Monitor Windows Event Log Data – Splunk

Here, let us look at the ways to add Windows logs to Splunk from a local machine. We will also see how to collect host information and performance data, such as CPU and memory usage.

Windows inputs

Splunk can accept data from a variety of Windows sources:

  • Windows Event Logs: Splunk can monitor logs generated by the Windows event log service on a local or remote Windows machine.
  • Remote monitoring over WMI: Splunk can use WMI to access log and performance data on remote machines. WMI (Windows Management Instrumentation) allows management information to be shared between management applications.
  • Registry monitoring: Splunk can monitor changes to the local Windows Registry using the Registry monitoring capability. You can also use a universal forwarder to gather Registry data from remote Windows machines.
  • Active Directory monitoring: Splunk can audit any modifications to Active Directory, including changes to users, groups, machines, and Group Policy objects.

The most efficient way to gather data from any remote Windows machine is to install Universal Forwarders on the remote hosts. A universal forwarder is a dedicated, lightweight version of Splunk that contains only the essential components needed to send data.

Collect event logs from a local Windows Machine

You probably know that Windows records significant events on your computer (such as when a user logs on or when a program encounters an error). These logs are maintained by the Event Log Service and can be displayed using the Event Viewer:

Event Viewer

Splunk can monitor and collect logs generated by the Windows Event Log Service on a local or remote Windows machine.

NOTE – To read local event logs, Splunk must run as the Local System user.

Here are the steps to configure event log monitoring on a local machine:

Go to Settings > Data inputs:

configure event log

Click Local event log collection:

Local event log collection

In the Available log(s) list box, choose the Event Log channels you want this input to monitor. We have selected the Application, Security and System logs. You also need to choose the index that will store the data:

Event Log channels

And that’s it! We can now search the Event logs from the local machine:

Event logs

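The same input can be defined directly in inputs.conf instead of through Settings > Data inputs. The stanzas below are an added example, not configuration from the original article; the index name wineventlog and the file location are assumptions, and each stanza mirrors one of the three channels selected above:

```ini
# Assumed location: $SPLUNK_HOME/etc/system/local/inputs.conf
# One WinEventLog stanza per channel chosen in the Available log(s) list box.
# Splunk must run as Local System for these local channels to be readable.

[WinEventLog://Application]
disabled = 0
index = wineventlog
# read the channel from its beginning on first start, then tail it
start_from = oldest
current_only = 0
# how often (seconds) the read position is saved, so a restart does not replay events
checkpointInterval = 5

[WinEventLog://Security]
disabled = 0
index = wineventlog
start_from = oldest
current_only = 0
checkpointInterval = 5
# resolve SIDs and GUIDs in Security events to readable account and object names
evt_resolve_ad_obj = 1

[WinEventLog://System]
disabled = 0
index = wineventlog
start_from = oldest
current_only = 0
checkpointInterval = 5
```

The index named here must already exist on the indexer; if the index setting is omitted, events land in main.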

Collect performance counters

All performance counters that are available in the Windows Performance Monitor are also available in Splunk. You can collect performance data from both local and remote hosts. Splunk allows you to analyze the collected data and confirm that your systems are running without downtime.

NOTE – To be able to collect performance data on the localhost, Splunk must run as the Local System user. If you want to collect performance data from a remote Windows host, Splunk must run as a domain or remote user with at least read access to WMI on the remote computer.

Here are the steps to collect performance data from a local Windows machine:

Go to Settings > Data inputs:

Data inputs

Click Local performance monitoring:

Local performance monitoring

Click New to create a new configuration:

new configuration

Enter the name of the collection under the Collection name field. Under the Available objects field, click Select Object and choose the object that you want to monitor. This will open up two boxes: Select Counters and Select Instances. Note that you can select only one performance object per data input. We’ve selected the Processor performance object:

Processor performance object

In the Select Counters list box, select the performance counters you want this input to monitor. In the Select Instances list box, select the instances that you want this input to monitor. The instance called _Total represents the total processor time used across all processors. In the Polling interval field, enter the time, in seconds, between polling attempts for the input:

Polling interval field

Next, you can select the App Context for this input, the host name value, and the index in which the data will be stored:

App Context

Review your selections and click Submit:

Submission window

And that’s it! We can now search the performance logs we’ve collected:

performance logs

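The inputs.conf equivalent of the Processor collection configured above, as an added example rather than the article's own configuration. The stanza name, the chosen counters, the 10-second interval and the index name perfmon are assumptions; the Processor object and the _Total instance match what was selected in the UI:

```ini
# Assumed location: $SPLUNK_HOME/etc/system/local/inputs.conf
# perfmon:// stanzas collect from one performance object each, as in the UI.

[perfmon://Processor]
disabled = 0
# the Windows Performance Monitor object selected under Available objects
object = Processor
# counters chosen in the Select Counters list box, separated by semicolons
counters = % Processor Time; % Privileged Time; % User Time
# _Total aggregates all processors; use * to collect every instance separately
instances = _Total
# polling interval in seconds
interval = 10
# single = one event per counter sample; multikv = one event per poll with all counters
mode = single
index = perfmon
```

Collecting every instance with a short interval multiplies the event volume by the number of instances, so size the index accordingly.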
Collect Windows host information

Splunk enables you to collect detailed statistics about local and remote Windows machines. You can collect information such as the computer hostname, the operating system version and build numbers, the CPU installed on the system, disk space, installed services, and running processes.

NOTE – To collect host information, Splunk must run as the Local System user or a local administrator account. On remote Windows machines, you can use a universal forwarder to send host information to an indexer.

Here is how you can collect information about a local Windows machine:

Go to Settings > Data inputs:

Data inputs

Click Local Windows host monitoring:

Local Windows host monitoring

Click New to add an input:

windows host monitor

In the Collection name field, enter the name for this input. In the Event types list box, select the host monitoring event types you would like to monitor. In the Interval field, enter the time, in seconds, between polling attempts for the input:

collection name window

Next, you can select the App Context for this input, the hostname value, and the index in which the data will be stored:

app context window

Review the information and click Submit:

app data window

And that’s it! We can now search the host information which we’ve collected:

host information window
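For completeness, the host monitoring input above expressed as an inputs.conf stanza. This is an added example, not the article's configuration; the stanza name, the selected event types, the 300-second interval and the index name winhost are assumptions:

```ini
# Assumed location: $SPLUNK_HOME/etc/system/local/inputs.conf
# WinHostMon:// polls the local machine for inventory-style data.
# Splunk must run as Local System or a local administrator for this input.

[WinHostMon://host-info]
disabled = 0
# event types chosen in the Event types list box, separated by semicolons
type = Computer;OperatingSystem;Processor;Disk;Service;Process
# polling interval in seconds; host inventory changes slowly, so poll less often
# than performance counters
interval = 300
index = winhost
```

Service and Process snapshots taken at a fixed interval give a baseline to compare against when an unexpected service or process appears on a host.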

Last updated: 03 Apr 2023
About Author
Madhuri is a Senior Content Creator at MindMajix. She has written about a range of different topics on various technologies, which include, Splunk, Tensorflow, Selenium, and CEH. She spends most of her time researching on technology, and startups. Connect with her via LinkedIn and Twitter .