Splunk® Add-on for Windows

Deploy and Use the Splunk Add-on for Windows

This documentation does not apply to the most recent version of Splunk® Add-on for Windows. For documentation on the most recent version, go to the latest release.

Configure the Splunk Add-on for Windows

You can enable or disable the inputs that come with the Splunk Add-on for Windows with configuration files.

Configure the add-on with configuration files

The Splunk Add-on for Windows must be configured with configuration files. You can configure the add-on manually or push a configuration with a deployment server.

The default configuration files for the Splunk Add-on for Windows reside in %SPLUNK_HOME%\etc\apps\Splunk_TA_windows\default. Do not edit the files in this directory because Splunk overwrites them whenever you upgrade the add-on. Create configuration files in the $SPLUNK_HOME%\etc\apps\Splunk_TA_windows\local directory and make your edits there.

To edit files, use a text editor such as Notepad (on Windows) or vi (on *nix). Only modify input stanzas whose defaults you want to change. If you do not edit any files, the add-on does not collect any Windows data.

For more information about configuration files, see About configuration files in the Splunk Enterprise Admin Manual.

Configure inputs.conf

Before the Splunk Add-on for Windows can collect data, you must configure inputs.conf and change the disabled attribute for the stanzas you want to enable to 0.

The [admon] input should only be enabled on one domain controller in a single domain. The [admon] input directly queries the Active Directory domain controllers. Enabling this input on multiple Splunk instances can disrupt your Active Directory servers and eventually make them unresponsive, preventing users from accessing needed services.

  1. If %SPLUNK_HOME%\etc\apps\Splunk_TA_Windows\local\inputs.conf does not exist, create it.
  2. Using a text editor, open the inputs.conf in local for editing.
  3. Enable the inputs that you want the add-on to collect data for by setting the disabled attribute for those input stanzas to 0.
  4. Save the file and close it.
  5. Copy the contents of the Splunk_TA_windows directory to %SPLUNK_HOME%\etc\apps on other forwarders or use a deployment server and Forwarder Management to distribute the add-on to other forwarders in your deployment.

Configure the add-on to render Windows Event Log events in XML

You can configure the Splunk Add-on for Windows to render Windows Event Log events in eXtensible Markup Language (XML) format. This feature only works on Windows Server 2008 R2 and later operating systems.

To enable XML Event Log events,

  1. If %SPLUNK_HOME%\etc\apps\Splunk_TA_Windows\local\inputs.conf does not already exist, create it.
  2. Using a text editor, open both %SPLUNK_HOME%\etc\apps\Splunk_TA_Windows\local\inputs.conf and %SPLUNK_HOME%\etc\apps\Splunk_TA_Windows\default\inputs.conf for editing.
  3. Copy the Event Log monitoring stanzas whose defaults you want to change from %SPLUNK_HOME%\etc\apps\Splunk_TA_Windows\default\inputs.conf to %SPLUNK_HOME%\etc\apps\Splunk_TA_Windows\local\inputs.conf.
  4. Add the following line to Event Log monitoring stanzas that you want to generate XML Event Log events:
    renderXml = 1

    For example, if you want the Security Event Log channel to render events in XML, the Security Event Log stanza should look like this:

    [WinEventLog://Security]
    index=security
    current_only=1
    evt_resolve_ad_obj=0
    renderXml=1
    disabled=0
    
  5. Save the %SPLUNK_HOME%\etc\apps\Splunk_TA_Windows\local\inputs.conf file and close it.
  6. Deploy the add-on manually by copying the entire contents of the Splunk_TA_windows folder to %SPLUNK_HOME%\etc\apps on other Splunk Enterprise Instances, or use Forwarder Management to distribute the add-on to all forwarders in your deployment.
Last modified on 23 February, 2018
Deploy the Splunk Add-on for Windows with Forwarder Management   Use the Splunk Add-on for Windows

This documentation applies to the following versions of Splunk® Add-on for Windows: 4.7.0, 4.7.1, 4.7.2, 4.7.3, 4.7.4, 4.7.5, 4.8.0, 4.8.1, 4.8.2, 4.8.3, 4.8.4


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters