Monitor Windows network information
With the Splunk platform, you can monitor detailed statistics about network activity into or out of a Windows machine. On Splunk Cloud Platform, you can monitor Windows network information from a universal forwarder that you install on the Windows machine from which you want to collect the information. Then, you can forward that data to Splunk Cloud Platform.
The Splunk platform can collect the following network information:
- Network activity. When a Windows machine performs any kind of network action, the Splunk platform can monitor it.
- Address family. Whether or not the network transaction was made over the IPv4 or IPv6 protocols.
- Packet type. The type of packet sent in the transaction, such as a connect or transport packet.
- Protocol. Whether or not the network transaction was made over the TCP or UDP protocols.
- Hosts. Information about the hosts involved in the network transaction, including the local and remote hosts, the ports which the hosts used to communicate, and any available DNS information.
- Application. Which application initiated the network transaction.
- User. The user that initiated the network transaction, including their ID and SID.
- Miscellany. Miscellaneous information about the network transaction, including the transport header size and whether or not the transaction was protected by IPSec.
Windows versions of Splunk Enterprise and the universal forwarder support local collection of network information.
The network monitor input runs as a process called splunk-netmon.exe. This process runs once for every input you define, at the interval you choose in the input. You can configure network monitoring using either Splunk Web or the inputs.conf configuration file.
Windows network monitoring is only available on 64-bit Windows systems. It does not function on 32-bit Windows systems.
Monitoring network information
Windows network monitoring gives you detailed information about your Windows network activity. You can monitor all transactions on the network, such as the initiation of a network connection by a user or process or whether or not the transaction uses the IPv4 or IPv6 address families. The network monitoring facilities in can help you detect and interrupt an incoming or outgoing denial of service attack by telling you the involved machines. With the Splunk search processing language, you can give your team at-a-glance statistics on all Windows network operations.
Meet the following requirements before you monitor network information:
- Splunk Enterprise or the universal forwarder must run on Windows. See Install on Windows in the Splunk Enterprise Installation Manual.
- The Windows version on the machine must be one of the following:
- Windows 8.1
- Windows 10
- Windows Server 2012 R2
- Windows Server 2016
- Windows Server 2019
- The Windows system must have all available updates and service packs applied. Network monitoring input might not function if all updates are not present on your Windows machine.
- Splunk Enterprise or the universal forwarder must run as the Local System user or a local administrator account to read all local host information.
Security and remote access considerations
The Splunk platform must run as the Local System user to collect Windows network information by default.
Use a universal forwarder to send host information from remote machines to an indexer when possible. If you choose to install forwarders on your remote machines to collect Windows network information, then install the forwarder as the Local System user on these machines. The Local System user has access to all data on the local machine, but not on remote machines.
If you run the Splunk platform as a user other than the Local System user, then that user must have local Administrator rights to the machine and other explicit permissions, as detailed in Choose the Windows user Splunk Enterprise should run as in the Installation manual.
Use the inputs.conf file to configure Windows network monitoring
To define a Windows network monitoring input, use the
[WinNetMon://<name>] stanza in the inputs.conf file. The Splunk platform uses the following settings to configure the Windows network monitor input.
- Using a text editor, create the inputs.conf file in the %SPLUNK_HOME%\etc\system\local directory on the instance where you want to collect Windows network information.
- Add a
[WinNetMon://<name>]stanza to the file.
- Specify one or more of the settings in the table following this task, based on how you want to configure monitoring of the Windows network.
- Save the file and close it.
- Restart the Splunk platform.
Monitoring of the Windows network begins immediately.
The following table shows the settings you can configure to monitor a Windows network:
|disabled = [0|1]||Whether or not the input runs. Set to 1 to disable the input and 0 to enable it.||0 (enabled)|
|index = <string>||The index that this input sends the data to. This attribute is optional.||The default index|
|remoteAddress = <regular expression>||Matches against the remote IP address involved in the network transaction. Accepts regular expressions that represent IP addresses only, not host names. Filters out events with remote addresses that do not match the regular expression. Passes through events with remote addresses that match the regular expression.
For example: 192\.163\..* matches all IP addresses in the 192.163.x.x range.
|Empty string (matches everything)|
|process = <regular expression>||Matches against the process or application name which performed the network access. Filters out events generated by processes that do not match the regular expression. Passes through events generated by processes that match the regular expression.||Empty string (matches all processes or applications)|
|user = <regular expression>||Matches against the user name which performed the network access. Filters out events generated by users that do not match the regular expression. Passes through events generated by users that match the regular expression.||Empty string (includes access by all users)|
|addressFamily = [ipv4;ipv6]||If set, matches against the address family used in the network access. Accepts semicolon-separated values, for example
||Empty string (includes all IP traffic)|
|packetType = [connect;accept;transport]||Matches against the packet type used in the transaction. Accepts semicolon-separated values, for example
||Empty string (includes all packet types)|
|direction = [inbound;outbound]||If set, matches against the general direction of the network traffic. Inbound means traffic coming into the monitoring machine, and outbound means traffic leaving the monitoring machine. Accepts semicolon-separated values, for example
||Empty string (includes both directions)|
|protocol = [tcp;udp]||Matches against the specified network protocol.
Accepts semicolon-separated values, for example
|Empty string (includes both protocol types.)|
|readInterval = <integer>||Advanced option. Use the default value unless there is a problem with input performance.
How often, in milliseconds, to read the network monitor filter driver. Allows for the adjustment of call frequency into the kernel driver. Higher frequencies might affect network performance, while lower frequencies can cause event loss. The minimum legal value is 10 and the maximum legal value is 1000.
|driverBufferSize = <integer>||Advanced option. Use the default value unless there is a problem with input performance.
The number of network packets it keeps in the network monitor filter driver buffer. Controls the amount of packets that the driver caches. Lower values might result in event loss, while higher values might increase the size of non-paged memory. The minimum legal value is 128 and the maximum legal value is 8192.
|mode = <string>||How to output each event. The Splunk platform can output each event in either
|multikvMaxEventCount = <integer>||Advanced option. Use the default value unless there is a problem with input performance.
The maximum amount of events to output when you set
|multikvMaxTimeMs = <integer>||Advanced option. Use the default value unless there is a problem with input performance.
The maximum amount of time, in milliseconds, to output mulitkv events when you set
Use Splunk Web to configure host monitoring
You can only use Splunk Web to monitor Windows network information on a Splunk platform instance. In any other scenario, you must configure host monitoring with a configuration file.
Follow these high-level steps to configure host monitoring with Splunk Web:
- Go to the Add Data page.
- Select the input source.
- Specify input settings.
- Review your choices.
Go to the Add Data page
Choose one of the following options to get to the Add Data page.
To add data from settings, follow these steps:
- Click Settings in the upper right corner of Splunk Web.
- Click Data Inputs.
- Click Local Windows network monitoring.
- Click New to add an input.
To add data from the Splunk Web homepage, follow these steps:
- Click Add Data.
- Click Monitor to monitor network information from the local Windows machine or Forward to forward network information from another Windows machine.
Forwarding network information requires additional setup.Splunk Web displays the Add Data - Select Source page.
- In the left pane, locate and select Local Windows network monitoring.
Select the input source
- In the Network Monitor Name field, enter a unique and memorable name for this input.
- Under Address family, check the IP address family types that you want the Splunk platform to monitor. The types are either IPv4 or IPv6.
- Under Packet Type, check the packet types you want the input to monitor. You can choose connect, accept, or transport.
- Under Direction, check the network directions that you want the input to monitor. Choose inbound to monitor toward the monitoring host or outbound to monitor away from the host.
- Under Protocol, check the network protocol types that you want the input to monitor. Choose tcp (Transmission Control Protocol) or udp (User Datagram Protocol).
- In the Remote address text field, enter the host name or IP address of a remote host whose network communications with the monitoring host that you want the input to monitor. If you want to monitor multiple hosts, enter a regular expression in this field.
- In the Process text field, enter the partial or full name of a process whose network communications you want the input to monitor. You can monitor multiple processes by entering a regular expression.
- In the User text field, enter the partial or full name of a user whose network communications you want the input to monitor. You can monitor multiple users by entering a regular expression.
- Click Next.
Specify input settings
You can specify application context, default host value, and index on the Input Settings page. All of these parameters are optional.
- Select the appropriate Application context for this input.
- Set the Host name. You have several choices for this setting. Learn more about setting the host value in About hosts.
Host sets only the
hostfield in the resulting events. It does not direct the Splunk platform to look on a specific host on your network.
- Set the Index that the Splunk platform will send data to. Leave the value as default unless you defined multiple indexes to handle different types of events. In addition to indexes for user data, the Splunk platform has a number of utility indexes, which also appear in this drop-down list.
- Click Review.
Review your choices
After specifying all your input settings, review your selections. The Splunk platform lists all options you selected, including the type of monitor, the source, the source type, the application context, and the index.
- Review the settings.
- If they do not match what you want, click the left-pointing angle bracket (<) to go back to the previous step in the wizard. Otherwise, click Submit.
The success page loads, and the Splunk platform begins indexing the specified print information.
Fields for Windows network monitoring data
Monitor Windows printer information
Share HEC Data
This documentation applies to the following versions of Splunk Cloud Platform™: 8.0.2006, 8.0.2007, 8.1.2009, 8.1.2011, 8.1.2012, 8.1.2101, 8.1.2103, 8.2.2104, 8.2.2105, 8.2.2106, 8.2.2107 (latest FedRAMP release), 8.2.2109, 8.2.2111