Splunk® Enterprise

Getting Data In

Splunk Enterprise versions higher than version 9.4.2 are documented on our new documentation portal only. To get started, see the Splunk Enterprise page on help.splunk.com and the Splunk Enterprise 9.4.3 release notes. For information about how version selection works in the new portal, see Version selection on the About This Site page.

Monitor Windows network information

With the Splunk platform, you can monitor detailed statistics about network activity into or out of a Windows machine. On Splunk Cloud Platform, you can monitor Windows network information from a universal forwarder that you install on the Windows machine from which you want to collect the information. Then, you can forward that data to Splunk Cloud Platform.

The Splunk platform can collect the following network information:

  • Network activity. When a Windows machine performs any kind of network action, the Splunk platform can monitor it.
  • Address family. Whether or not the network transaction was made over the IPv4 or IPv6 protocols.
  • Packet type. The type of packet sent in the transaction, such as a connect or transport packet.
  • Protocol. Whether or not the network transaction was made over the TCP or UDP protocols.
  • Hosts. Information about the hosts involved in the network transaction, including the local and remote hosts, the ports which the hosts used to communicate, and any available DNS information.
  • Application. Which application initiated the network transaction.
  • User. The user that initiated the network transaction, including their ID and SID.
  • Miscellany. Miscellaneous information about the network transaction, including the transport header size and whether or not the transaction was protected by IPSec.

Windows versions of Splunk Enterprise and the universal forwarder support local collection of network information.

The network monitor input runs as a process called splunk-netmon.exe. This process runs once for every input you define, at the interval you choose in the input. You can configure network monitoring using either Splunk Web or the inputs.conf configuration file.

Windows network monitoring is only available on 64-bit Windows systems. It does not function on 32-bit Windows systems.

Monitoring network information

Windows network monitoring gives you detailed information about your Windows network activity. You can monitor all transactions on the network, such as the initiation of a network connection by a user or process or whether or not the transaction uses the IPv4 or IPv6 address families. The network monitoring facilities in can help you detect and interrupt an incoming or outgoing denial of service attack by telling you the involved machines. With the Splunk search processing language, you can give your team at-a-glance statistics on all Windows network operations.

Requirements

Meet the following requirements before you monitor network information:

  • Splunk Enterprise or the universal forwarder must run on Windows. See Install on Windows in the Splunk Enterprise Installation Manual.
  • The Windows version on the machine must be one of the following:
    • Windows 8.1
    • Windows 10
    • Windows Server 2012 R2
    • Windows Server 2016
    • Windows Server 2019
  • The Windows system must have all available updates and service packs applied. Network monitoring input might not function if all updates are not present on your Windows machine.
  • Splunk Enterprise or the universal forwarder must run as the Local System user or a local administrator account to read all local host information.

Security and remote access considerations

The Splunk platform must run as the Local System user to collect Windows network information by default.

Use a universal forwarder to send host information from remote machines to an indexer when possible. If you choose to install forwarders on your remote machines to collect Windows network information, then install the forwarder as the Local System user on these machines. The Local System user has access to all data on the local machine, but not on remote machines.

If you run the Splunk platform as a user other than the Local System user, then that user must have local Administrator rights to the machine and other explicit permissions, as detailed in Choose the Windows user Splunk Enterprise should run as in the Installation manual.

Use the inputs.conf file to configure Windows network monitoring

To define a Windows network monitoring input, use the [WinNetMon://<name>] stanza in the inputs.conf file. The Splunk platform uses the following settings to configure the Windows network monitor input.

  1. Using a text editor, create the inputs.conf file in the %SPLUNK_HOME%\etc\system\local directory on the instance where you want to collect Windows network information.
  2. Add a [WinNetMon://<name>] stanza to the file.
  3. Specify one or more of the settings in the table following this task, based on how you want to configure monitoring of the Windows network.
  4. Save the file and close it.
  5. Restart the Splunk platform.
    Monitoring of the Windows network begins immediately.

The following table shows the settings you can configure to monitor a Windows network:

Setting Description Default
disabled = [0|1] Whether or not the input runs. Set to 1 to disable the input and 0 to enable it. 0 (enabled)
index = <string> The index that this input sends the data to. This attribute is optional. The default index
remoteAddress = <regular expression> Matches against the remote IP address involved in the network transaction. Accepts regular expressions that represent IP addresses only, not host names. Filters out events with remote addresses that do not match the regular expression. Passes through events with remote addresses that match the regular expression.

For example: 192\.163\..* matches all IP addresses in the 192.163.x.x range.

Empty string (matches everything)
process = <regular expression> Matches against the process or application name which performed the network access. Filters out events generated by processes that do not match the regular expression. Passes through events generated by processes that match the regular expression. Empty string (matches all processes or applications)
user = <regular expression> Matches against the user name which performed the network access. Filters out events generated by users that do not match the regular expression. Passes through events generated by users that match the regular expression. Empty string (includes access by all users)
addressFamily = [ipv4;ipv6] If set, matches against the address family used in the network access. Accepts semicolon-separated values, for example ipv4;ipv6. Empty string (includes all IP traffic)
packetType = [connect;accept;transport] Matches against the packet type used in the transaction. Accepts semicolon-separated values, for example connect;transport. Empty string (includes all packet types)
direction = [inbound;outbound] If set, matches against the general direction of the network traffic. Inbound means traffic coming into the monitoring machine, and outbound means traffic leaving the monitoring machine. Accepts semicolon-separated values, for example inbound;outbound. Empty string (includes both directions)
protocol = [tcp;udp] Matches against the specified network protocol.

tcp means Transmission Control Protocol, where networks use handshakes to and state to set up transactions. udp means User Datagram Protocol, a stateless, fire and forget network protocol.

