Blog

  • Home
  • SPLUNK
  • Monitor Windows Event Log Data – Splunk

Monitor Windows Event Log Data – Splunk

  • (5.0)
  • | 3403 Ratings

Here, let us look at the ways to add Windows logs to Splunk from a local machine. We will see how to collect host information, such as CPU and memory usage.

Windows inputs

Splunk can accept data from a variety of Windows sources:

  • Windows Event Logs – Splunk can monitor logs generated by the Windows event log service on a local or remote Windows machine.
  • Remote monitoring over WMI – Splunk can use WMI to access log and performance data on remote machines. WMI (Windows Management Instrumentation) allows management information to be shared between management applications.
  • Registry monitoring – Splunk can monitor changes to the local Windows Registry using the Registry monitoring capability. You can also use a universal forwarder to gather Registry data from remote Windows machines.
  • Active Directory monitoring – Splunk can audit any modifications to Active Directory, including changes to users, group, machine, and group policy objects.

The most efficient way to gather data from any remote Windows machine is to install Universal Forwarders on the remote hosts. A universal forwarder is a dedicated, lightweight version of Splunk that contains only the essential components needed to send data.

Collect event logs from a local Windows Machine

You probably know that Windows record significant events on your computer (such as when a user logs on or when a program encounters an error). These logs are maintained by the Event Log Service and can be displayed using Event Viewer:

Event Viewer

Splunk can monitor and collect logs generated by the Windows Event Log Service on a local or remote Windows machine.

NOTE – To read local event logs, Splunk must run as the Local System user.

Learn how to use Splunk, from beginner basics to advanced techniques, with online video tutorials taught by industry experts. Enroll for Free Splunk TrainingDemo!

Here are the steps to configure event log monitoring on a local machine:

Go to Settings > Data inputs:

configure event log
 

Click Local event log collection:

Local event log collection
In the Available log(s) list box, choose the Event Log channels, you want this input to monitor. We have selected Application, Security and System logs. You also need to choose the index that will store the data:

Event Log channels
 

And that’s it! We can now search the Event logs from the local machine:

Event logs
 

Collect performance counters

All performance counters that are available in the Windows Performance Monitor are also available in Splunk. You can collect performance data from both the local and remote hosts. Splunk allows you to analyse the collected data and ensure that your systems are running without a downtime.

NOTE – To be able to collect performance data on a local host, Splunk must run as the Local System user. If you want to collect performance data from a remote Windows host, Splunk must run as a domain or remote user with at least read access to WMI on the remote computer.

Here are the steps to collect performance data from a local Windows machine:

Go to Settings > Data inputs:

Data inputs
 

Click Local performance monitoring:

Local performance monitoring
Click New to create a new configuration:

new configuration
 

Enter the name of the collection under the Collection name field. Under the Available objects field, click Select Object and choose the object that you want to monitor. This will open up two boxes: Select Counters and Select Instances. Note that you can select only one performance object per data input. We’ve selected the Processor performance object:

Processor performance object
 

In the Select Counters list box, select the performance counters, you want this input to monitor. In the Select Instances list box, select the instances that you want this input to monitor. The instance called _Total represents the total processor time used on all processors. In the Polling interval field, enter the time, in seconds, between polling attempts for the input:

Polling interval field
 

Next, you can select the App Context for this input, the host name value, and the index in which the data will be stored:

App Context
 

Review your selections and click Submit:

Submission window
 

And that’s it! We can now search the performance logs we’ve collected:

performance logs
 

                       Check Out Splunk Tutorials

Collect Windows host information

Splunk enables you to collect detailed statistics about the local and remote Windows machines. You can collect information such as the computer hostname, the operating system version and build numbers, the CPU installed on the system, disk space, installed services, running processes…

NOTE – To collect host information, Splunk must run as the Local System user or a local administrator account. On remote Windows machines, you can use a universal forwarder to send host information to an indexer.

Here is how you can collect information about a local Windows machine:

Go to Settings > Data inputs:

Data inputs
 

Click Local Windows host monitoring:

Local Windows host monitoring
 

Click New to add an input:

windows host monitor
 

In the Collection name field, enter the name for this input. In the Event types list box, select the host monitoring event types you would like to monitor. In the Interval field, enter the time, in seconds, between polling attempts for the input:

collection name window
 

Next, you can select the App Context for this input, the host name value, and the index in which the data will be stored

app context window
Review the information and click Submit:

app data window
And that’s it! We can now search the host information which we’ve collected:

host information window

Explore Splunk Sample Resumes! Download & Edit, Get Noticed by Top Employers!Download Now!


Subscribe For Free Demo

Free Demo for Corporate & Online Trainings.

Madhuri
About The Author

Madhuri is a Senior Content Creator at MindMajix. She has written about a range of different topics on various technologies, which include, Splunk, Tensorflow, Selenium, and CEH. She most of her time researching on technology, and startups. Connect with her via LinkedIn and Twitter .


DMCA.com Protection Status

Close
Close