
Monitor Windows network information
Splunk Enterprise supports the monitoring of Windows network information - detailed statistics about network activity into or out of a Windows machine. It can collect the following network information:
- Network activity: When a Windows machine performs any kind of network action, you can use Splunk Enterprise to monitor it.
- Address family: Whether the network transaction used the IPv4 or IPv6 protocol.
- Packet type: The type of packet sent in the transaction (for example, a 'connect' or 'transport' packet).
- Protocol: Whether the network transaction used the TCP or UDP protocol.
- Hosts: Information about the hosts involved in the network transaction, including the local and remote hosts, the ports which the hosts used to communicate, and any available DNS information.
- Application: Which application initiated the network transaction.
- User: The user that initiated the network transaction, including his or her ID and SID.
- Miscellany: Miscellaneous information about the network transaction, including the transport header size and whether or not the transaction was protected by IPSec.
Both full instances of Splunk Enterprise and universal forwarders support local collection of network information.
The network monitor input runs as a process called splunk-netmon.exe. This process runs once for every input defined, at the interval specified in the input. You can configure network monitoring using Splunk Web or inputs.conf.
Important: Windows network monitoring in Splunk Enterprise is only available on 64-bit Windows systems. It does not function on 32-bit Windows systems.
Why monitor network information?
Windows network monitoring allows you to get detailed information about your Windows network activity. You can monitor all transactions on the network, such as the initiation of a network connection by a user or process or whether or not the transaction uses the IPv4 or IPv6 address families. The network monitoring facilities in Splunk Enterprise can allow you to detect and interrupt an incoming (or outgoing) denial of service attack by telling you which machines are involved. With Splunk's search language, you can develop dashboards and views which can give your team at-a-glance statistics on all Windows network operations.
What's required to monitor network information?
Activity: | Requirements:
---|---
Monitor network information | 
Security and remote access considerations
By default, Splunk Enterprise must run as the Local System user to collect Windows network information.
Splunk recommends using a universal forwarder to send network information from remote machines to an indexer. Review "Introducing the universal forwarder" in the Forwarding Data manual for information about how to install, configure and use the forwarder to collect Windows network data.
If you choose to install forwarders on your remote machines to collect Windows network information, then you can install the forwarder as the Local System user on these machines. The Local System user has access to all data on the local machine, but not on remote machines.
If you run Splunk Enterprise as a user other than the "Local System" user, then that user must have local Administrator rights to the machine from which you want to collect network data. The user requires other explicit permissions, as detailed in "Choose the Windows user Splunk Enterprise should run as" in the Installation manual.
Use Splunk Web to configure network monitoring
Configure local network monitoring
1. Click Settings in the upper right-hand corner of Splunk Web.
2. In the pop-up that appears, under Data, click Data Inputs.
3. Click Local Windows network monitoring. Splunk Web loads the Windows network monitoring page.
4. Click New to add an input. Splunk Web loads the Add new page.
5. In the Network monitor name field, enter a name for the input that you'll remember.
6. Under the Address family header, check the IP address family types that you want Splunk Enterprise to monitor (either IPv4 or IPv6).
7. Under the Packet Type header, check the packet types you want the input to monitor (any of connect, accept, or transport).
8. Under the Direction header, check the network directions that you want the input to monitor (any of inbound (toward the monitoring host) or outbound (away from the monitoring host)).
9. Under the Protocol header, check the network protocol types that you want the input to monitor (any of tcp (Transmission Control Protocol) or udp (User Datagram Protocol)).
10. In the Remote address text field, enter the host name or IP address of a remote host whose network communications with the monitoring host you want the input to monitor.
Note: If you want to monitor multiple hosts, you can do so by entering a regular expression in this field.
11. In the Process text field, enter the partial or full name of a process whose network communications you want the input to monitor.
Note: As with the remote address, you can monitor multiple processes by entering a regular expression.
12. In the User text field, enter the partial or full name of a user whose network communications you want the input to monitor.
Note: As with the remote address and process entries, you can monitor multiple users by entering a regular expression in this field.
13. In the Index drop-down, select the index that you want the input to send its data to.
14. Click Save.
Splunk Enterprise adds and enables the input.
Use inputs.conf to configure network monitoring
You can edit inputs.conf to configure network monitoring. For more information on configuring data inputs with inputs.conf, read "Configure your inputs" in this manual.
Note: You can always review the defaults for a configuration file by looking at the examples in %SPLUNK_HOME%\etc\system\default or at the spec file in the Admin manual.
- For more information on how to edit configuration files, see "About configuration files" in the Admin manual.
To enable network monitoring inputs by editing inputs.conf:
1. Copy inputs.conf from %SPLUNK_HOME%\etc\system\default to %SPLUNK_HOME%\etc\system\local.
2. Use Explorer or the ATTRIB command to remove the file's "Read Only" flag.
3. Open the file and edit it to enable Windows network monitoring inputs.
4. Restart Splunk.
The next section describes the specific configuration values for network monitoring.
Windows network monitor configuration values
To define a Windows network monitoring input, use the [WinNetMon://<name>] stanza in inputs.conf. Splunk Enterprise uses the following attributes to configure the Windows network monitor input:
Attribute: | Description: | Default:
---|---|---
disabled = [0\|1] | Whether the input is disabled (1) or enabled (0). | 0 (enabled)
index = <string> | The index to which the input sends its data. | The default index
remoteAddress = <regular expression> | Regular expression matched against the host name or IP address of the remote hosts whose communications with the monitoring host the input collects. | (empty string: matches everything)
process = <regular expression> | Regular expression matched against the partial or full name of the processes whose network communications the input collects. | (empty string: matches all processes or applications)
user = <regular expression> | Regular expression matched against the partial or full name of the users whose network communications the input collects. | (empty string: includes access by all users)
addressFamily = [ipv4;ipv6] | The IP address families to monitor. Separate multiple values with semicolons. | (empty string: includes all IP traffic)
packetType = [connect;accept;transport] | The packet types to monitor. Separate multiple values with semicolons. | (empty string: includes all packet types)
direction = [inbound;outbound] | The network directions to monitor: inbound (toward the monitoring host), outbound (away from the monitoring host), or both. | (empty string: includes both directions)
protocol = [tcp;udp] | The network protocols to monitor. | (empty string: includes both protocol types)
readInterval = <integer> | How often the input reads collected network activity from the network monitoring driver. | 100
driverBufferSize = <integer> | The size of the buffer in which the network monitoring driver holds network activity until the input reads it. | 1024
mode = <string> | The event output mode: single (one event per network transaction) or multikv (several transactions batched into one multi-value event). | single
multikvMaxEventCount = <integer> | In multikv mode, the maximum number of transactions batched into one event. | 100
multikvMaxTimeMs = <integer> | In multikv mode, the maximum time, in milliseconds, to collect transactions for one event before emitting it. | 1000
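The four inputs.conf steps in the previous section and the attribute table above, worked through as one script. This is an added PowerShell example, not part of the Splunk documentation and not Splunk's own tooling. It assumes SPLUNK_HOME is set in the environment (falling back to C:\Program Files\Splunk), and the stanza name inbound_tcp_from_dmz, the index name winnet and the remoteAddress pattern are placeholder values to replace with your own. Run it from an elevated PowerShell prompt on the 64-bit host being monitored.

```powershell
# Added example: enable a Windows network monitoring input by editing
# inputs.conf (copy default -> local, clear Read Only, add stanza, restart).
# Assumptions: SPLUNK_HOME is set or Splunk lives under C:\Program Files\Splunk;
# stanza name, index name and remoteAddress pattern below are placeholders.

$splunkHome  = if ($env:SPLUNK_HOME) { $env:SPLUNK_HOME } else { 'C:\Program Files\Splunk' }
$defaultConf = Join-Path $splunkHome 'etc\system\default\inputs.conf'
$localDir    = Join-Path $splunkHome 'etc\system\local'
$localConf   = Join-Path $localDir   'inputs.conf'
$splunkExe   = Join-Path $splunkHome 'bin\splunk.exe'

# Step 1: copy inputs.conf from default to local. The copy is skipped when a
# local inputs.conf already exists, so existing local settings are not clobbered.
if (-not (Test-Path $localDir))  { New-Item -ItemType Directory -Path $localDir | Out-Null }
if (-not (Test-Path $localConf)) { Copy-Item -Path $defaultConf -Destination $localConf }

# Step 2: remove the file's "Read Only" flag with the ATTRIB command.
attrib -r "$localConf"

# Step 3: append a [WinNetMon://<name>] stanza. Only attributes from the table
# above are used. Attributes left out (process, user, multikv*) keep their
# defaults, i.e. all processes and users, one event per transaction.
$stanzaName = 'inbound_tcp_from_dmz'
$stanza = @'

[WinNetMon://inbound_tcp_from_dmz]
disabled = 0
index = winnet
addressFamily = ipv4;ipv6
packetType = connect;accept
direction = inbound
protocol = tcp
remoteAddress = ^10\.20\.
readInterval = 100
driverBufferSize = 1024
mode = single
'@

# Idempotent: do not add the stanza twice if the script is re-run.
$header = '^\[WinNetMon://' + [regex]::Escape($stanzaName) + '\]'
if (-not (Select-String -Path $localConf -Pattern $header -Quiet)) {
    Add-Content -Path $localConf -Value $stanza
}

# Step 4: restart Splunk so splunk-netmon.exe starts for the new input.
& $splunkExe restart

# Check: print the effective WinNetMon settings and which file each came from.
& $splunkExe btool inputs list --debug | Select-String 'WinNetMon'
```

The closing btool call is the quickest way to confirm that the stanza in etc\system\local is the one Splunk actually resolves; with --debug each line is prefixed by the file that supplied it, so a value unexpectedly coming from an app or from default shows up immediately.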
Fields for Windows network monitoring data
When Splunk Enterprise indexes data from Windows network monitoring inputs, it sets the source for received events to windows. It sets the source type of the incoming events to WinNetMon.
Ensure that your Windows machine is fully patched
If you encounter issues while running the network monitoring input on a Windows Vista, Windows 7, Windows Server 2008, or Windows Server 2008 R2 machine, make sure that you have updated the machine with all available patches, including the Kernel-Mode Driver Framework version 1.11 Update (http://support.microsoft.com/kb/2685811) that is part of Knowledge Base article 2685811. Network monitoring input might not function if this update is not present on your system.
Answers
Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has around Windows network monitoring.
This documentation applies to the following versions of Splunk® Enterprise: 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.0.15, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.1.14