Mindmajix

Monitor Windows Event Log Data-Splunk

This article looks at how to add Windows logs to Splunk from a local machine, and at how to collect performance data and host information, such as CPU and memory usage, from that machine.

Windows inputs

Splunk can accept data from a variety of Windows sources:

  • Windows Event Logs – Splunk can monitor logs generated by the Windows event log service on a local or remote Windows machine.
  • Remote monitoring over WMI – Splunk can use WMI to access log and performance data on remote machines. WMI (Windows Management Instrumentation) allows management information to be shared between management applications.
  • Registry monitoring – Splunk can monitor changes to the local Windows Registry using the Registry monitoring capability. You can also use a universal forwarder to gather Registry data from remote Windows machines.
  • Active Directory monitoring – Splunk can audit modifications to Active Directory, including changes to user, group, machine and group policy objects.

The most efficient way to gather data from any remote Windows machine is to install universal forwarders on the remote hosts. A universal forwarder is a dedicated, lightweight version of Splunk that contains only the essential components needed to send data.

Collect event logs from a local Windows Machine

Windows records significant events on your computer (for example, when a user logs on or when a program encounters an error). These logs are maintained by the Event Log Service and can be viewed in Event Viewer.

Splunk can monitor and collect logs generated by the Windows Event Log Service on a local or remote Windows machine.

NOTE – To read local event logs, Splunk must run as the Local System user, or as an account that has been granted read access to the selected channels (membership in the local Event Log Readers group is the usual way to grant this; the Security log in particular is not readable by an ordinary user).

Here are the steps to configure event log monitoring on a local machine:

Go to Settings > Data inputs.

Click Local event log collection.

In the Available log(s) list box, choose the Event Log channels you want this input to monitor. We have selected the Application, Security and System logs. You also need to choose the index that will store the data.

And that's it. The event logs from the local machine can now be searched, for example with index=<your index> source="WinEventLog:Security" to see only the Security channel.
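The wizard above writes one stanza per channel into inputs.conf behind the scenes. The following PowerShell script, added here as an example and not taken from the Mindmajix page or from Splunk, checks the two things that most often leave this input silently empty (the account the Splunk service runs as, and whether that account can actually read each channel) and then prints the equivalent stanzas. The service name Splunkd, the index name windows and the channel list are assumptions; change the parameters to match your deployment.

```powershell
# Added example (not from the Mindmajix page or from Splunk): pre-flight
# checks for the "Local event log collection" input configured above, plus
# the inputs.conf stanzas that are the file-based equivalent of the wizard.
# Assumptions (parameters below): Splunk Enterprise runs as the Windows
# service "Splunkd" (a universal forwarder uses "SplunkForwarder"), the
# channels are those picked in the UI, and the target index is "windows".
param(
    [string]$ServiceName = 'Splunkd',
    [string[]]$Channels  = @('Application', 'Security', 'System'),
    [string]$Index       = 'windows'
)

# 1. Which account does the Splunk service run as?  Local System can read
#    every channel; any other account must be granted read rights, and the
#    local "Event Log Readers" group is the standard way to do that.
$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' is not installed on this host" }
"$ServiceName runs as: $($svc.StartName)"

if ($svc.StartName -ne 'LocalSystem') {
    # StartName uses ".\user" for local accounts; group members are "HOST\user".
    $acct    = $svc.StartName -replace '^\.\\', "$env:COMPUTERNAME\"
    $readers = Get-LocalGroupMember -Group 'Event Log Readers' -ErrorAction SilentlyContinue
    if (-not ($readers | Where-Object { $_.Name -eq $acct })) {
        Write-Warning "$acct is not in 'Event Log Readers'; reads of the Security channel will fail"
    }
}

# 2. Does each selected channel exist, and can this session read it?
#    Run this elevated, or as the service account, for a meaningful answer.
foreach ($ch in $Channels) {
    try {
        $log  = Get-WinEvent -ListLog $ch -ErrorAction Stop
        $last = Get-WinEvent -LogName $ch -MaxEvents 1 -ErrorAction Stop
        "{0,-12} enabled={1} records={2} newest={3}" -f $ch, $log.IsEnabled, $log.RecordCount, $last.TimeCreated
    } catch {
        Write-Warning "Cannot read channel '$ch': $($_.Exception.Message)"
    }
}

# 3. File-based equivalent of the wizard, one stanza per channel.  Placed in
#    an app's local\inputs.conf (or etc\system\local\inputs.conf) it creates
#    the same input, and can be pushed to many hosts by a deployment server.
$stanzas = foreach ($ch in $Channels) {
@"
[WinEventLog://$ch]
disabled = 0
index = $Index
start_from = oldest
current_only = 0
checkpointInterval = 5
renderXml = false
"@
}
$stanzas -join "`n"
```

Run it in an elevated PowerShell session on the Splunk host. If the service account is not Local System, add it to Event Log Readers rather than making it a local administrator. Edits to inputs.conf take effect after the Splunkd service is restarted (Restart-Service Splunkd). The Security channel is by far the noisiest of the three; on busy hosts, add a whitelist line with the event IDs you actually use (for example whitelist = 4624,4625 for logon success and failure) instead of indexing everything.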

Collect performance counters

All performance counters that are available in Windows Performance Monitor are also available in Splunk. You can collect performance data from both local and remote hosts, and analyse it in Splunk to make sure your systems keep running without downtime.

NOTE – To be able to collect performance data on a local host, Splunk must run as the Local System user. If you want to collect performance data from a remote Windows host, Splunk must run as a domain or remote user with at least read access to WMI on the remote computer.

Here are the steps to collect performance data from a local Windows machine:

Go to Settings > Data inputs.

Click Local performance monitoring.

Click New to create a new configuration.

Enter the name of the collection in the Collection name field. Under Available objects, click Select Object and choose the object that you want to monitor. This opens two further boxes, Select Counters and Select Instances. Note that you can select only one performance object per data input. We have selected the Processor performance object.

In the Select Counters list box, select the performance counters you want this input to monitor. In the Select Instances list box, select the instances you want this input to monitor; the instance called _Total is the aggregate over all processors. In the Polling interval field, enter the time, in seconds, between polling attempts for the input.

Next, you can select the App Context for this input, the host name value, and the index in which the data will be stored.

Review your selections and click Submit.

And that's it. The performance data we have collected can now be searched.
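The counters and instances offered by the wizard come straight from Performance Monitor, so the same data can be inspected, and the input validated, from PowerShell before anything is indexed. The script below is an added example, not code from the Mindmajix page or from Splunk: it lists what the chosen object exposes, checks that the selected counter and instance names exist, takes a few samples so the values can be eyeballed, and prints the inputs.conf stanza equivalent to the wizard. The collection name CPU Load, the index name perfmon, the 10-second interval and the counter list are assumptions.

```powershell
# Added example (not from the Mindmajix page or from Splunk): check that the
# counters and instances picked in the "Local performance monitoring" wizard
# exist, sample them so the values can be eyeballed, and emit the inputs.conf
# stanza the wizard writes.  Assumptions (parameters below): collection name
# "CPU Load", index "perfmon", 10-second polling, Processor object with the
# _Total instance as selected above.
param(
    [string]$Object      = 'Processor',
    [string[]]$Counters  = @('% Processor Time', '% User Time', '% Privileged Time'),
    [string[]]$Instances = @('_Total'),
    [int]$Interval       = 10,
    [string]$Name        = 'CPU Load',
    [string]$Index       = 'perfmon'
)

# 1. What Performance Monitor knows about this object: this is the same
#    list the "Select Counters" and "Select Instances" boxes are built from.
$set = Get-Counter -ListSet $Object
$instanceNames = $set.PathsWithInstances |
    ForEach-Object { if ($_ -match '\((.+?)\)') { $Matches[1] } } |
    Sort-Object -Unique
"Object '$($set.CounterSetName)': $($set.Counter.Count) counters; instances: $($instanceNames -join ', ')"

# Counter and instance names in inputs.conf are free text, so validate
# them against the live counter set before writing the stanza.
$available = $set.Counter | ForEach-Object { ($_ -split '\\')[-1] }
foreach ($c in $Counters) {
    if ($available -notcontains $c) { throw "Counter '$c' does not exist under object '$Object'" }
}
if ($instanceNames) {
    foreach ($i in $Instances) {
        if ($instanceNames -notcontains $i) { throw "Instance '$i' does not exist under object '$Object'" }
    }
}

# 2. Sample what Splunk will see: three 1-second samples per counter path.
#    CookedValue is the number that ends up in the indexed event.
$paths = foreach ($i in $Instances) { foreach ($c in $Counters) { "\$($Object)($($i))\$($c)" } }
$samples = Get-Counter -Counter $paths -SampleInterval 1 -MaxSamples 3
foreach ($s in $samples) {
    foreach ($v in $s.CounterSamples) {
        "{0:HH:mm:ss} {1,-55} {2,8:N2}" -f $s.Timestamp, $v.Path, $v.CookedValue
    }
}

# 3. inputs.conf equivalent of the wizard.  Counters and instances are
#    semicolon-separated; "instances = *" would collect every instance
#    (each core plus _Total) and multiply the event volume accordingly.
@"
[perfmon://$Name]
object = $Object
counters = $($Counters -join '; ')
instances = $($Instances -join '; ')
interval = $Interval
index = $Index
disabled = 0
"@
```

The instance choice is where volume gets out of hand: _Total gives one event per counter per poll, whereas selecting every instance on a many-core host gives one per core per counter per poll, so pick _Total unless you genuinely need per-core figures. Restart the Splunkd service after adding the stanza to inputs.conf.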

Collect Windows host information

Splunk enables you to collect detailed statistics about local and remote Windows machines: the computer hostname, the operating system version and build number, the CPU installed in the system, disk space, installed services, running processes, and so on.

NOTE – To collect host information, Splunk must run as the Local System user or a local administrator account. On remote Windows machines, you can use a universal forwarder to send host information to an indexer.

Here is how you can collect information about a local Windows machine:

Go to Settings > Data inputs.

Click Local Windows host monitoring, then click New to add an input.

In the Collection name field, enter a name for this input. In the Event types list box, select the host monitoring event types you would like to collect. In the Interval field, enter the time, in seconds, between polling attempts for the input.

Next, you can select the App Context for this input, the host name value, and the index in which the data will be stored.

Review the information and click Submit.

And that's it. The host information we have collected can now be searched.
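The host monitoring input reads the same inventory data Windows exposes through WMI/CIM, which is also why the NOTE above requires Local System or a local administrator. The script below is an added example and not code from the Mindmajix page or from Splunk: it queries the CIM classes behind each selected event type (that mapping is this example's own approximation, not Splunk's documented internals), prints the facts the page lists so an access problem shows up before the input is created, and emits the equivalent inputs.conf stanza. The input name host, the index name windows, the 600-second interval and the event-type list are assumptions.

```powershell
# Added example (not from the Mindmajix page or from Splunk): the
# "Local Windows host monitoring" input draws on the same data Windows exposes
# through WMI/CIM, so querying those classes as the Splunk service account is
# a cheap way to confirm the input will have something to report; the script
# then emits the inputs.conf stanza equivalent to the wizard.  Assumptions
# (parameters below): input name "host", index "windows", 600-second interval,
# and the event types in $Types.  The type-to-CIM-class map is this example's
# own approximation, not Splunk's documented internals.
param(
    [string[]]$Types = @('Computer', 'OperatingSystem', 'Processor', 'Disk', 'Service', 'Process'),
    [int]$Interval   = 600,
    [string]$Name    = 'host',
    [string]$Index   = 'windows'
)

$classes = @{
    Computer        = 'Win32_ComputerSystem'
    OperatingSystem = 'Win32_OperatingSystem'
    Processor       = 'Win32_Processor'
    Disk            = 'Win32_LogicalDisk'
    Service         = 'Win32_Service'
    Process         = 'Win32_Process'
    NetworkAdapter  = 'Win32_NetworkAdapter'
    Driver          = 'Win32_SystemDriver'
}

# 1. One CIM query per selected event type.  An access-denied here means the
#    service account cannot read WMI either, and the input would stay empty.
foreach ($t in $Types) {
    if (-not $classes.ContainsKey($t)) { Write-Warning "No CIM check defined for type '$t'"; continue }
    try {
        $rows = @(Get-CimInstance -ClassName $classes[$t] -ErrorAction Stop)
        "{0,-16} {1,-24} {2,5} instance(s)" -f $t, $classes[$t], $rows.Count
    } catch {
        Write-Warning "Query for $t ($($classes[$t])) failed: $($_.Exception.Message)"
    }
}

# 2. The specific facts the page lists (hostname, OS version and build, CPU,
#    disk space), as the host monitoring input would report them.
$os  = Get-CimInstance Win32_OperatingSystem
$cpu = Get-CimInstance Win32_Processor | Select-Object -First 1
"{0}: {1} build {2}; {3}, {4} logical CPUs" -f $env:COMPUTERNAME, $os.Caption, $os.BuildNumber, $cpu.Name, $cpu.NumberOfLogicalProcessors
Get-CimInstance Win32_LogicalDisk -Filter 'DriveType=3' |
    ForEach-Object { "{0} {1:N1} GB free of {2:N1} GB" -f $_.DeviceID, ($_.FreeSpace / 1GB), ($_.Size / 1GB) }

# 3. inputs.conf equivalent of the wizard; "type" is a semicolon-separated
#    list of event types and "interval" is in seconds, as in the UI.
@"
[WinHostMon://$Name]
type = $($Types -join ';')
interval = $Interval
index = $Index
disabled = 0
"@
```

Host inventory changes slowly, so an interval of minutes rather than seconds is appropriate; the Process and Service types are the ones that grow with the interval, since every running process or installed service becomes an event on each poll. Run the script as the same account the Splunk service uses, otherwise a passing check says nothing about what splunkd will be able to read.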

