Splunk® Enterprise

Getting Data In

Acrobat logo Download manual as PDF


Acrobat logo Download topic as PDF

Monitor Windows printer information

Splunk Enterprise supports the monitoring of statistics about all of the printers and drivers, print jobs, and printer ports on the local Windows host. It can collect the following print system information:

  • Printer. Information on the print subsystem, such as the status of installed printers, and when printers get added or deleted.
  • Job. Information on print jobs, including who has printed what, details on the jobs, and the status of existing jobs.
  • Driver. Information on the print driver subsystem, including information on existing print drivers, and when a print driver gets added or removed.
  • Port. Information on printer ports installed on the system, and when they get added or removed.

Both full instances of Splunk Enterprise and universal forwarders support local collection of printer subsystem information. If you have Splunk Cloud and want to monitor printer subsystem information, use the universal forwarder to consume the information and forward it to your Splunk Cloud deployment.

The printer monitor input runs as a process called splunk-winprintmon.exe. This process runs once for every input you define, at the interval specified in the input. You can configure printer subsystem monitoring using Splunk Web or inputs.conf.

Why monitor printer information?

Windows printer monitoring gives you detailed information about your Windows printer subsystem. You can monitor any changes to the system, such as installation and removal of printers, print drivers, and ports, the starting and completion of print jobs, and learn who printed what when. When a printer failure occurs, you can use print monitoring information as a first step into the forensic process. With the Splunk Enterprise search language, you can give your team at-a-glance statistics on all printers in your Windows network.

What's required to monitor printer information?

Activity Required permissions
Monitor host information * Splunk Enterprise must run on Windows.
* Splunk Enterprise must run as the Local System user to read all local host information.

Security and remote access considerations

Splunk Enterprise must run as the Local System user to collect Windows print subsystem information by default.

Use a universal forwarder to send printer information from remote machines to an indexer. If you choose to install forwarders on your remote machines to collect printer subsystem data, then you can install the forwarder as the Local System user on these machines. The Local System user has access to all data on the local machine, but not on remote machines.

If you run Splunk Enterprise as a user other than the "Local System" user, then that user must have local Administrator rights to the machine, and other permissions as detailed in Choose the Windows user Splunk Enterprise should run as in the Installation manual.

Use Splunk Web to configure printer information

Go to the Add New page

You can get there by two routes:

  • Splunk Home
  • Splunk Settings

By Splunk Settings:

  1. Click Settings in the upper right corner of Splunk Web.
  2. Click Data Inputs.
  3. Click Local Windows print monitoring.
  4. Click New to add an input.

By Splunk Home:

  1. Click the Add Data link in Splunk Home.
  2. Click Monitor to monitor print information from the local Windows machine.
  3. In the left pane, locate and select Local Windows print monitoring.

Select the input source

  1. In the Collection Name field, enter a unique name for this input that you will remember.
  2. In the Event Types list box, locate the print monitoring event types you want this input to monitor.
  3. Click once on each type you want to monitor. Splunk Enterprise moves the type from the "Available type(s)" window to the "Selected type(s)" window.
  4. To unselect a type, click on its name in the "Selected type(s)" window. Splunk Enterprise moves the counter from the "Selected type(s)" window to the "Available type(s)" window.
  5. (Optional) To select or unselect all of the types, click on the "add all" or "remove all" links. Important: Selecting all of the types can result in the indexing of a lot of data, possibly more than your license allows.
  6. In the Baseline control, click the Yes radio button to run the input as soon as it starts, and no further. Click No to run the input at the interval specified in the Interval (in minutes) field.
  7. Click the green Next button.

Specify input settings

The Input Settings page lets you specify application context, default host value, and index. All of these parameters are optional.

  1. Select the appropriate Application context for this input.
  2. Set the Host name value. You have several choices for this setting. Learn more about setting the host value in About hosts.

    3. Note: Host only sets the host field in the resulting events. It does not direct Splunk Enterprise to look on a specific host on your network.

  3. Set the Index that Splunk Enterprise should send data to. Leave the value as "default", unless you have defined multiple indexes to handle different types of events. In addition to indexes for user data, Splunk Enterprise has a number of utility indexes, which also appear in this dropdown box.
  4. Click Review.

Review your choices

After specifying all your input settings, review your selections. Splunk Enterprise lists all options you selected, including the type of monitor, the source, the source type, the application context, and the index.

  1. Review the settings.
  2. If they do not match what you want, click < to go back to the previous step in the wizard. Otherwise, click Submit.

Splunk Enterprise then loads the "Success" page and begins indexing the specified print information.

Use inputs.conf to configure printer monitoring

You can edit inputs.conf to configure printer monitoring. For information on how to edit configuration files, see About configuration files in the Admin manual.

  1. Copy inputs.conf from %SPLUNK_HOME%\etc\system\default to etc\system\local .
  2. Use Explorer or the ATTRIB command to remove the file's "Read Only" flag.
  3. Open the file and edit it to enable Windows print monitoring inputs.
  4. Restart Splunk.

Print monitoring configuration values

Splunk Enterprise uses the following attributes in inputs.conf to monitor Windows printer subsystem information:

Attribute Required? Description
type Yes The type of host information to monitor. Can be one of printer, job, driver, or port. The input will not run if this variable is not present.
baseline No Whether or not to generate a baseline of the existing state of the printer, job, driver, or port. If you set this attribtue to 1, then Splunk Enterprise writes a baseline. This might take additional time and CPU resources when Splunk Enterprise starts.
disabled No Whether or not to run the input. If you set this attribute to 1, then Splunk Enterprise does not run the input.

Examples of Windows printer monitoring configurations

Following are some examples of how to use the Windows printer monitoring configuration attributes in inputs.conf. 

# Monitor printers on system.
[WinPrintMon://printer]
type = printer
baseline = 0

# Monitor print jobs.
[WinPrintMon://job]
type = job
baseline = 1

# Monitor printer driver installation and removal.
[WinPrintMon://driver]
type = driver
baseline = 1

# Monitor printer ports.
[WinPrintMon://port]
type = port
baseline = 1

Fields for Windows print monitoring data

When Splunk Enterprise indexes data from Windows print monitoring inputs, it sets the source for received events to windows. It sets the source type of the incoming events to WinPrintMon.

Answers

Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has around Windows print monitoring.

Last modified on 01 December, 2020
PREVIOUS
Monitor Windows host information 		  NEXT
Monitor Windows network information

This documentation applies to the following versions of Splunk® Enterprise: 6.3.0, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11, 6.5.0, 6.5.1, 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 6.6.12, 7.0.0, 7.0.1, 7.0.10, 6.3.1, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.11, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.1.0, 8.1.1, 7.0.13, 7.0.2

Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters