Monitor Windows host information
You can monitor detailed statistics about your local Windows machine with the Splunk platform.
If you use Splunk Cloud, you must collect Windows host information with a forwarder and send it to your Splunk Cloud deployment. Follow these high-level steps:
- Install the universal forwarder on the Windows machine that you want to collect the host information.
- Install the app to connect the universal forwarder to the Splunk Cloud instance.
- Configure the forwarder to collect the Windows host information.
Both full instances of Splunk Enterprise and universal forwarders support direct, local collection of host information. On these instance types, the Windows host monitor input runs as a process called
splunk-winhostmon.exe. This process runs once for every Windows host monitoring input that you define at the interval that you specify in the input. On Splunk Enterprise, you can configure host monitoring using Splunk Web, and on the universal forwarder you can configure the inputs using the inputs.conf configuration file.
Why monitor host information?
You can monitor hosts to get detailed information about your Windows machines. You can monitor changes to the system, such as installation and removal of software, the starting and stopping of services, and uptime. When a system failure occurs, you can use Windows host monitoring information as a first step into the forensic process. With the Splunk Search Processing Language, you can give your team statistics on all machines in your Windows network.
The Splunk platform can collect the following information about a Windows machine:
- General computer
- The make and model of the computer, its host name, and the Active Directory domain it is in.
- Operating system
- The version and build number of the operating system and service packs installed on the computer, the computer name, the last time it started, the amount of installed and free memory, and the system drive.
- The make and model of the CPUs installed in the system, their speed and version, the number of processors and cores, and the processor ID.
- A list of all drives available to the system and, if available, their file system type and total and available space.
- Network adapter
- Information about the installed network adapters in the system, including manufacturer, product name, and MAC address.
- Information about the installed services on the system, including name, display name, description, path, service type, start mode, state, and status.
- Information on the running processes on the system, including the name, the command line with arguments), when they were started, and the executable path.
To monitor host information, you must fulfill the following requirements:
- Splunk Cloud must receive Windows host information from a forwarder.
- The forwarder must run on Windows. See Install on Windows in the Installation Manual.
- To read all Windows host information locally, the forwarder must run as the Local System Windows user or a local administrator user.
Security and remote access considerations
The universal forwarder must run as the Local System user to collect Windows host information by default.
Where possible, use a universal forwarder to send Windows host information from remote machines to Splunk Cloud or a Splunk Enterprise indexer. You must use a universal forwarder to send Windows host information to Splunk Cloud. Review the Forwarder Manual for information about how to install, configure, and use the universal forwarder to collect Windows host data.
If you choose to install forwarders on your remote machines to collect Windows host data, then you can install the forwarder as the Local System user on these machines. The Local System user has access to all data on the local machine, but not on remote machines.
If you run Splunk Enterprise or the universal forwarder as a user other than the Local System user, then that user must have local administrator rights and other permissions on the machine that you want to collect host data. See Choose the Windows user Splunk Enterprise should run as in the Installation Manual.
Use the inputs.conf configuration file to configure host monitoring
To collect Windows host information on your Splunk Cloud instance, you must configure a universal forwarder on the Windows machine that you want to collect host information. Then, you can send the data to Splunk Cloud.
You can edit inputs.conf to configure host monitoring. For more information on how to edit configuration files, see About configuration files in the Admin Manual.
You can also configure this file directly on a Splunk Enterprise instance.
To configure host monitoring on inputs.conf, follow these steps:
- On the machine that you want to collect Windows host information, install a universal forwarder.
- Download and install the Splunk Cloud universal forwarder credentials package on the forwarder.
- On the forwarder, use a text editor to create an inputs.conf configuration file in %SPLUNK_HOME%\etc\system\local and open it for editing.
- In the same text editor, open %SPLUNK_HOME%\etc\system\default\inputs.conf and review it for the Windows event log inputs you want to enable.
- Copy the Windows event log input stanzas you want to enable from %SPLUNK_HOME%\etc\system\default\inputs.conf.
- Paste the stanzas you copied into the %SPLUNK_HOME%\etc\system\local\inputs.conf file.
- Make edits to the stanzas that you copied to the %SPLUNK_HOME%\etc\system\local\inputs.conf file to collect the Windows event log data you want.
- Save the %SPLUNK_HOME%\etc\system\local\inputs.conf file and close it.
- Restart the universal forwarder.
Windows host monitor configuration values
Splunk Enterprise and the universal forwarder use the following settings in the inputs.conf configuration file to monitor Windows host information.
||Yes||How often, in seconds, to poll for new data. If you set the interval to a negative number, the Splunk platform runs the input one time. If you do not define this setting, the input does not run, as there is no default.|
||Yes||The type of host information to monitor. Can be one of |
||No||Whether or not to run the input. If you set this setting to |
For examples, see Examples of Windows host monitoring configurations later in this topic.
Use Splunk Web to configure host monitoring
You can configure Windows host information on Splunk Web in Splunk Enterprise only. Follow these high-level steps to configure host monitoring through Splunk Web:
- Go to the Add Data page
- Select the input source
- (Optional) Specify input settings
- Review your choices
Go to the Add Data page
Follow these steps to get to the Add Data page from Settings:
- Click Settings > Data Inputs.
- Click Files & Directories.
- Click New Local File & Directory to add an input.
Follow these steps to get to the Add Data page from your Splunk Enterprise home page:
- Click Add Data on the page.
- Click Monitor to monitor host information from the local Windows machine.
Select the input source
- In the left pane, locate and select Local Windows host monitoring.
- In the Collection Name field, enter a unique, memorable name for this input.
- In the Event Types box, locate the host monitoring event types you want this input to monitor.
- Click once on each type you want to monitor.
Splunk Enterprise moves the type from the Available type(s) window to the Selected type(s) window.
- To deselect a type, click its name in the Selected type(s) window.
Splunk Enterprise moves the counter from the Selected type(s) window to the Available type(s) window.
- (Optional) To select or deselect all of the types, click the add all or remove all links.
Selecting all of the types can index of a lot of data and might exceed the data limits of your license.
- In the Interval field, enter the time, in seconds, between polling attempts for the input.
- Click Next.
Specify input settings
Go to the Input Settings page to specify the application context, default host value, and index. All of these parameters are optional.
- Select the appropriate Application context for this input.
- Set the Host name. You have several choices for this setting. For more about setting the host value, see About hosts.
Host sets the host field only in the resulting events. It does not configure Splunk Enterprise to look on a specific host on your network.
- Set the Index to send data to. Leave the value as default, unless you defined multiple indexes to handle different types of events. In addition to indexes for user data, the Splunk platform has multiple utility indexes, which also appear in this dropdown list.
- Click Review.
Review your choices
After specifying all your input settings, review your selections. Splunk Enterprise lists all options you selected, including the type of monitor, the source, the source type, the application context, and the index.
- Review the settings.
- If they do not match what you want, click the left-angle bracket ( < ) to go back to the previous step in the wizard. Otherwise, click Submit.
Splunk Enterprise then loads the Success page and begins indexing the specified host information.
Examples of Windows host monitoring configurations
The following examples of how to configure Windows host monitoring in inputs.conf.
# Queries computer information. [WinHostMon://computer] type = Computer interval = 300 # Queries OS information. # 'interval' set to a negative number tells Splunk Enterprise to # run the input once only. [WinHostMon://os] type = operatingSystem interval = -1 # Queries processor information. [WinHostMon://processor] type = processor interval = -1 # Queries hard disk information. [WinHostMon://disk] type = disk interval = -1 # Queries network adapter information. [WinHostMon://network] type = networkAdapter interval = -1 # Queries service information. # This example runs the input every 5 minutes. [WinHostMon://service] type = service interval = 300 # Queries information on running processes. # This example runs the input every 5 minutes. [WinHostMon://process] type = process interval = 300
Monitor Windows data with PowerShell scripts
Monitor Windows printer information
This documentation applies to the following versions of Splunk Cloud Platform™: 8.2.2109, 8.0.2007, 8.1.2011, 8.0.2006, 8.1.2009, 8.1.2012, 8.1.2101, 8.1.2103, 8.2.2104, 8.2.2105 (latest FedRAMP release), 8.2.2106, 8.2.2107