Splunk® Enterprise

Getting Data In

Monitor Windows host information

You can monitor detailed statistics about your local Windows machine with the Splunk platform.

If you use Splunk Cloud Platform, you must collect Windows host information with a forwarder and send it to your Splunk Cloud Platform deployment. Follow these high-level steps:

  1. Install the universal forwarder on the Windows machine that you want to collect the host information.
  2. Install the app to connect the universal forwarder to the Splunk Cloud Platform instance.
  3. Configure the forwarder to collect the Windows host information.

Both full instances of Splunk Enterprise and universal forwarders support direct, local collection of host information. On these instance types, the Windows host monitor input runs as a process called splunk-winhostmon.exe. This process runs once for every Windows host monitoring input that you define at the interval that you specify in the input. On Splunk Enterprise, you can configure host monitoring using Splunk Web, and on the universal forwarder you can configure the inputs using the inputs.conf configuration file.

Why monitor host information?

You can monitor hosts to get detailed information about your Windows machines. You can monitor changes to the system, such as installation and removal of software, the starting and stopping of services, and uptime. When a system failure occurs, you can use Windows host monitoring information as a first step into the forensic process. With the Splunk Search Processing Language, you can give your team statistics on all machines in your Windows network.

The Splunk platform can collect the following information about a Windows machine:

General computer
The make and model of the computer, its host name, and the Active Directory domain it is in.
Operating system
The version and build number of the operating system and service packs installed on the computer, the computer name, the last time it started, the amount of installed and free memory, and the system drive.
Processor
The make and model of the CPUs installed in the system, their speed and version, the number of processors and cores, and the processor ID.
Disk
A list of all drives available to the system and, if available, their file system type and total and available space.
Network adapter
Information about the installed network adapters in the system, including manufacturer, product name, and MAC address.
Service
Information about the installed services on the system, including name, display name, description, path, service type, start mode, state, and status.
Process
Information on the running processes on the system, including the name, the command line with arguments), when they were started, and the executable path.

Requirements

To monitor host information, you must fulfill the following requirements:

  • Splunk Cloud Platform must receive Windows host information from a forwarder.
  • The forwarder must run on Windows. See Install on Windows in the Installation Manual.
  • To read all Windows host information locally, the forwarder must run as the Local System Windows user or a local administrator user.

Security and remote access considerations

The universal forwarder must run as the Local System user to collect Windows host information by default.

Where possible, use a universal forwarder to send Windows host information from remote machines to Splunk Cloud Platform or a Splunk Enterprise indexer. You must use a universal forwarder to send Windows host information to Splunk Cloud Platform. Review the Forwarder Manual for information about how to install, configure, and use the universal forwarder to collect Windows host data.

If you choose to install forwarders on your remote machines to collect Windows host data, then you can install the forwarder as the Local System user on these machines. The Local System user has access to all data on the local machine, but not on remote machines.

If you run Splunk Enterprise or the universal forwarder as a user other than the Local System user, then that user must have local administrator rights and other permissions on the machine that you want to collect host data. See Choose the Windows user Splunk Enterprise should run as in the Installation Manual.

Use the inputs.conf configuration file to configure host monitoring

To collect Windows host information on your Splunk Cloud Platform instance, you must configure a universal forwarder on the Windows machine that you want to collect host information. Then, you can send the data to Splunk Cloud Platform.

You can edit inputs.conf to configure host monitoring. For more information on how to edit configuration files, see About configuration files in the Admin Manual.

You can also configure this file directly on a Splunk Enterprise instance.

To configure host monitoring on inputs.conf, follow these steps:

  1. On the machine that you want to collect Windows host information, install a universal forwarder.
  2. Download and install the Splunk Cloud Platform universal forwarder credentials package on the forwarder.
  3. On the forwarder, use a text editor to create an inputs.conf configuration file in %SPLUNK_HOME%\etc\system\local and open it for editing.
  4. In the same text editor, open %SPLUNK_HOME%\etc\system\default\inputs.conf and review it for the Windows event log inputs you want to enable.
  5. Copy the Windows event log input stanzas you want to enable from %SPLUNK_HOME%\etc\system\default\inputs.conf.
  6. Paste the stanzas you copied into the %SPLUNK_HOME%\etc\system\local\inputs.conf file.
  7. Make edits to the stanzas that you copied to the %SPLUNK_HOME%\etc\system\local\inputs.conf file to collect the Windows event log data you want.
  8. Save the %SPLUNK_HOME%\etc\system\local\inputs.conf file and close it.
  9. Restart the universal forwarder.

