Manually collect logs from a Windows host in ITSI
You can manually set up a universal forwarder to collect logs from a Windows host. Manually configure log collection for a host when you meet at least one of these conditions:
- You're collecting data from a host on a closed network with no internet access.
- You already installed a universal forwarder on the host.
- You don't have trusted URLs you can download the required packages from.
If you also want to manually collect metrics data from a Windows host, see Manually collect metrics from a Windows host in ITSI.
Prerequisites
Requirement | Description |
---|---|
Windows host | See Windows operating system support. |
Dependencies | See Required Windows dependencies. |
Administrator role |
In Splunk Enterprise, you have to be a user with the admin role. |
Steps
Follow these steps to manually collect logs from a Linux, Unix, or Mac OS X host.
1. Install the universal forwarder on Windows
Install a universal forwarder on the host. For information about installing a universal forwarder, see Install a Windows universal forwarder from an installer in the Forwarder Manual.
If you already installed a universal forwarder, you can skip this step.
2. Configure inputs.conf on the universal forwarder
Configure inputs.conf
on the universal forwarder to set up receiving and specify the log files to monitor in ITSI.
- Create the
${SPLUNK_HOME}\etc\apps\splunk_app_infra_uf_config
directory if it doesn't already exist. - Create
inputs.conf
at${SPLUNK_HOME}\etc\apps\splunk_app_infra_uf_config\local\
if it doesn't already exist. - Open
inputs.conf
with a text editor. - Add a stanza to reference each file or directory you want to monitor. For more information, see Monitor files and directories with inputs.conf in the Splunk Enterprise Getting Data In guide.
- (Optional) Add settings for each stanza that further configure each input, depending on what you want each input to do. For example, this stanza monitors log files in the
$SPLUNK_HOME\var\log\splunk\
directory:For more information, see Configuration settings in the Splunk Enterprise Getting Data in guide and inputs.conf in the Splunk Enterprise Admin Manual.[monitor://$SPLUNK_HOME\var\log\splunk\*.log*] sourcetype = uf disabled = false
- When you're done, save and close the file.
- Restart splunkd. If you also need to configure
outputs.conf
in the next step, you can wait to restart splunkd until after you've configuredoutputs.conf
as well.$SPLUNK_HOME\bin\splunk restart
3. Configure outputs.conf on the universal forwarder
Configure outputs.conf
on the universal forwarder to define how the universal forwarder sends data to your Splunk platform deployment. If you've already done this, skip this step.
- Create the
${SPLUNK_HOME}\etc\apps\splunk_app_infra_uf_config
directory if it doesn't already exist. - Open
outputs.conf
with a text editor. - Add a stanza to define a forwarding target group or a single receiving host, depending on your deployment. For more information, see Configuration levels for outputs.conf in the Splunk Universal Forwarder Forwarder Manual.
- If you haven't already, add these stanzas to configure the host and receiving port:
host = <monitoring_machine> tcp://<receiver_port>
Setting Description monitoring_machine
The hostname or IP address of the Splunk Enterprise instance you want to send log data to. receiver_port
The port that your Splunk platform deployment uses to receive data. - Save and close
outputs.conf
. - Restart splunkd.
$SPLUNK_HOME\bin\splunk restart
Example inputs.conf file for a universal forwarder
[monitor://$SPLUNK_HOME\var\log\splunk\*.log*] sourcetype = uf disabled = false [WinEventLog://Application] checkpointInterval = 10 current_only = 0 disabled = 0 start_from = oldest [WinEventLog://Security] checkpointInterval = 10 current_only = 0 disabled = 0 start_from = oldest [WinEventLog://System] checkpointInterval = 10 current_only = 0 disabled = 0 start_from = oldest [WinEventLog://Setup] checkpointInterval = 10 current_only = 0 disabled = 0 start_from = oldest
Example outputs.conf file for a universal forwarder
[tcpout] defaultGroup = splunk-app-infra-autolb-group [tcpout:splunk-app-infra-autolb-group] disabled = false server = <monitoring_machine>:<receiver_port>
Setting | Description |
---|---|
monitoring_machine
|
The hostname or IP address of the Splunk Enterprise instance you want to send log data to. |
receiver_port
|
The port that your Splunk platform deployment uses to receive data. |
Manually collect metrics from a Windows host in ITSI | Stop collecting data from a Windows host in ITSI |
This documentation applies to the following versions of Splunk® IT Service Intelligence: 4.11.0, 4.11.1, 4.11.2, 4.11.3, 4.11.4, 4.11.5, 4.11.6, 4.12.0 Cloud only, 4.12.1 Cloud only, 4.12.2 Cloud only, 4.13.0, 4.13.1, 4.13.2, 4.13.3, 4.14.0 Cloud only, 4.14.1 Cloud only, 4.14.2 Cloud only, 4.15.0, 4.15.1, 4.15.2, 4.15.3, 4.16.0 Cloud only, 4.17.0, 4.17.1, 4.18.0, 4.18.1, 4.19.0, 4.19.1
Feedback submitted, thanks!