
Monitor Windows printer information
Splunk Enterprise supports the monitoring of statistics about all of the printers and drivers, print jobs, and printer ports on the local Windows host. It can collect the following print system information:
- Printer. Information on the print subsystem, such as the status of installed printers, and when printers get added or deleted.
- Job. Information on print jobs, including who has printed what, details on the jobs, and the status of existing jobs.
- Driver. Information on the print driver subsystem, including information on existing print drivers, and when a print driver gets added or removed.
- Port. Information on printer ports installed on the system, and when they get added or removed.
Both full instances of Splunk Enterprise and universal forwarders support local collection of printer subsystem information. If you have Splunk Cloud and want to monitor printer subsystem information, use the universal forwarder to consume the information and forward it to your Splunk Cloud deployment.
The printer monitor input runs as a process called splunk-winprintmon.exe
. This process runs once for every input you define, at the interval specified in the input. You can configure printer subsystem monitoring using Splunk Web or inputs.conf
.
Why monitor printer information?
Windows printer monitoring gives you detailed information about your Windows printer subsystem. You can monitor any changes to the system, such as installation and removal of printers, print drivers, and ports, the starting and completion of print jobs, and learn who printed what when. When a printer failure occurs, you can use print monitoring information as a first step into the forensic process. With the Splunk Enterprise search language, you can give your team at-a-glance statistics on all printers in your Windows network.
What's required to monitor printer information?
Activity | Required permissions |
---|---|
Monitor host information | * Splunk Enterprise must run on Windows. * Splunk Enterprise must run as the Local System user to read all local host information. |
Security and remote access considerations
Splunk Enterprise must run as the Local System user to collect Windows print subsystem information by default.
Use a universal forwarder to send printer information from remote machines to an indexer. If you choose to install forwarders on your remote machines to collect printer subsystem data, then you can install the forwarder as the Local System user on these machines. The Local System user has access to all data on the local machine, but not on remote machines.
If you run Splunk Enterprise as a user other than the "Local System" user, then that user must have local Administrator rights to the machine, and other permissions as detailed in Choose the Windows user Splunk Enterprise should run as in the Installation manual.
Use Splunk Web to configure printer information
Go to the Add New page
You can get there by two routes:
- Splunk Home
- Splunk Settings
By Splunk Settings:
- Click Settings in the upper right corner of Splunk Web.
- Click Data Inputs.
- Click Local Windows print monitoring.
- Click New to add an input.
By Splunk Home:
- Click the Add Data link in Splunk Home.
- Click Monitor to monitor print information from the local Windows machine.
- In the left pane, locate and select Local Windows print monitoring.
Select the input source
- In the Collection Name field, enter a unique name for this input that you will remember.
- In the Event Types list box, locate the print monitoring event types you want this input to monitor.
- Click once on each type you want to monitor. Splunk Enterprise moves the type from the "Available type(s)" window to the "Selected type(s)" window.
- To unselect a type, click on its name in the "Selected type(s)" window. Splunk Enterprise moves the counter from the "Selected type(s)" window to the "Available type(s)" window.
- (Optional) To select or unselect all of the types, click on the "add all" or "remove all" links. Important: Selecting all of the types can result in the indexing of a lot of data, possibly more than your license allows.
- In the Baseline control, click the Yes radio button to run the input as soon as it starts, and no further. Click No to run the input at the interval specified in the Interval (in minutes) field.
- Click the green Next button.
Specify input settings
The Input Settings page lets you specify application context, default host value, and index. All of these parameters are optional.
- Select the appropriate Application context for this input.
- Set the Host name value. You have several choices for this setting. Learn more about setting the host value in About hosts.
- Set the Index that Splunk Enterprise should send data to. Leave the value as "default", unless you have defined multiple indexes to handle different types of events. In addition to indexes for user data, Splunk Enterprise has a number of utility indexes, which also appear in this dropdown box.
- Click Review.
Note: Host only sets the host field in the resulting events. It does not direct Splunk Enterprise to look on a specific host on your network.
Review your choices
After specifying all your input settings, review your selections. Splunk Enterprise lists all options you selected, including the type of monitor, the source, the source type, the application context, and the index.
- Review the settings.
- If they do not match what you want, click < to go back to the previous step in the wizard. Otherwise, click Submit.
Splunk Enterprise then loads the "Success" page and begins indexing the specified print information.
Use inputs.conf to configure printer monitoring
You can edit inputs.conf
to configure printer monitoring. For information on how to edit configuration files, see About configuration files in the Admin manual.
- Copy inputs.conf from
%SPLUNK_HOME%\etc\system\default
toetc\system\local
. - Use Explorer or the
ATTRIB
command to remove the file's "Read Only" flag. - Open the file and edit it to enable Windows print monitoring inputs.
- Restart Splunk.
Print monitoring configuration values
Splunk Enterprise uses the following attributes in inputs.conf
to monitor Windows printer subsystem information:
Attribute | Required? | Description |
---|---|---|
type
|
Yes | The type of host information to monitor. Can be one of printer, job, driver , or port . The input will not run if this variable is not present.
|
baseline
|
No | Whether or not to generate a baseline of the existing state of the printer, job, driver, or port. If you set this attribtue to 1, then Splunk Enterprise writes a baseline. This might take additional time and CPU resources when Splunk Enterprise starts.
|
disabled
|
No | Whether or not to run the input. If you set this attribute to 1 , then Splunk Enterprise does not run the input.
|
Examples of Windows printer monitoring configurations
Following are some examples of how to use the Windows printer monitoring configuration attributes in inputs.conf
.
# Monitor printers on system. [WinPrintMon://printer] type = printer baseline = 0 # Monitor print jobs. [WinPrintMon://job] type = job baseline = 1 # Monitor printer driver installation and removal. [WinPrintMon://driver] type = driver baseline = 1 # Monitor printer ports. [WinPrintMon://port] type = port baseline = 1
Fields for Windows print monitoring data
When Splunk Enterprise indexes data from Windows print monitoring inputs, it sets the source for received events to windows
. It sets the source type of the incoming events to WinPrintMon
.
Answers
Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has around Windows print monitoring.
PREVIOUS Monitor Windows host information |
NEXT Monitor Windows network information |
This documentation applies to the following versions of Splunk® Enterprise: 6.3.0, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11, 6.5.0, 6.5.1, 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 6.6.12, 7.0.0, 7.0.1, 7.0.10, 6.3.1, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.11, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.1.0, 8.1.1, 7.0.13, 7.0.2
Feedback submitted, thanks!