splunk Enterprise has a number of utility indexes, which also appear in this dropdown box.

4. Click Review.

Review your choices

After specifying all your input settings, review your selections. Splunk Enterprise lists all options you selected, including the type of monitor, the source, the source type, the application context, and the index.

1. Review the settings.

2. If they do not match what you want, click < to go back to the previous step in the wizard. Otherwise, click the green Submit button.

Splunk Enterprise then loads the "Success" page and begins indexing the specified network information.

Use inputs.conf to configure network monitoring

You can edit inputs.conf to configure network monitoring. For information on how to edit configuration files, see About configuration files in the Admin manual.

1. Copy inputs.conf from %SPLUNK_HOME%\etc\system\default to %SPLUNK_HOME%\etc\system\local.

2. Use Explorer or the ATTRIB command to remove the file's "Read Only" flag.

3. Open the file and edit it to enable Windows network monitoring inputs.

4. Restart Splunk.

The next section describes the specific configuration values for network monitoring.

Windows network monitor configuration values

To define a Windows network monitoring input, use the [WinNetMon://<name>] stanza in inputs.conf. Splunk Enterprise uses the following attributes to configure the Windows network monitor input.

Each attribute is listed with its description and its default value.

disabled = [0|1]
  Whether or not the input should run. Set to 1 to disable the input, and 0 to enable it.
  Default: 0 (enabled)

index = <string>
  The index that this input should send the data to. This attribute is optional.
  Default: the default index

remoteAddress = <regular expression>
  Matches against the remote IP address involved in the network transaction. Accepts regular expressions that represent IP addresses only, not host names. Filters out events with remote addresses that do not match the regular expression and passes through events with remote addresses that match it. For example, 192\.163\..* matches all IP addresses in the 192.163.x.x range.
  Default: empty string (matches everything)

process = <regular expression>
  Matches against the name of the process or application that performed the network access. Filters out events generated by processes that do not match the regular expression and passes through events generated by processes that match it.
  Default: empty string (matches all processes or applications)

user = <regular expression>
  Matches against the name of the user that performed the network access. Filters out events generated by users that do not match the regular expression and passes through events generated by users that match it.
  Default: empty string (includes access by all users)

addressFamily = [ipv4;ipv6]
  If set, matches against the address family used in the network access. Accepts semicolon-separated values, for example "ipv4;ipv6".
  Default: empty string (includes all IP traffic)

packetType = [connect;accept;transport]
  Matches against the packet type used in the transaction. Accepts semicolon-separated values, for example "connect;transport".
  Default: empty string (includes all packet types)

direction = [inbound;outbound]
  If set, matches against the general direction of the network traffic. "inbound" means traffic coming into the monitoring machine; "outbound" means traffic leaving the monitoring machine. Accepts semicolon-separated values, for example "inbound;outbound".
  Default: empty string (includes both directions)

protocol = [tcp;udp]
  Matches against the specified network protocol. "tcp" means Transmission Control Protocol, which uses handshakes and connection state to set up transactions; "udp" means User Datagram Protocol, a stateless "fire and forget" protocol. Accepts semicolon-separated values, for example "tcp;udp".
  Default: empty string (includes both protocol types)

readInterval = <integer>
  Advanced option. Use the default value unless there is a problem with input performance. How often, in milliseconds, to read the network monitor filter driver. Allows for the adjustment of call frequency into the kernel driver. Higher frequencies might affect network performance, while lower frequencies can cause event loss. The minimum legal value is 10 and the maximum legal value is 1000.
  Default: 100

driverBufferSize = <integer>
  Advanced option. Use the default value unless there is a problem with input performance. The number of network packets the driver should keep in the network monitor filter driver buffer. Controls how many packets the driver caches. Lower values might result in event loss, while higher values might increase the amount of non-paged memory used. The minimum legal value is 128 and the maximum legal value is 8192.
  Default: 1024

mode = <string>
  How to output each event. Splunk Enterprise can output each event in either single or multikv (key-value pair) mode.
  Default: single

multikvMaxEventCount = <integer>
  Advanced option. Use the default value unless there is a problem with input performance. The maximum number of events to output when you set mode to multikv. The minimum legal value is 10 and the maximum legal value is 500.
  Default: 100

multikvMaxTimeMs = <integer>
  Advanced option. Use the default value unless there is a problem with input performance. The maximum amount of time, in milliseconds, to output multikv events when you set mode to multikv. The minimum legal value is 100 and the maximum legal value is 5000.
  Default: 1000
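The following is an added example, not code from the Splunk documentation or product. It shows a complete [WinNetMon://<name>] stanza built from the attributes above and a small linter that checks such stanzas before they are deployed: integer attributes against their documented legal ranges, the semicolon-separated filters against their allowed values, mode and disabled against their allowed settings, and the three regular-expression filters for syntax. The stanza names, index name and address pattern are constructed for illustration; the value ranges and attribute names come from the table above. Out-of-range readInterval or driverBufferSize values are worth catching early because the documentation says they can cause event loss, which shows up as missing network events rather than as an error.

```python
"""Lint [WinNetMon://<name>] stanzas against the documented attribute ranges."""
import configparser
import re

# Legal integer ranges from the attribute table (minimum, maximum).
INT_RANGES = {
    "readInterval": (10, 1000),
    "driverBufferSize": (128, 8192),
    "multikvMaxEventCount": (10, 500),
    "multikvMaxTimeMs": (100, 5000),
}
# Attributes that take semicolon-separated values drawn from a fixed set.
ENUM_LISTS = {
    "addressFamily": {"ipv4", "ipv6"},
    "packetType": {"connect", "accept", "transport"},
    "direction": {"inbound", "outbound"},
    "protocol": {"tcp", "udp"},
}
REGEX_ATTRS = {"remoteAddress", "process", "user"}
OTHER_ATTRS = {"disabled", "index", "mode"}
KNOWN_ATTRS = set(INT_RANGES) | set(ENUM_LISTS) | REGEX_ATTRS | OTHER_ATTRS

# Constructed sample stanza (not from the Splunk docs): inbound TCP connection
# events from a private /24, batched as multikv events. Names are illustrative.
GOOD_INPUTS_CONF = """[WinNetMon://inbound_tcp_from_lan]
disabled = 0
index = winnetmon
remoteAddress = 10\\.0\\.0\\..*
process =
user =
addressFamily = ipv4
packetType = connect;accept
direction = inbound
protocol = tcp
readInterval = 100
driverBufferSize = 1024
mode = multikv
multikvMaxEventCount = 100
multikvMaxTimeMs = 1000
"""

# Constructed stanza with four mistakes the linter should report.
BAD_INPUTS_CONF = """[WinNetMon://bad]
readInterval = 5
protocol = tcp;icmp
remoteAddress = (unclosed
direction = inboud
"""


def parse_winnetmon_stanzas(text):
    """Return {stanza_name: {attribute: value}} for every WinNetMon stanza."""
    # inputs.conf is INI-like; only "=" separates keys from values, and "%"
    # must not be treated as interpolation.
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep attribute names case-sensitive (readInterval)
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections() if s.startswith("WinNetMon://")}


def validate_stanza(attrs):
    """Return a list of problems for one stanza; an empty list means it passes."""
    problems = []
    for key, value in attrs.items():
        value = value.strip()
        if key not in KNOWN_ATTRS:
            problems.append(f"unknown attribute {key!r}")
        elif key in INT_RANGES:
            lo, hi = INT_RANGES[key]
            if not value.isdigit() or not lo <= int(value) <= hi:
                problems.append(f"{key}={value!r} is outside the legal range {lo}..{hi}")
        elif key in ENUM_LISTS:
            # An empty value means "match everything"; otherwise every token must be allowed.
            tokens = {t.strip() for t in value.split(";")} if value else set()
            bad = tokens - ENUM_LISTS[key]
            if bad:
                problems.append(f"{key} has unsupported value(s) {sorted(bad)}")
        elif key in REGEX_ATTRS:
            try:
                re.compile(value)
            except re.error as exc:
                problems.append(f"{key} is not a valid regular expression: {exc}")
        elif key == "disabled" and value not in ("0", "1"):
            problems.append(f"disabled={value!r}; expected 0 or 1")
        elif key == "mode" and value not in ("single", "multikv"):
            problems.append(f"mode={value!r}; expected single or multikv")
    return problems


def lint_inputs_conf(text):
    """Map each WinNetMon stanza name to its list of problems."""
    return {name: validate_stanza(attrs)
            for name, attrs in parse_winnetmon_stanzas(text).items()}


if __name__ == "__main__":
    for conf in (GOOD_INPUTS_CONF, BAD_INPUTS_CONF):
        for name, problems in lint_inputs_conf(conf).items():
            print(f"[{name}]", "OK" if not problems else "")
            for problem in problems:
                print("  -", problem)
```

Run the script against the text of %SPLUNK_HOME%\etc\system\local\inputs.conf before restarting Splunk; any stanza reported with problems would otherwise be silently ignored or filtered in a way that leaves gaps in the collected network events.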

Fields for Windows network monitoring data

When Splunk Enterprise indexes data from Windows network monitoring inputs, it sets the source for received events to windows. It sets the source type of the incoming events to WinNetMon.

Confirm that your Windows machine is fully patched

If you encounter issues while running the network monitoring input on a Windows Vista, Windows 7, Windows Server 2008, or Windows Server 2008 R2 machine, confirm that you have updated the machine with all available patches, including the Kernel-Mode Driver Framework version 1.11 Update (http://support.microsoft.com/kb/2685811) that is part of Knowledge Base article 2685811. Network monitoring input might not function if this update is not present on your system.

Answers

Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has around Windows network monitoring.


This documentation applies to the following versions of Splunk® Enterprise: 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.2.14, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.2.0, 7.2.1

