Splunk® Enterprise

Getting Data In

Download manual as PDF

Splunk Enterprise version 6.x is no longer supported as of October 23, 2019. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Download topic as PDF

Monitor Windows network information

Splunk Enterprise supports the monitoring of Windows network information - detailed statistics about network activity into or out of a Windows machine. It can collect the following network information:

  • Network activity: When a Windows machine performs any kind of network action, you can use Splunk Enterprise to monitor it.
  • Address family: Whether or not the network transaction was made over the IPv4 or IPv6 protocols.
  • Packet type: The type of packet sent in the transaction (for example, a 'connect' or 'transport' packet.
  • Protocol: Whether or not the network transaction was made over the TCP or UDP protocols.
  • Hosts: Information about the hosts involved in the network transaction, including the local and remote hosts, the ports which the hosts used to communicate, and any available DNS information.
  • Application: Which application initiated the network transaction.
  • User: The user that initiated the network transaction, including his or her ID and SID.
  • Miscellany: Miscellaneous information about the network transaction, including the transport header size and whether or not the transaction was protected by IPSec.

Both full instances of Splunk Enterprise and universal forwarders support local collection of network information.

The network monitor input runs as a process called splunk-netmon.exe. This process runs once for every input defined, at the interval specified in the input. You can configure network monitoring using Splunk Web or inputs.conf.

Important: Windows network monitoring in Splunk Enterprise is only available on 64-bit Windows systems. It does not function on 32-bit Windows systems.

Why monitor network information?

Windows network monitoring allows you to get detailed information about your Windows network activity. You can monitor all transactions on the network, such as the initiation of a network connection by a user or process or whether or not the transaction uses the IPv4 or IPv6 address families. The network monitoring facilities in Splunk Enterprise can allow you to detect and interrupt an incoming (or outgoing) denial of service attack by telling you which machines are involved. With Splunk's search language, you can develop dashboards and views which can give your team at-a-glance statistics on all Windows network operations.

What's required to monitor network information?

Activity: Requirements:
Monitor network information
  • Splunk must run on Windows
  • The Windows version on the machine must be one of:
    • Windows Vista
    • Windows 7
    • Windows 8
    • Windows Server 2008
    • Windows Server 2008 R2, or
    • Windows Server 2012
  • The Windows system must have all available updates and service packs applied, including the Kernel-Mode Driver Framework version 1.11 update on machines that run Windows Vista, Windows 7, Windows Server 2008, and Windows Server 2008 R2.
  • Splunk must run as the Local System user or a local administrator account to read all local host information

Security and remote access considerations

Splunk Enteprise must run as the Local System user to collect Windows network information by default.

Splunk recommends using a universal forwarder to send host information from remote machines to an indexer. Review "Introducing the universal forwarder" in the Forwarding Data manual for information about how to install, configure and use the forwarder to collect Windows host data.

If you choose to install forwarders on your remote machines to collect Windows network information, then you can install the forwarder as the Local System user on these machines. The Local System user has access to all data on the local machine, but not on remote machines.

If you run Splunk Enterprise as a user other than the "Local System" user, then that user must have local Administrator rights to the machine from which you want to collect host data. The user requires other explicit permissions, as detailed in "Choose the Windows user Splunk Enterprise should run as" in the Installation manual.

Use Splunk Web to configure host monitoring

Configure local host monitoring

1. Click Settings in the upper right-hand corner of Splunk Web.

2. In the pop-up that appears, under Data, click Data Inputs.

3. Click Local Windows network monitoring. Splunk Web loads the Windows network monitoring page.

4. Click New to add an input. Splunk Web loads the Add new page.

5. In the Network monitor name field, enter a name for the input that you'll remember.

6. Under the Address family header, check the IP address family types that you want Splunk Enterprise to monitor (either IPv4 or IPv6.)

7. Under the Packet Type header, check the packet types you want the input to monitor (any of connect, accept, or transport.)

8. Under the Direction header, check the network directions that you want the input to monitor (any of inbound (toward the monitoring host) or outbound (away from the monitoring host).

9. Under the Protocol field, check the network protocol types that you want the input to monitor (any of tcp (Transmission Control Protocol) or udp (User Datagram Protocol).

10. In the Remote address text field, enter the host name or IP address of a remote host whose network communications with the monitoring host that you want the input to monitor.

Note: If you want to monitor multiple hosts, you can do so by entering a regular expression in this field.

11. In the Process text field, enter the partial or full name of a process whose network communications you want the input to monitor.

Note: As with the remote address, you can monitor multiple processes by entering a regular expression.

12. In the User text field, enter the partial or full name of a user whose network communications you want the input to monitor.

Note: As with the remote address and process entries, you can monitor multiple users by entering a regular expression in this field.

13. In the Index drop-down, select the index that you want the input to send its data to.

14. Click Save.

Splunk Enterprise adds and enables the input.

Use inputs.conf to configure network monitoring

You can edit inputs.conf to configure network monitoring. For more information on configuring data inputs with inputs.conf, read "Configure your inputs" in this manual.

Note: You can always review the defaults for a configuration file by looking at the examples in %SPLUNK_HOME%\etc\system\default or at the spec file in the Admin manual.

To enable network monitoring inputs by editing inputs.conf:

1. Copy inputs.conf from %SPLUNK_HOME%\etc\system\default to etc\system\local.

2. Use Explorer or the ATTRIB command to remove the file's "Read Only" flag.

3. Open the file and edit it to enable Windows network monitoring inputs.

4. Restart Splunk.

The next section describes the specific configuration values for host monitoring.

Windows host monitor configuration values

To define a Windows network monitoring input, use the [WinNetMon://<name>] stanza in inputs.conf. Splunk Enterprise uses the following attributes to configure the Windows network monitor input:

Attribute: Description: Default:
disabled = [0|1]
  • Specifies whether the input is enabled or not.
  • Set to 1 to disable the input, and 0 to enable it.
 0 (enabled)
index = <string>
  • Specifies the index that this input should send the data to.
  • This attribute is optional.
 The default index
remoteAddress = <regular expression>
  • If set, matches against the remote IP address involved in the network transaction.
  • Accepts regular expressions which represent IP addresses only, not host names.
  • Filters out events with remote addresses that do not match the regular expression.
  • Passes through events with remote addresses that match the regular expression.
  • Example: 192\.163\..* matches all IP addresses in the 192.163.x.x range.
 (empty string - matches everything)
process = <regular expression>
  • If set, matches against the process or application name which performed network access
  • Filters out events generated by processes that do not match the regular expression.
  • Passes through events generated by processes that match the regular expression.
 (empty string - matches all processes or applications)
user = <regular expression>
  • If set, matches against the user name which performed network access
  • Filters out events generated by users that do not match the regular expression.
  • Passes through events generated by users that match the regular expression.
 (empty string - includes access by all users)
addressFamily = [ipv4;ipv6]
  • If set, matches against the address family used in the network access.
  • Accepts semicolon-separated values, for example "ipv4;ipv6".
 (empty string - includes all IP traffic.)
packetType = [connect;accept;transport]
  • If set, matches against the packet type used in the transaction.
  • Accepts semicolon-separated values, for example "connect;transport".
 (empty string - includes all packet types.)
direction = [inbound;outbound]
  • If set, matches against the general direction of the network traffic.
  • "Inbound" means traffic coming into the monitoring machine, "outbound" means traffic leaving the monitoring machine.
  • Accepts semicolon-separated values, for example "inbound;outbound".
 (empty string - includes both directions.)
protocol = [tcp;udp]
  • If set, matches against the specified network protocol.
  • "tcp" means Transmission Control Protocol, where networks use handshakes to and state to set up transactions.
  • "udp" means User Datagram Protocol, a stateless, "fire and forget" protocol.
  • Accepts semicolon-separated values, for example "tcp;udp".
 (empty string - includes both protocol types.)
readInterval = <integer>
  • Tells Splunk Enterprise how often, in milliseconds, to read the network monitor filter driver.
  • Advanced option. We recommend that you use the default value unless there is a problem with input performance.
  • Allows for the adjustment of call frequency into the kernel driver. Higher frequencies might affect network performance, while lower frequencies can cause event loss.
  • The minimum legal value is 10 and the maximum legal value is 1000.
 100
driverBufferSize = <integer>
  • Tells Splunk Enterprise the number of network packets it should keep in the network monitor filter driver buffer.
  • Advanced option. We recommend that you use the default value unless there is a problem with input performance.
  • Controls the amount of packets that the driver caches. Lower values might result in event loss, while higher values might increase the size of non-paged memory.
  • The minimum legal value is 128 and the maximum legal value is 8192.
 1024
mode = <string>
  • Tells Splunk Enterprise how to output each event.
  • Splunk Enterprise can output each event in either single or multikv (key-value pair) mode.
 single
multikvMaxEventCount = <integer>
  • Tells Splunk Enterprise the maximum amount of events to output when you set mode to multikv.
  • Advanced option. We recommend that you use the default value unless there is a problem with input performance.
  • The minimum legal value is 10 and the maximum legal value is 500.
 100
multikvMaxTimeMs = <integer>
  • Tells Splunk Enterprise the maximum amount of time, in milliseconds, to output mulitkv events when you set mode to multikv.
  • Advanced option. We recommend that you use the default value unless there is a problem with input performance.
  • The minimum legal value is 100 and the maximum legal value is 5000.
 1000

Fields for Windows network monitoring data

When Splunk Enterprise indexes data from Windows network monitoring inputs, it sets the source for received events to windows. It sets the source type of the incoming events to WinNetMon.

Ensure that your Windows machine is fully patched

If you encounter issues while running the network monitoring input on a Windows Vista, Windows 7, Windows Server 2008, or Windows Server 2008 R2 machine, make sure that you have updated the machine with all available patches, including the Kernel-Mode Driver Framework version 1.11 Update (http://support.microsoft.com/kb/2685811) that is part of Knowledge Base article 2685811. Network monitoring input might not function if this update is not present on your system.

Answers

Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has around Windows network monitoring.

Last modified on 11 September, 2014
PREVIOUS
Monitor Windows printer information 		  NEXT
Monitor First In, First Out (FIFO) queues

This documentation applies to the following versions of Splunk® Enterprise: 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.0.15, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.1.14

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters