Download and configure the Splunk Add-on for Windows
This topic discusses downloading and configuring the Splunk Add-on for Windows and deploying it to the deployment clients to gather Windows data and send it to the Splunk App for Windows Infrastructure indexers.
About the Splunk Add-on for Windows
The Splunk Add-on for Windows collects Windows data from Windows hosts. In the context of the Splunk App for Windows Infrastructure, the add-on collects Windows data and provides knowledge objects for the app. You should deploy the Splunk Add-on for Windows to:
- All hosts that run Active Directory Domain Services (including domain controllers and DNS servers).
- All Windows hosts from which you want Windows data.
- All indexers.
- All search heads.
- Basically, everywhere.
Download the Splunk Add-on for Windows
- Download the Splunk Add-on for Windows from Splunkbase and save it to an accessible place on the deployment server. You might need to sign in with your Splunk account before the download starts.
- When prompted, choose an accessible location on your deployment server to save the download. Do not attempt to run the download.
- Use an archive utility such as WinZip to unarchive the file to an accessible location.
Configure the Splunk Add-on for Windows
Before the add-on can collect Windows data, you must configure it.
Microsoft Windows event logs that are rendered in XML format will not populate in the Splunk App for Windows Infrastructure
- In the location where you unarchived the download file, locate the Splunk_TA_Windows directory.
- Inside this directory, make a subdirectory named local.
- Copy the inputs.conf file in the default subdirectory to the local directory.
- Open the inputs.conf in the local subdirectory with a text editor, such as Notepad.
- Enable the Windows inputs you want to get data for. Do this by changing the value of the disabled attribute in each input stanza from 1 to 0. At a minimum, enable the following sets of inputs. The [admon] input should only be enabled on one domain controller in a single domain. The [admon] input directly queries the Active Directory domain controllers. Enabling this input on multiple Splunk instances can disrupt your Active Directory servers and eventually make them unresponsive, preventing users from accessing needed services.
  Inputs and the app pages they support:
  Event Monitoring: [WinEventLog://Application], [WinEventLog://Security], [WinEventLog://System]
  Performance Monitoring: [perfmon://FreeDiskSpace], [perfmon://Memory], [perfmon://LocalNetwork], [perfmon://CPUTime]
  Host Monitoring: [WinHostMon://Computer], [WinHostMon://Process], [WinHostMon://Processor], [WinHostMon://NetworkAdapter], [WinHostMon://Service], [WinHostMon://OperatingSystem], [WinHostMon://Disk], [WinHostMon://Driver], [WinHostMon://Roles]
  Print Monitoring: [WinPrintMon://printer], [WinPrintMon://driver], [WinPrintMon://port]
  Network Monitoring: [WinNetMon://inbound], [WinNetMon://outbound]
- Save the inputs.conf file in the local subdirectory.
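As an added example (not part of the Splunk documentation or the add-on itself), the following Python script performs the enable step without hand-editing in Notepad: it flips the disabled attribute from 1 to 0 for a chosen set of stanzas in the copied inputs.conf, leaves every other line untouched, and refuses to enable [admon] unless the host is the single designated domain controller. The sample file content, the host names, and the admon_hosts/this_host parameters are constructed for illustration.

```python
"""Enable selected stanzas in a Splunk_TA_Windows local/inputs.conf copy."""
import re

# A stanza header such as [WinEventLog://Security] or [admon].
STANZA_RE = re.compile(r"^\s*\[(?P<name>[^\]]+)\]\s*$")
# The "disabled = <value>" attribute line inside a stanza.
DISABLED_RE = re.compile(r"^(\s*disabled\s*=\s*)(?P<val>\S+)", re.IGNORECASE)


def enable_inputs(conf_text, stanzas, admon_hosts=(), this_host=""):
    """Return (new_text, enabled): the rewritten file and the stanzas that
    were actually switched from disabled=1 to disabled=0.

    [admon] is only enabled when this_host is one of admon_hosts, so a
    fleet-wide run cannot turn it on across every domain controller.
    Stanzas already at disabled=0 are left as they are and not reported."""
    wanted = set(stanzas)
    if "admon" in wanted and this_host not in admon_hosts:
        wanted.discard("admon")  # guard: one domain controller per domain
    out, enabled, current = [], [], None
    for line in conf_text.splitlines():
        header = STANZA_RE.match(line)
        if header:
            current = header.group("name")
        elif current in wanted:
            attr = DISABLED_RE.match(line)
            if attr and attr.group("val") != "0":
                line = DISABLED_RE.sub(lambda m: m.group(1) + "0", line)
                enabled.append(current)
        out.append(line)
    return "\n".join(out) + "\n", enabled


# Constructed stand-in for the copied default/inputs.conf (not the real file).
SAMPLE_INPUTS_CONF = """\
[WinEventLog://Application]
disabled = 1
start_from = oldest

[WinEventLog://Security]
disabled = 1

[admon]
disabled = 1
monitorSubtree = 1

[perfmon://CPUTime]
disabled = 0
"""

MINIMUM = ["WinEventLog://Application", "WinEventLog://Security",
           "admon", "perfmon://CPUTime"]

if __name__ == "__main__":
    # Hypothetical hosts: dc01 is the designated domain controller.
    text, done = enable_inputs(SAMPLE_INPUTS_CONF, MINIMUM, ("dc01",), "wks07")
    print("enabled on wks07:", done)
```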
What's next?
You have downloaded and configured the Splunk Add-on for Windows.
Next, you will deploy it to the deployment clients. Once they receive the add-on, they will use the configuration in the "send to indexer" app to send Windows data to the indexer.
This documentation applies to the following versions of Splunk® App for Windows Infrastructure (Legacy): 1.4.1, 1.4.2, 1.4.3, 1.4.4