Splunk® IT Essentials Work

Entity Integrations Manual

Manually collect logs from a Windows host in ITE Work

You can manually set up a universal forwarder to collect logs from a Windows host. Manually configure log collection for a host when you meet at least one of these conditions:

  • You're collecting data from a host on a closed network with no internet access.
  • You already installed a universal forwarder on the host.
  • You don't have trusted URLs you can download the required packages from.

If you also want to manually collect metrics data from a Windows host, see Manually collect metrics from a Windows host in ITE Work.

Prerequisites

Requirement Description
Windows host See Windows operating system support.
Dependencies See Required Windows dependencies.
Administrator role

In Splunk Enterprise, you have to be a user with the admin role.

Steps

Follow these steps to manually collect logs from a Linux, Unix, or Mac OS X host.

1. Install the universal forwarder on Windows

Install a universal forwarder on the host. For information about installing a universal forwarder, see Install a Windows universal forwarder from an installer in the Forwarder Manual.

If you already installed a universal forwarder, you can skip this step.

2. Configure inputs.conf on the universal forwarder

Configure inputs.conf on the universal forwarder to set up receiving and specify the log files to monitor in ITE Work.

  1. Create the ${SPLUNK_HOME}\etc\apps\splunk_app_infra_uf_config directory if it doesn't already exist.
  2. Create inputs.conf at ${SPLUNK_HOME}\etc\apps\splunk_app_infra_uf_config\local\ if it doesn't already exist.
  3. Open inputs.conf with a text editor.
  4. If you haven't already, add these stanzas to configure the host and receiving port:
    host = <monitoring_machine>
    
    tcp://<receiver_port>
    
    Setting Description
    monitoring_machine The hostname or IP address of the Splunk Enterprise instance you want to send log data to.
    receiver_port The port that your Splunk platform deployment uses to receive data.
  5. Add a stanza to reference each file or directory you want to monitor. For more information, see Monitor files and directories with inputs.conf in the Splunk Enterprise Getting Data In guide.
  6. (Optional) Add settings for each stanza that further configure each input, depending on what you want each input to do. For example, this stanza monitors log files in the $SPLUNK_HOME\var\log\splunk\ directory:
    [monitor://$SPLUNK_HOME\var\log\splunk\*.log*]
    sourcetype = uf
    disabled = false
    
    For more information, see Configuration settings in the Splunk Enterprise Getting Data in guide and inputs.conf in the Splunk Enterprise Admin Manual.
  7. When you're done, save and close the file.
  8. Restart splunkd. If you also need to configure outputs.conf in the next step, you can wait to restart splunkd until after you've configured outputs.conf as well.
    $SPLUNK_HOME\bin\splunk restart
    

3. Configure outputs.conf on the universal forwarder

Configure outputs.conf on the universal forwarder to define how the universal forwarder sends data to your Splunk platform deployment. If you've already done this, skip this step.

  1. Create the ${SPLUNK_HOME}\etc\apps\splunk_app_infra_uf_config directory if it doesn't already exist.
  2. Open outputs.conf with a text editor.
  3. Add a stanza to define a forwarding target group or a single receiving host, depending on your deployment. For more information, see Configuration levels for outputs.conf in the Splunk Universal Forwarder Forwarder Manual.
  4. Save and close outputs.conf.
  5. Restart splunkd.
    $SPLUNK_HOME\bin\splunk restart
    

Example inputs.conf file for a universal forwarder

[monitor://$SPLUNK_HOME\var\log\splunk\*.log*]
sourcetype = uf
disabled = false

[WinEventLog://Application]
checkpointInterval = 10
current_only = 0
disabled = 0
start_from = oldest

[WinEventLog://Security]
checkpointInterval = 10
current_only = 0
disabled = 0
start_from = oldest

[WinEventLog://System]
checkpointInterval = 10
current_only = 0
disabled = 0
start_from = oldest

[WinEventLog://Setup]
checkpointInterval = 10
current_only = 0
disabled = 0
start_from = oldest

Example outputs.conf file for a universal forwarder

[tcpout]
defaultGroup = splunk-app-infra-autolb-group

[tcpout:splunk-app-infra-autolb-group]
disabled = false
server = <monitoring_machine>:<receiver_port>
Setting Description
monitoring_machine The hostname or IP address of the Splunk Enterprise instance you want to send log data to.
receiver_port The port that your Splunk platform deployment uses to receive data.
Last modified on 28 February, 2024
Manually collect metrics from a Windows host in ITSI   Troubleshoot the Windows entity integration in ITE Work

This documentation applies to the following versions of Splunk® IT Essentials Work: 4.18.0, 4.18.1, 4.19.0, 4.19.1


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters