Monitoring Windows data with Splunk Enterprise
Splunk software can index many different kinds of Windows data. This data can be pretty much anything: an Event Log channel, the Registry, or Active Directory. You also have available the standard set of Splunk inputs, such as files and directories, the network monitoring inputs, and scripted inputs.
The following specialized inputs are available only on Windows installations of Splunk Enterprise. If you have Splunk Cloud and want to monitor these inputs, use the Splunk Universal Forwarder.
- Windows Event Logs. Monitor events generated by the Windows Event Log service on any available event log channel on the machine. You can collect events on the local machine or remotely by using either a universal forwarder or Windows Management Instrumentation (WMI).
- Performance monitoring. Collect performance data on Windows machines with Splunk Enterprise and then alert or report on that data. Any performance counter that is available in Performance Monitor is also available to Splunk Enterprise. You can monitor performance locally or remotely through a universal forwarder or WMI.
- Remote monitoring over WMI. Splunk Enterprise can use WMI to access event log and performance data on remote machines.
- Registry monitoring. You can monitor changes to the local Windows Registry using the Registry monitoring capability. You can use a universal forwarder to gather Registry data from remote machines.
- Active Directory monitoring. Splunk Enterprise can audit any changes to the Active Directory including changes to user, group, machine, and group policy objects. You can forward Active Directory data to another Splunk Enterprise server.
The Splunk App for Windows Infrastructure
The Splunk App for Windows Infrastructure provides data inputs, searches, reports, alerts, and dashboards for Windows server and desktop management. You can monitor, manage, and troubleshoot Windows operating systems from one place. The app includes inputs for CPU, disk I/O, memory, event logs, configurations, and user data, plus a web-based setup UI for indexing Windows event logs.
Initial considerations for deploying Splunk Enterprise on Windows
When you install and deploy Splunk Enterprise on Windows, consider the following:
- Authentication. To perform any operations on remote Windows machines in your network, Splunk Enterprise must run as a user with credentials to access those machines. Make these credentials available before deploying. See "Considerations for deciding how to monitor remote Windows data."
- Disk bandwidth. Splunk Enterprise indexers require lots of disk I/O bandwidth, particularly when indexing large amounts of data. Make sure that you configure any installed antivirus software to avoid monitoring Splunk Enterprise directories or processes, because such scans significantly reduce performance.
- Shared hosts. Before you install Splunk Enterprise on a host that runs other services, such as Exchange, SQL Server, or a hypervisor, see Introduction to capacity planning for Splunk Enterprise in the Capacity Planning manual.
The most efficient way to gather data from any Windows server is to install universal forwarders on the hosts that you want to gather data. Universal forwarders use limited resources. In some cases, such as Registry monitoring, you must use a forwarder, because you cannot collect Registry data over WMI.
Send SNMP events to your Splunk deployment
How to get Windows data into your Splunk deployment
This documentation applies to the following versions of Splunk® Enterprise: 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 6.6.12, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.3.0, 7.3.1, 7.3.2