Splunk® Enterprise

Getting Data In

Download manual as PDF

This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Download topic as PDF

Monitor Windows host information

Splunk Enterprise supports the monitoring of Windows host information - detailed statistics about the local Windows machine. It can collect the following information about the Windows host:

  • General computer: The make and model of the computer, its host name and the Active Directory domain it's in.
  • Operating system: The version and build number of the operating system installed on the computer, as well as any service packs; the computer name; the last time it was started, the amount of installed and free memory, and the system drive.
  • Processor: The make and model of the CPU(s) installed in the system, their speed and version, the number of processor(s) and core(s), and the processor ID.
  • Disk: A listing of all drives available to the system and, if available, their file system type and total and available space.
  • Network Adapter: Information about the installed network adapters in the system, including manufacturer, product name and MAC address.
  • Service: Information about the installed services on the system, including name, display name, description, path, service type, start mode, state, and status.
  • Process: Information on the running processes on the system, including the name, the command line (with arguments), when they were started, and the executable's path.
  • Application: Information on the applications that have been installed on the system, including their names and serial numbers, when and where they were installed, vendor, and version number.

Both full instances of Splunk Enterprise and universal forwarders support local collection of host information.

The host monitor input runs as a process called splunk-winhostmon.exe. This process runs once for every input defined, at the interval specified in the input. You can configure host monitoring using Splunk Web or inputs.conf.

Why monitor host information?

Windows host monitoring allows you to get detailed information about your Windows systems. You can monitor any changes to the system, such as installation and removal of software, the starting and stopping of services, and even uptime. When a system failure occurs, you can use Windows host monitoring information as a first step into the forensic process. With the Splunk Enterprise search language, you can develop dashboards and views which can give your team at-a-glance statistics on all machines in your Windows network.

What's required to monitor host information?

Activity: Required permissions:
Monitor host information * Splunk Enterprise must run on Windows
* Splunk Enterprise must run as the Local System user or a local administrator account to read all local host information

Security and remote access considerations

Splunk Enterprise must run as the Local System user to collect Windows host information by default.

Splunk recommends using a universal forwarder to send host information from remote machines to an indexer. Review "Introducing the universal forwarder" in the Forwarding Data manual for information about how to install, configure and use the forwarder to collect Windows host data.

If you choose to install forwarders on your remote machines to collect Windows host data, then you can install the forwarder as the Local System user on these machines. The Local System user has access to all data on the local machine, but not on remote machines.

If you run Splunk Enterprise as a user other than the "Local System" user, then that user must have local Administrator rights to the machine from which you want to collect host data. The user requires other explicit permissions, as detailed in "Choose the Windows user Splunk Enterprise should run as" in the Installation manual.

Use Splunk Web to configure host monitoring

Configure local host monitoring

1. Click Settings in the upper right-hand corner of Splunk Web.

2. In the pop-up that appears, under Data, click Data Inputs.

3. Click Local Windows host monitoring. Splunk Web loads the Windows host monitor page.

4. Click New to add an input. Splunk Web loads the Add new page.

5. In the Collection Name field, enter a name for the input that you'll remember.

6. Under the Types header, check the Windows host information types that you want this input to collect.

7. In the Run Once control, click the Yes radio button to tell Splunk Enterprise to run the input as soon as it starts, and no further. Click No to tell Splunk Enterprise to run the input at the interval specified in the Interval (in seconds) field.

8. In the Interval (in seconds) field, type in the amount of time between collection attempts.

9. Click Save.

Splunk Enterprise adds and enables the input.

Use inputs.conf to configure host monitoring

You can edit inputs.conf to configure host monitoring. For more information on configuring data inputs with inputs.conf, read "Configure your inputs" in this manual.

Note: You can always review the defaults for a configuration file by looking at the examples in %SPLUNK_HOME%\etc\system\default or at the spec file in the Admin manual.

To enable host monitoring inputs by editing inputs.conf:

1. Create an inputs.conf in %SPLUNK_HOME%\etc\system\local and open it for editing.

2. Open %SPLUNK_HOME%\etc\system\default\inputs.conf and review it for the Windows event log inputs you want to enable.

3. Copy the Windows event log input stanzas you want to enable from %SPLUNK_HOME%\etc\system\default\inputs.conf.

4. Paste the stanzas you copied into %SPLUNK_HOME%\etc\system\local\inputs.conf.

5. Make edits to the stanzas to collect the Windows event log data you desire.

6. Save %SPLUNK_HOME%\etc\system\local\inputs.conf and close it.

7. Restart Splunk Enterprise.

The next section describes the specific configuration values for host monitoring.

Windows host monitor configuration values

Splunk Enterprise uses the following attributes in inputs.conf to monitor Windows host information:

Attribute Required? Description
interval Yes How often, in seconds, to poll for new data. If you set the interval to a negative number, Splunk Enterprise runs the input one time. If you do not define this attribute, the input will not run, as there is no default.
type Yes The type of host information to monitor. Can be one of Computer, operatingSystem, processor, disk, networkAdapter, service, process, driver, or application. The input will not run if this variable is not present.
disabled No Whether or not to run the input at all. If you set this attribute to 1, then Splunk Enterprise does not run the input.

Examples of Windows host monitoring configurations

Following are some examples of how to use the Windows host monitoring configuration attributes in inputs.conf

# Queries computer information.
[WinHostMon://computer]
type = Computer
interval = 300

# Queries OS information. 
# 'interval' set to a negative number tells Splunk Enterprise to
# run the input once only. 
[WinHostMon://os]
type = operatingSystem
interval = -1

# Queries processor information.
[WinHostMon://processor]
type = processor
interval = -1

# Queries hard disk information.
[WinHostMon://disk]
type = disk
interval = -1

# Queries network adapter information.
[WinHostMon://network]
type = networkAdapter
interval = -1

# Queries service information.
# This example runs the input ever 5 minutes.
[WinHostMon://service]
type = service
interval = 300

# Queries information on running processes.
# This example runs the input every 5 minutes.
[WinHostMon://process]
type = process
interval = 300

# Queries information on installed applications.
# This example runs the input every 5 minutes.
[WinHostMon://application]
type = application
interval = 300
 

Fields for Windows host monitoring data

When Splunk Enterprise indexes data from Windows host monitoring inputs, it sets the source for received events to windows. It sets the source type of the incoming events to WinHostMon.

Answers

Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has around Windows host information.

PREVIOUS
Monitor Windows performance in real time
  NEXT
Monitor Windows printer information

This documentation applies to the following versions of Splunk® Enterprise: 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.0.15, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.1.14


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters