Related Answers
Download topic as PDF
Monitor Windows printer information
Splunk Enterprise supports the monitoring of Windows print subsystem information - statistics about all of the printers and drivers, print jobs, and printer ports on the local machine. It can collect the following print system information:
- Printer: Information on the print subsystem, such as the status of installed printers, and when printers get added or deleted.
- Job: Information on print jobs, including who has printed what, details on the jobs, and the status of existing jobs.
- Driver: Information on the print driver subsystem, including information on existing print drivers, and when a print driver gets added or removed.
- Port: Information on printer ports installed on the system, and when they get added or removed.
Both full instances of Splunk Enterprise and universal forwarders support local collection of printer subsystem information.
The printer monitor input runs as a process called splunk-winprintmon.exe. This process runs once for every input defined, at the interval specified in the input. You can configure printer subsystem monitoring using Splunk Web or inputs.conf.
Why monitor printer information?
Windows printer monitoring allows you to get detailed information about your Windows printer subsystem. You can monitor any changes to the system, such as installation and removal of printers, print drivers, and ports, the starting and completion of print jobs, and learn who printed what when. When a printer failure occurs, you can use print monitoring information as a first step into the forensic process. With Splunk's search language, you can develop dashboards and views which can give your team at-a-glance statistics on all printers in your Windows network.
What's required to monitor printer information?
| Activity: | Required permissions: |
|---|---|
| Monitor host information | * Splunk Enterprise must run on Windows * Splunk Enterprise must run as the Local System user to read all local host information |
Security and remote access considerations
Splunk Enterprise must run as the Local System user to collect Windows print subsystem information by default.
Splunk recommends using a universal forwarder to send printer information from remote machines to an indexer. Review "Introducing the universal forwarder" in the Forwarding Data manual for information about how to install, configure and use the forwarder to collect print subsystem data.
If you choose to install forwarders on your remote machines to collect printer subsystem data, then you can install the forwarder as the Local System user on these machines. The Local System user has access to all data on the local machine, but not on remote machines.
If you run Splunk Enterprise as a user other than the "Local System" user, then that user must have local Administrator rights to the machine from which you want to collect printer information. The user requires other explicit permissions, as detailed in "Choose the Windows user Splunk Enterprise should run as" in the Installation manual.
Use Splunk Web to configure printer information
Configure local print monitoring
1. Click Settings in the upper right-hand corner of Splunk Web.
2. In the pop-up that appears, under Data, click Data Inputs.
3. Click Local Windows print monitoring. Splunk Web loads the Windows print monitor page.
4. Click New to add an input. Splunk Web loads the Add new page.
5. In the Collection Name field, enter a name for the input that you'll remember.
6. Under the Types header, check the Windows print subsystem information types that you want this input to collect.
7. In the Baseline control, click the Yes radio button to tell Splunk Enterprise to run the input as soon as it starts, and no further. Click No to tell Splunk Enterprise to run the input at the interval specified in the Interval (in minutes) field.
8. Under the Index header, select an index which you want the printer subsystem data to go to, or leave it as is to send to the default index.
9. Click Save.
Splunk Enterprise adds and enables the input.
Use inputs.conf to configure host monitoring
You can edit inputs.conf to configure host monitoring. For more information on configuring data inputs with inputs.conf, read "Configure your inputs" in this manual.
Note: You can always review the defaults for a configuration file by looking at the examples in %SPLUNK_HOME%\etc\system\default or at the spec file in the Admin manual.
- For more information on how to edit configuration files, see "About configuration files" in the Admin manual.
To enable print monitoring inputs by editing inputs.conf:
1. Copy inputs.conf from %SPLUNK_HOME%\etc\system\default to etc\system\local .
2. Use Explorer or the ATTRIB command to remove the file's "Read Only" flag.
3. Open the file and edit it to enable Windows print monitoring inputs.
4. Restart Splunk.
The next section describes the specific configuration values for host monitoring.
Print monitoring configuration values
Splunk Enterprise uses the following attributes in inputs.conf to monitor Windows printer subsystem information:
| Attribute | Required? | Description |
|---|---|---|
type
|
Yes | The type of host information to monitor. Can be one of printer, job, driver, or port. The input will not run if this variable is not present.
|
baseline
|
No | Whether or not to generate a baseline of the existing state of the printer, job, driver, or port. If you set this attribtue to 1, then Splunk Enterprise writes a baseline. This might take additional time and CPU resources when Splunk Enterprise starts.
|
disabled
|
No | Whether or not to run the input at all. If you set this attribute to 1, then Splunk Enterprise does not run the input.
|
Examples of Windows host monitoring configurations
Following are some examples of how to use the Windows host monitoring configuration attributes in inputs.conf.
# Monitor printers on system. [WinPrintMon://printer] type = printer baseline = 0 # Monitor print jobs. [WinPrintMon://job] type = job baseline = 1 # Monitor printer driver installation and removal. [WinPrintMon://driver] type = driver baseline = 1 # Monitor printer ports. [WinPrintMon://port] type = port baseline = 1
Fields for Windows print monitoring data
When Splunk Enterprise indexes data from Windows print monitoring inputs, it sets the source for received events to windows. It sets the source type of the incoming events to WinPrintMon.
Answers
Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has around Windows print monitoring.
|
PREVIOUS Monitor Windows host information |
NEXT Monitor Windows network information |
This documentation applies to the following versions of Splunk® Enterprise: 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.0.15, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.1.14
Comments
"7. In the Baseline control, click the Yes radio button to tell Splunk to run the input as soon as it starts, and no further. Click No to tell Splunk to run the input at the interval specified in the Interval (in minutes) field."<br /><br />I've set "No" for the baseline option but I'm still seeing logs only at startup. I don't see an interval field (running v6.0.2). How do I set the interval for this input?
This DOES NOT work when print server is installed in a clustered environment. Please look at the case note 171469, if you have access to.<br /><br />Would be nice to have it fixed.