Monitor Windows printer information
With the Splunk platform, you can monitor statistics about all of the printers and drivers, print jobs, and printer ports on your local Windows machine. You can collect the following print system information:
- Printer. Information on the print subsystem, such as the status of installed printers and when printers get added or deleted.
- Job. Information on print jobs, including who printed what, details on the jobs, and the status of existing jobs.
- Driver. Information on the print driver subsystem, including information on existing print drivers and when a print driver gets added or removed.
- Port. Information on printer ports installed on the system and when they get added or removed.
Both full instances of the Splunk platform and universal forwarders support local collection of printer subsystem information. If you use Splunk Cloud Platform and want to monitor printer subsystem information, use the universal forwarder to ingest the information and forward it to your Splunk Cloud Platform deployment.
The printer monitor input runs as a process called splunk-winprintmon.exe. This process runs once for every input you define at the interval you specify in the input. You can configure printer subsystem monitoring using Splunk Web or the inputs.conf configuration file.
Reasons to monitor printer information
Windows printer monitoring gives you detailed information about your Windows printer subsystem. You can monitor any changes to the system, such as installation and removal of printers, print drivers, and ports, the starting and completion of print jobs, and learn who printed what and when. When a printer failure occurs, you can use print monitoring information as a first step into the forensic process. With the Splunk search processing language, you can give your team at-a-glance statistics on all printers in your Windows network.
Requirements
Meet the following requirements before you monitor host information:
- The Splunk platform must run on Windows. See Install on Windows in the Installation Manual.
- The Splunk platform must run as the Local System user to read all local host information.
Security and remote access considerations
The Splunk platform must run as the Local System user to collect Windows print subsystem information by default.
Use a universal forwarder to send printer information from remote machines to an indexer. If you choose to install forwarders on your remote machines to collect printer subsystem data, then you can install the forwarder as the Local System user on these machines. The Local System user has access to all data on the local machine, but not on remote machines.
If you run the Splunk platform as a user other than the Local System user, then that user must have local Administrator rights to the machine and other permissions as detailed in Choose the Windows user the Splunk platform should run as in the Installation Manual.
Use Splunk Web to configure printer information
Follow these high-level steps to configure printer information on Splunk Web:
- Go to the Add Data page.
- Select the input source.
- Specify input settings.
- Review your choices.
Go to the Add Data page
Choose one of the following methods to get to the Add Data page.
To add data from the Settings drop-down list, follow these steps:
- Click Settings.
- Click Data Inputs.
- Click Local Windows print monitoring.
- Click New to add an input.
To add data from the Splunk Web home page, follow these steps:
- Click Add Data.
- Click Monitor to monitor print information from the local Windows machine.
- In the left pane, locate and select Local Windows print monitoring.
Select the input source
- In the Collection Name field, enter a unique and memorable name for this input.
- In Event Types, locate the print monitoring event types you want this input to monitor.
- Click each type you want to monitor once.
The Splunk platform moves the type from the Available type(s) window to the Selected type(s) window. - To deselect a type, click its name in the Selected type(s) window.
The Splunk platform moves the counter from the Selected type(s) window to the Available type(s) window. - (Optional) To select or deselect all of the types, click Add all or Remove all.
Selecting all of the types can result in the indexing of a lot of data, possibly more than your license allows.
- In the Baseline control, click Yes to run the input as soon as it starts and no further. Click No to run the input at the interval specified in the Interval (in minutes) field.
- Click Next.
Specify input settings
You can specify application context, default host value, and index on the Input Settings page. All of these parameters are optional.
- Select the appropriate Application context for this input.
- Set the Host name. You have several choices for this setting. Learn more about setting the host value in About hosts.
- Set the Index that the Splunk platform will send data to. Leave the value as "default", unless you defined multiple indexes to handle different types of events. In addition to indexes for user data, the Splunk platform has a number of utility indexes, which also appear in this drop-down list.
- Click Review.
Host only sets the host field in the resulting events. It does not direct the Splunk platform to look on a specific host on your network.
Review your choices
After specifying all your input settings, review your selections. The Splunk platform lists all options you selected, including the type of monitor, the source, the source type, the application context, and the index.
- Review the settings.
- If they do not match what you want, click the left-pointing angle bracket (<) to go back to the previous step in the wizard. Otherwise, click Submit.
The Splunk platform loads the Success page and begins indexing the specified print information.
Use the inputs.conf configuration file to configure printer monitoring
You can edit the inputs.conf file to configure printer monitoring. Refer to the print monitoring configuration values and examples later in this topic.
- Open a shell prompt or PowerShell window.
- Change to the %SPLUNK_HOME%\etc\system\local directory.
- Use a text editor to open the inputs.conf file in this directory. You might need to create this file.
- Add
[WinPrintMon]
configuration stanzas, settings, and values to enable Windows print monitoring inputs. - Save the file and close it.
- Restart the Splunk platform.
For information on how to edit configuration files, see About configuration files in the Admin Manual.
Print monitoring configuration values
The Splunk platform uses the following settings in inputs.conf to monitor Windows printer subsystem information:
Attribute | Required? | Description |
---|---|---|
type
|
Yes | The type of host information to monitor. Can be printer , job , driver , or port . The input doesn't run if this variable isn't present.
|
baseline
|
No | Whether or not to generate a baseline of the existing state of the printer, job, driver, or port. If you set this attribute to 1, then the Splunk platform writes a baseline. This might take additional time and CPU resources when the Splunk platform starts.
|
disabled
|
No | Whether or not to run the input. If you set this setting to 1 , then the Splunk platform does not run the input.
|
Examples of Windows printer monitoring configurations
The following examples show how to use the Windows printer monitoring configuration settings in inputs.conf.
# Monitor printers on system. [WinPrintMon://printer] type = printer baseline = 0 # Monitor print jobs. [WinPrintMon://job] type = job baseline = 1 # Monitor printer driver installation and removal. [WinPrintMon://driver] type = driver baseline = 1 # Monitor printer ports. [WinPrintMon://port] type = port baseline = 1
Fields for Windows print monitoring data
When the Splunk platform indexes data from Windows print monitoring inputs, it sets the source for received events to windows
. It sets the source type of the incoming events to WinPrintMon
.
Monitor Windows host information | Monitor Windows network information |
This documentation applies to the following versions of Splunk Cloud Platform™: 8.2.2112, 8.2.2201, 8.2.2202, 8.2.2203, 9.0.2205, 9.0.2208, 9.0.2209, 9.0.2303, 9.0.2305, 9.1.2308, 9.1.2312, 9.2.2403, 9.2.2406 (latest FedRAMP release), 9.3.2408
Feedback submitted, thanks!