When the Splunk platform indexes data from Windows host monitoring inputs, it sets the source for received events to windows. It sets the source type of the incoming events to WinHostMon.

Windows host monitor configuration values

Splunk Enterprise and the universal forwarder use the following settings in the inputs.conf configuration file to monitor Windows host information.

Setting Required? Description
interval Yes How often, in seconds, to poll for new data. If you set the interval to a negative number, the Splunk platform runs the input one time. If you do not define this setting, the input does not run, as there is no default.
type Yes The type of host information to monitor. Can be one of Computer, operatingSystem, processor, disk, networkAdapter, service, process, or driver. The input does not run if this setting is not present.
disabled No Whether or not to run the input. If you set this setting to 1, then the platform instance does not run the input.

For examples, see Examples of Windows host monitoring configurations later in this topic.

Use Splunk Web to configure host monitoring

You can configure Windows host information on Splunk Web in Splunk Enterprise only. Follow these high-level steps to configure host monitoring through Splunk Web:

  1. Go to the Add Data page
  2. Select the input source
  3. (Optional) Specify input settings
  4. Review your choices

Go to the Add Data page

Follow these steps to get to the Add Data page from Settings:

  1. Click Settings > Data Inputs.
  2. Click Files & Directories.
  3. Click New Local File & Directory to add an input.

Follow these steps to get to the Add Data page from your Splunk Enterprise home page:

  1. Click Add Data on the page.
  2. Click Monitor to monitor host information from the local Windows machine.

Select the input source

  1. In the left pane, locate and select Local Windows host monitoring.
  2. In the Collection Name field, enter a unique, memorable name for this input.
  3. In the Event Types box, locate the host monitoring event types you want this input to monitor.
  4. Click once on each type you want to monitor.
    Splunk Enterprise moves the type from the Available type(s) window to the Selected type(s) window.
  5. To deselect a type, click its name in the Selected type(s) window.
    Splunk Enterprise moves the counter from the Selected type(s) window to the Available type(s) window.
  6. (Optional) To select or deselect all of the types, click the add all or remove all links.

    Selecting all of the types can index of a lot of data and might exceed the data limits of your license.

  7. In the Interval field, enter the time, in seconds, between polling attempts for the input.
  8. Click Next.

Specify input settings

Go to the Input Settings page to specify the application context, default host value, and index. All of these parameters are optional.

  1. Select the appropriate Application context for this input.
  2. Set the Host name. You have several choices for this setting. For more about setting the host value, see About hosts.

    Host sets the host field only in the resulting events. It does not configure Splunk Enterprise to look on a specific host on your network.

  3. Set the Index to send data to. Leave the value as default, unless you defined multiple indexes to handle different types of events. In addition to indexes for user data, the Splunk platform has multiple utility indexes, which also appear in this dropdown list.
  4. Click Review.

Review your choices

After specifying all your input settings, review your selections. Splunk Enterprise lists all options you selected, including the type of monitor, the source, the source type, the application context, and the index.

  1. Review the settings.
  2. If they do not match what you want, click the left-angle bracket ( < ) to go back to the previous step in the wizard. Otherwise, click Submit.

Splunk Enterprise then loads the Success page and begins indexing the specified host information.

When Splunk Enterprise indexes data from Windows host monitoring inputs, it sets the source for received events to windows. It sets the source type of the incoming events to WinHostMon.

Examples of Windows host monitoring configurations

The following examples of how to configure Windows host monitoring in inputs.conf.

# Queries computer information.
[WinHostMon://computer]
type = Computer
interval = 300

# Queries OS information. 
# 'interval' set to a negative number tells Splunk Enterprise to
# run the input once only. 
[WinHostMon://os]
type = operatingSystem
interval = -1

# Queries processor information.
[WinHostMon://processor]
type = processor
interval = -1

# Queries hard disk information.
[WinHostMon://disk]
type = disk
interval = -1

# Queries network adapter information.
[WinHostMon://network]
type = networkAdapter
interval = -1

# Queries service information.
# This example runs the input every 5 minutes.
[WinHostMon://service]
type = service
interval = 300

# Queries information on running processes.
# This example runs the input every 5 minutes.
[WinHostMon://process]
type = process
interval = 300 
Last modified on 27 October, 2021
Monitor Windows data with PowerShell scripts   Monitor Windows printer information

This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.11, 8.1.13, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.3.0, 9.3.1, 9.3.2, 9.4.0, 8.1.10, 8.1.12, 8.1.14, 8.1.2


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters