Monitor Windows data with the Splunk platform
You can bring any kind of Windows data into the Splunk platform. For example, you can index an Event Log channel, the Registry, or Active Directory. You also have available the standard set of Splunk inputs, such as files and directories, network monitoring inputs, and scripted inputs.
With Splunk Cloud Platform, as with many other input types, you must use either a universal or heavy forwarder that runs on Windows to collect data and send it to your Splunk Cloud Platform instance. Splunk Enterprise comes with installers for several versions of Windows and Windows Server. If you run Splunk Enterprise, you can install it or the universal forwarder on your Windows machines directly.
The following specialized inputs are available only on Windows installations:
Input | Description | Documentation |
---|---|---|
Windows Event Logs | Monitor events that the Windows Event Log service generates on any available event log channel on the machine. You can collect events on the local Windows machine or remotely by using either a universal forwarder or Windows Management Instrumentation (WMI). | Monitor Windows event log data with Splunk Cloud |
Performance monitoring | Collect performance data on Windows machines with Splunk Cloud Platform and then alert or report on that data. Any performance counter that is available in Performance Monitor is also available to Splunk Cloud Platform. You can monitor performance locally or remotely through a universal forwarder, or by using WMI. | Monitor Windows performance |
Remote monitoring over WMI | Splunk Cloud Platform can use WMI through a universal forwarder to access event log and performance data on remote machines. | Monitor data through Windows Management Instrumentation (WMI) |
Registry monitoring | You can monitor changes to the local Windows Registry using the Registry monitoring capability. You can use a universal forwarder to gather Registry data from Windows machines and send the data to Splunk Cloud Platform. | Monitor Windows Registry data |
Active Directory monitoring | Splunk Cloud Platform can audit any changes to the Active Directory, including changes to user, group, machine, and group policy objects. You can forward Active Directory data to another Splunk Enterprise server. | Monitor Active Directory |
Forwarding Windows data to Splunk Cloud Platform
A Splunk Cloud Platform deployment that monitors Windows data consists of the following components:
- The Splunk Cloud Platform instance, where you see the Windows data.
- Universal forwarders on every Windows machine from which you want to collect Windows data.
Depending on the size of your Windows network, you might want to set up a tier of intermediate forwarders to aggregate and send the data to your Splunk Cloud Platform instance. If you want to transform this data in any way before you index it, you must use at least one Splunk Enterprise heavy forwarder to perform the transformations.
The universal forwarders on the Windows instances collect the Windows data. They then send the data to Splunk Cloud Platform using the Splunk Cloud Platform universal forwarder credentials package, which handles connecting and authenticating into the instance. If you set up an intermediate forwarder, this forwarder also uses the same credentials package to connect to and authenticate in Splunk Cloud Platform.
The Splunk Cloud Platform instance indexes the data and makes it available for you to search. You can install the Splunk App for Windows Infrastructure to view the Windows data in prebuilt dashboards and reports.
The universal forwarder must run as a user with access to the particular Windows data you want to collect. See Install a Windows universal forwarder for information on determining this Windows user.
Forwarding Windows data to Splunk Enterprise
Similar to forwarding Windows data to Splunk Cloud Platform, a Splunk Enterprise deployment that monitors Windows data consists of the Splunk Enterprise installation and, optionally, forwarders on every Windows machine from which you want to collect Windows data. Unlike a Splunk Cloud Platform deployment, Splunk Enterprise can exist on the same Windows machine.
If you want to forward Windows data from another Windows machine you can use a universal forwarder, like you can and must with a Splunk Cloud Platform deployment.
Considerations for installing Splunk Enterprise on Windows machines
When you install and deploy Splunk Enterprise on Windows, consider the following:
Consideration | Description |
---|---|
Authentication | To perform any operations on remote Windows machines in your network, Splunk Enterprise must run as a user with credentials to access those machines. Make these credentials available before deploying. See Considerations for deciding how to monitor remote Windows data. |
Disk bandwidth | Splunk Enterprise indexers require lots of disk I/O bandwidth, particularly when indexing large amounts of data. Make sure that you configure any installed antivirus software to avoid monitoring Splunk Enterprise directories or processes, because such scans significantly reduce performance. |
Shared hosts | Before you install Splunk Enterprise on a host that runs other services, such as Exchange, SQL Server, or a hypervisor, see Introduction to capacity planning for Splunk Enterprise in the Capacity Planning manual. |
Send SNMP events to your Splunk deployment | How to get Windows data into your Splunk deployment |
This documentation applies to the following versions of Splunk Cloud Platform™: 9.3.2408, 8.2.2202, 9.0.2205, 9.0.2208, 8.2.2112, 8.2.2201, 8.2.2203, 9.0.2209, 9.0.2303, 9.0.2305, 9.1.2308, 9.1.2312, 9.2.2403, 9.2.2406 (latest FedRAMP release)
Feedback submitted, thanks!