Home  >  Blog  >   Splunk

Monitor Windows Event Log Data – Splunk

Rating: 5
  
 
10360

Here, let us look at the ways to add Windows logs to Splunk from a local machine. We will see how to collect host information, such as CPU and memory usage.

Windows inputs

Splunk can accept data from a variety of Windows sources:

  • Windows Event Logs: Splunk can monitor logs generated by the Windows event log service on a local or remote Windows machine.
  • Remote monitoring over WMI: Splunk can use WMI to access log and performance data on remote machines. WMI (Windows Management Instrumentation) allows management information to be shared between management applications.
  • Registry monitoring: Splunk can monitor changes to the local Windows Registry using the Registry monitoring capability. You can also use a universal forwarder to gather Registry data from remote Windows machines.
  • Active Directory monitoring: Splunk can audit any modifications to Active Directory, including changes to users, group, machine, and group policy objects.

The most efficient way to gather data from any remote Windows machine is to install Universal Forwarders on the remote hosts. A universal forwarder is a dedicated, lightweight version of Splunk that contains only the essential components needed to send data.

Collect event logs from a local Windows Machine

You probably know that Windows record significant events on your computer (such as when a user logs on or when a program encounters an error). These logs are maintained by the Event Log Service and can be displayed using the Event Viewer:

Event Viewer

Splunk can monitor and collect logs generated by the Windows Event Log Service on a local or remote Windows machine.

NOTE – To read local event logs, Splunk must run as the Local System user.

Learn how to use Splunk, from beginner basics to advanced techniques, with online video tutorials taught by industry experts. Enroll for Free "Splunk Training" Demo !

MindMajix YouTube Channel

Here are the steps to configure event log monitoring on a local machine:

Go to Settings > Data inputs:

configure event log

 

Click Local event log collection:

Local event log collection

In the Available log(s) list box, choose the Event Log channels, you want this input to monitor. We have selected Application, Security and System logs. You also need to choose the index that will store the data:

Event Log channels

 

And that’s it! We can now search the Event logs from the local machine:

Event logs

 

Collect performance counters

All performance counters that are available in the Windows Performance Monitor are also available in Splunk. You can collect performance data from both the local and remote hosts. Splunk allows you to analyze the collected data and ensure that your systems are running without a downtime.

NOTE – To be able to collect performance data on the localhost, Splunk must run as the Local System user. If you want to collect performance data from a remote Windows host, Splunk must run as a domain or remote user with at least read access to WMI on the remote computer.

Here are the steps to collect performance data from a local Windows machine:

Go to Settings > Data inputs:

Data inputs

 

Click Local performance monitoring:

Local performance monitoring

Click New to create a new configuration:

new configuration

 

Enter the name of the collection under the Collection name field. Under the Available objects field, click Select Object and choose the object that you want to monitor. This will open up two boxes: Select Counters and Select Instances. Note that you can select only one performance object per data input. We’ve selected the Processor performance object:

Processor performance object

 

In the Select Counters list box, select the performance counters, you want this input to monitor. In the Select Instances list box, select the instances that you want this input to monitor. The instance called _Total represents the total processor time used on all processors. In the Polling interval field, enter the time, in seconds, between polling attempts for the input:

Polling interval field

 

Next, you can select the App Context for this input, the host name value, and the index in which the data will be stored:

App Context

 

Review your selections and click Submit:

Submission window

 

And that’s it! We can now search the performance logs we’ve collected:

performance logs

 

                       Check Out Splunk frequently asked Interview Questions

Collect Windows host information

Splunk enables you to collect detailed statistics about the local and remote Windows machines. You can collect information such as the computer hostname, the operating system version and build numbers, the CPU installed on the system, disk space, installed services, running processes…

NOTE – To collect host information, Splunk must run as the Local System user or a local administrator account. On remote Windows machines, you can use a universal forwarder to send host information to an indexer.

Here is how you can collect information about a local Windows machine:

Go to Settings > Data inputs:

Data inputs

 

Click Local Windows host monitoring:

Local Windows host monitoring

 

Click New to add an input:

windows host monitor

 

In the Collection name field, enter the name for this input. In the Event types list box, select the host monitoring event types you would like to monitor. In the Interval field, enter the time, in seconds, between polling attempts for the input:

collection name window

 

Next, you can select the App Context for this input, the hostname value, and the index in which the data will be stored

app context window

Review the information and click Submit:

app data window

And that’s it! We can now search the host information which we’ve collected:

host information window

Explore Splunk Sample Resumes! Download & Edit, Get Noticed by Top Employers!Download Now!
Join our newsletter
inbox

Stay updated with our newsletter, packed with Tutorials, Interview Questions, How-to's, Tips & Tricks, Latest Trends & Updates, and more ➤ Straight to your inbox!

Course Schedule
NameDates
Splunk TrainingApr 20 to May 05View Details
Splunk TrainingApr 23 to May 08View Details
Splunk TrainingApr 27 to May 12View Details
Splunk TrainingApr 30 to May 15View Details
Last updated: 03 Apr 2023
About Author

 

Madhuri is a Senior Content Creator at MindMajix. She has written about a range of different topics on various technologies, which include, Splunk, Tensorflow, Selenium, and CEH. She spends most of her time researching on technology, and startups. Connect with her via LinkedIn and Twitter .

read more
Recommended Courses

1 / 15