Native Windows inputs
One nice thing about Windows is that system logs and many application logs go to
the same place: the Windows Event Log. Unfortunately, that place is not a file, so native
hooks are required to access these events. Splunk makes those inputs available using
inputs.conf stanzas of the form [WinEventLog:LogName], where LogName is the name of
the event log channel. For example, to index the Security log, the stanza simply looks
like this:
[WinEventLog:Security]
There are a number of supported attributes, but the defaults are reasonable. The
only attribute I have personally used is current_only, which is the equivalent
of followTail for monitor stanzas. For instance, this stanza says to monitor the
Application log, but to start reading from now:
[WinEventLog:Application]
current_only = 1
This is useful when there are many historical events on the server. The trade-off is
that current_only does not just skip history: events written while Splunk is stopped
are not picked up either, so it is a poor choice for logs you rely on for audit, such as
the Security log.
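As an added example (not from the original text), here is what a complete inputs.conf for the two logs discussed above might look like: the Security log reads from the oldest available event so no audit history is lost, while the Application log uses current_only. The index name wineventlog is an assumption and must already exist on the indexer; disabled, index, start_from, current_only and checkpointInterval are standard WinEventLog attributes.

```ini
# inputs.conf (assumed location: $SPLUNK_HOME/etc/system/local or an app's local/)
# Example configuration, not from the original page.

# Security log: keep the full history, and let the checkpoint catch up after
# a Splunk outage so audit events written during downtime are still indexed.
[WinEventLog:Security]
disabled = 0
index = wineventlog          ; assumption: this index already exists
start_from = oldest          ; begin with the oldest event in the log
current_only = 0             ; read history and continue from the checkpoint
checkpointInterval = 5       ; seconds between checkpoint writes

# Application log: we only care about new events, so skip the backlog.
# Note: with current_only = 1, events written while Splunk is stopped are lost.
[WinEventLog:Application]
disabled = 0
index = wineventlog          ; assumption: same index as above
current_only = 1
```

Restart the forwarder (or reload inputs) after editing the file; the monitor position for each log is stored in the checkpoint, so switching a stanza from current_only = 1 to 0 later will not recover events that were already skipped.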
The other input available is Windows Management Instrumentation ( WMI ). With
WMI, you can:
• Monitor native performance metrics, like you would find in Windows
Performance Monitor
• Monitor the Windows Event Log API
• Run custom queries against the database behind WMI
• Query remote machines
Though it is theoretically possible to monitor many Windows
servers using WMI and a few Splunk forwarders, this is not
advised. The configuration is complicated, does not scale well,
introduces complicated security implications (remote WMI requires
RPC/DCOM access to every target and a privileged account that is valid
on all of them), and is not thoroughly tested. Also, reading Windows
Event Logs via WMI produces different output than the native input,
and most apps that expect Windows events will not function as expected.
The simplest way to generate the inputs.conf and wmi.conf configurations needed
for Windows Event Logs and WMI is to install Splunk for Windows on a Windows
host, configure the desired inputs through the web interface, and then copy the
resulting stanzas to your forwarders. See the official Splunk documentation for
more examples.
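For comparison with the native stanzas, here is an added example (not from the original page) of a wmi.conf that does the first two things the WMI list above mentions, a performance-counter query and an event log read, on the local host only, in keeping with the advice against remote WMI collection. The stanza names LocalPhysicalDisk and LocalApplication and the index name wineventlog are assumptions; interval, wql, event_log_file, disabled and index are standard wmi.conf attributes.

```ini
# wmi.conf (assumed location: $SPLUNK_HOME/etc/system/local or an app's local/)
# Example configuration, not from the original page.

# Native performance metrics, as in Windows Performance Monitor:
# poll the physical-disk counters every 5 seconds via a WQL query.
[WMI:LocalPhysicalDisk]
interval = 5
wql = select Name, DiskBytesPerSec, PercentDiskReadTime, PercentDiskWriteTime, PercentDiskTime from Win32_PerfFormattedData_PerfDisk_PhysicalDisk
disabled = 0
index = wineventlog          ; assumption: this index already exists

# Event log via WMI: reads the Application log, but note that the
# resulting events are shaped differently from the [WinEventLog:Application]
# native input and will not match apps that expect the native format.
[WMI:LocalApplication]
interval = 10
event_log_file = Application
disabled = 0
index = wineventlog          ; assumption: same index as above
```

Because no server attribute is set, both stanzas query the local machine; the credentials are those of the Splunk service account, which must be allowed to read the WMI namespace.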