Monitor Windows host information
Splunk Enterprise supports the monitoring of detailed statistics about the local Windows machine. It can collect the following information about the Windows host:
- General computer. The make and model of the computer, its host name and the Active Directory domain it is in.
- Operating system. The version and build number of the operating system installed on the computer, as well as any service packs; the computer name; the last time it was started, the amount of installed and free memory, and the system drive.
- Processor. The make and model of the CPU(s) installed in the system, their speed and version, the number of processor(s) and core(s), and the processor ID.
- Disk. A listing of all drives available to the system and, if available, their file system type and total and available space.
- Network Adapter. Information about the installed network adapters in the system, including manufacturer, product name and MAC address.
- Service. Information about the installed services on the system, including name, display name, description, path, service type, start mode, state, and status.
- Process. Information on the running processes on the system, including the name, the command line (with arguments), when they were started, and the executable's path.
Both full instances of Splunk Enterprise and universal forwarders support local collection of host information.
The host monitor input runs as a process called
splunk-winhostmon.exe. This process runs once for every input defined, at the interval specified in the input. You can configure host monitoring using Splunk Web or
Why monitor host information?
Windows host monitoring gives you detailed information about your Windows hosts. You can monitor changes to the system, such as installation and removal of software, the starting and stopping of services, and uptime. When a system failure occurs, you can use Windows host monitoring information as a first step into the forensic process. With the Splunk Enterprise search language, you can give your team at-a-glance statistics on all machines in your Windows network.
What's required to monitor host information?
|Monitor host information|| * Splunk Enterprise must run on Windows.|
* Splunk Enterprise must run as the Local System user or a local administrator account to read all local host information.
Security and remote access considerations
Splunk Enterprise must run as the Local System user to collect Windows host information by default.
Splunk recommends using a universal forwarder to send host information from remote machines to an indexer. Review "The universal forwarder" in the Forwarding Data manual for information about how to install, configure and use the forwarder to collect Windows host data.
If you choose to install forwarders on your remote machines to collect Windows host data, then you can install the forwarder as the Local System user on these machines. The Local System user has access to all data on the local machine, but not on remote machines.
If you run Splunk Enterprise as a user other than the "Local System" user, then that user must have local Administrator rights on the machine that you want to collect host data. It must also have other permissions, as detailed in "Choose the Windows user Splunk Enterprise should run as" in the Installation manual.
Use Splunk Web to configure host monitoring
Go to the Add New page
You can get there by two routes:
- Splunk Home
- Splunk Settings
By Splunk Settings:
1. Click Settings in the upper right corner of Splunk Web.
2. Click Data Inputs.
3. Click Files & Directories.
4. Click New to add an input.
By Splunk Home:
1. Click the Add Data link in Splunk Home.
2. Click Monitor to monitor host information from the local Windows machine.
Select the input source
1. In the left pane, locate and select Local Windows host monitoring.
2. In the Collection Name field, enter a unique name for this input that you will remember.
3. In the Event Types list box, locate the host monitoring event types you want this input to monitor.
4. Click once on each type you want to monitor. Splunk Enterprise moves the type from the "Available type(s)" window to the "Selected type(s)" window.
5. To unselect a type, click on its name in the "Selected type(s)" window. Splunk Enterprise moves the counter from the "Selected type(s)" window to the "Available type(s)" window.
6. (Optional) To select or unselect all of the types, click on the "add all" or "remove all" links. Important: Selecting all of the types can result in the indexing of a lot of data, possibly more than your license allows.
7. In the Interval field, enter the time, in seconds, between polling attempts for the input.
8. Click Next.
Specify input settings
The Input Settings page lets you specify application context, default host value, and index. All of these parameters are optional.
1. Select the appropriate Application context for this input.
2. Set the Host name value. You have several choices for this setting. Learn more about setting the host value in "About hosts".
- Note: Host only sets the host field in the resulting events. It does not direct Splunk Enterprise to look on a specific host on your network.
3. Set the Index that Splunk Enterprise should send data to. Leave the value as "default", unless you have defined multiple indexes to handle different types of events. In addition to indexes for user data, Splunk Enterprise has a number of utility indexes, which also appear in this dropdown box.
4. Click Review.
Review your choices
After specifying all your input settings, review your selections. Splunk Enterprise lists all options you selected, including the type of monitor, the source, the source type, the application context, and the index.
1. Review the settings.
2. If they do not match what you want, click < to go back to the previous step in the wizard. Otherwise, click Submit.
Splunk Enterprise then loads the "Success" page and begins indexing the specified host information.
Use inputs.conf to configure host monitoring
You can edit
inputs.conf to configure host monitoring. For more information on how to edit configuration files, see "About configuration files" in the Admin manual.
1. Create an
%SPLUNK_HOME%\etc\system\local and open it for editing.
%SPLUNK_HOME%\etc\system\default\inputs.conf and review it for the Windows event log inputs you want to enable.
3. Copy the Windows event log input stanzas you want to enable from
4. Paste the stanzas you copied into
5. Make edits to the stanzas to collect the Windows event log data you desire.
%SPLUNK_HOME%\etc\system\local\inputs.conf and close it.
7. Restart Splunk Enterprise.
Windows host monitor configuration values
Splunk Enterprise uses the following attributes in
inputs.conf to monitor Windows host information.
||Yes||How often, in seconds, to poll for new data. If you set the interval to a negative number, Splunk Enterprise runs the input one time. If you do not define this attribute, the input does not run, as there is no default.|
||Yes|| The type of host information to monitor. Can be one of |
||No|| Whether or not to run the input. If you set this attribute to |
Examples of Windows host monitoring configurations
Following are some examples of how to use the Windows host monitoring configuration attributes in
# Queries computer information. [WinHostMon://computer] type = Computer interval = 300 # Queries OS information. # 'interval' set to a negative number tells Splunk Enterprise to # run the input once only. [WinHostMon://os] type = operatingSystem interval = -1 # Queries processor information. [WinHostMon://processor] type = processor interval = -1 # Queries hard disk information. [WinHostMon://disk] type = disk interval = -1 # Queries network adapter information. [WinHostMon://network] type = networkAdapter interval = -1 # Queries service information. # This example runs the input ever 5 minutes. [WinHostMon://service] type = service interval = 300 # Queries information on running processes. # This example runs the input every 5 minutes. [WinHostMon://process] type = process interval = 300
Fields for Windows host monitoring data
Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has around Windows host information.
Monitor Windows data with PowerShell scripts
Monitor Windows printer information
This documentation applies to the following versions of Splunk® Enterprise: 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14