Accepts semicolon-separated values, for example tcp;udp.

Empty string (includes both protocol types.)
readInterval = <integer> Advanced option. Use the default value unless there is a problem with input performance.

How often, in milliseconds, to read the network monitor filter driver. Allows for the adjustment of call frequency into the kernel driver. Higher frequencies might affect network performance, while lower frequencies can cause event loss. The minimum legal value is 10 and the maximum legal value is 1000.

100
driverBufferSize = <integer> Advanced option. Use the default value unless there is a problem with input performance.

The number of network packets it keeps in the network monitor filter driver buffer. Controls the amount of packets that the driver caches. Lower values might result in event loss, while higher values might increase the size of non-paged memory. The minimum legal value is 128 and the maximum legal value is 8192.

1024
mode = <string> How to output each event. The Splunk platform can output each event in either single or multikv (key-value pair) mode. single
multikvMaxEventCount = <integer> Advanced option. Use the default value unless there is a problem with input performance.

The maximum amount of events to output when you set mode to multikv. The minimum legal value is 10 and the maximum legal value is 500.

100
multikvMaxTimeMs = <integer> Advanced option. Use the default value unless there is a problem with input performance.

The maximum amount of time, in milliseconds, to output mulitkv events when you set mode to multikv. The minimum legal value is 100 and the maximum legal value is 5000.

1000

Use Splunk Web to configure host monitoring

You can only use Splunk Web to monitor Windows network information on a Splunk platform instance. In any other scenario, you must configure host monitoring with a configuration file.

Follow these high-level steps to configure host monitoring with Splunk Web:

  1. Go to the Add Data page.
  2. Select the input source.
  3. Specify input settings.
  4. Review your choices.

Go to the Add Data page

Choose one of the following options to get to the Add Data page.

To add data from settings, follow these steps:

  1. Click Settings in the upper right corner of Splunk Web.
  2. Click Data Inputs.
  3. Click Local Windows network monitoring.
  4. Click New to add an input.

To add data from the Splunk Web homepage, follow these steps:

  1. Click Add Data.
  2. Click Monitor to monitor network information from the local Windows machine or Forward to forward network information from another Windows machine.

    Forwarding network information requires additional setup.

    Splunk Web displays the Add Data - Select Source page.
  3. In the left pane, locate and select Local Windows network monitoring.

Select the input source

  1. In the Network Monitor Name field, enter a unique and memorable name for this input.
  2. Under Address family, check the IP address family types that you want the Splunk platform to monitor. The types are either IPv4 or IPv6.
  3. Under Packet Type, check the packet types you want the input to monitor. You can choose connect, accept, or transport.
  4. Under Direction, check the network directions that you want the input to monitor. Choose inbound to monitor toward the monitoring host or outbound to monitor away from the host.
  5. Under Protocol, check the network protocol types that you want the input to monitor. Choose tcp (Transmission Control Protocol) or udp (User Datagram Protocol).
  6. In the Remote address text field, enter the host name or IP address of a remote host whose network communications with the monitoring host that you want the input to monitor. If you want to monitor multiple hosts, enter a regular expression in this field.
  7. In the Process text field, enter the partial or full name of a process whose network communications you want the input to monitor. You can monitor multiple processes by entering a regular expression.
  8. In the User text field, enter the partial or full name of a user whose network communications you want the input to monitor. You can monitor multiple users by entering a regular expression.
  9. Click Next.

Specify input settings

You can specify application context, default host value, and index on the Input Settings page. All of these parameters are optional.

  1. Select the appropriate Application context for this input.
  2. Set the Host name. You have several choices for this setting. Learn more about setting the host value in About hosts.

    Host sets only the host field in the resulting events. It does not direct the Splunk platform to look on a specific host on your network.

  3. Set the Index that the Splunk platform will send data to. Leave the value as default unless you defined multiple indexes to handle different types of events. In addition to indexes for user data, the Splunk platform has a number of utility indexes, which also appear in this drop-down list.
  4. Click Review.

Review your choices

After specifying all your input settings, review your selections. The Splunk platform lists all options you selected, including the type of monitor, the source, the source type, the application context, and the index.

  1. Review the settings.
  2. If they do not match what you want, click the left-pointing angle bracket (<) to go back to the previous step in the wizard. Otherwise, click Submit.

The success page loads, and the Splunk platform begins indexing the specified print information.


Fields for Windows network monitoring data

When the Splunk platform indexes data from Windows network monitoring inputs, it sets the source for received events to windows. It sets the source type of the incoming events to WinNetMon.

Last modified on 27 October, 2021
Monitor Windows printer information   Share HEC Data

This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.1.8, 9.1.9, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.2.5, 9.2.6, 9.3.0, 9.3.1, 9.3.2, 9.3.3, 9.3.4, 9.4.0, 9.4.1, 9.4.2

Acrobat logo Download manual
Acrobat logo Download this page

Please expect delayed responses to documentation feedback while the team migrates content to a new system. We value your input and thank you for your patience as we work to provide you with an improved content experience!

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters