parent
1f56bbc1c7
commit
75ca76b8d2
@ -0,0 +1,154 @@
|
||||
##
|
||||
## SPDX-FileCopyrightText: 2021 Splunk, Inc. <sales@splunk.com>
|
||||
## SPDX-License-Identifier: LicenseRef-Splunk-8-2021
|
||||
## DO NOT EDIT THIS FILE!
|
||||
## Please make all changes to files in $SPLUNK_HOME/etc/apps/Splunk_TA_windows/local.
|
||||
## To make changes, copy the section/stanza you want to change from $SPLUNK_HOME/etc/apps/Splunk_TA_windows/default
|
||||
## into ../local and edit there.
|
||||
##
|
||||
## This file contains possible attribute/value pairs for configuring WMI access FROM Splunk.
|
||||
##
|
||||
|
||||
[settings]
|
||||
initial_backoff = 5
|
||||
max_backoff = 20
|
||||
max_retries_at_max_backoff = 0
|
||||
checkpoint_sync_interval = 2
|
||||
|
||||
## Pull event logs FROM the local system
|
||||
## Usually disabled in favor of using WinEventLog inputs
|
||||
[WMI:LocalApplication]
|
||||
interval = 10
|
||||
event_log_file = Application
|
||||
disabled = 1
|
||||
|
||||
[WMI:LocalSystem]
|
||||
interval = 10
|
||||
event_log_file = System
|
||||
disabled = 1
|
||||
|
||||
[WMI:LocalSecurity]
|
||||
interval = 10
|
||||
event_log_file = Security
|
||||
disabled = 1
|
||||
|
||||
|
||||
## Gather performance data FROM the local system
|
||||
|
||||
## Computer System
|
||||
[WMI:ComputerSystem]
|
||||
disabled = 1
|
||||
## Run once per day
|
||||
interval = 86400
|
||||
wql = SELECT TotalPhysicalMemory FROM Win32_ComputerSystem
|
||||
index=wineventlog
|
||||
|
||||
## CPU
|
||||
## Usually disabled in favor of Perfmon counters
|
||||
[WMI:CPUTime]
|
||||
interval = 3
|
||||
wql = SELECT PercentProcessorTime,PercentUserTime,Name FROM Win32_PerfFormattedData_PerfOS_Processor
|
||||
disabled = 0
|
||||
index=perfmon
|
||||
|
||||
## Disk
|
||||
|
||||
## Usually disabled in favor of Perfmon counters
|
||||
[WMI:FreeDiskSpace]
|
||||
interval = 120
|
||||
wql = SELECT Name,FreeMegabytes,PercentFreeSpace FROM Win32_PerfFormattedData_PerfDisk_LogicalDisk
|
||||
disabled = 0
|
||||
index=perfmon
|
||||
|
||||
[WMI:LogicalDisk]
|
||||
interval = 120
|
||||
wql = SELECT Name,AvgDisksecPerRead,AvgDisksecPerWrite,AvgDisksecPerTransfer,DiskReadsPersec,DiskWritesPersec FROM Win32_PerfFormattedData_PerfDisk_LogicalDisk
|
||||
disabled = 0
|
||||
index=perfmon
|
||||
|
||||
[WMI:LocalPhysicalDisk]
|
||||
interval = 10
|
||||
wql = SELECT Name, CurrentDiskQueueLength, DiskBytesPerSec, PercentDiskReadTime, PercentDiskWriteTime, PercentDiskTime FROM Win32_PerfFormattedData_PerfDisk_PhysicalDisk
|
||||
disabled = 0
|
||||
index=perfmon
|
||||
|
||||
## Memory
|
||||
## Usually disabled in favor of Perfmon counters
|
||||
[WMI:Memory]
|
||||
interval = 5
|
||||
wql = SELECT PagesPerSec, PagesInputPerSec, PagesOutputPerSec, AvailableBytes, CommittedBytes, PercentCommittedBytesInUse, PoolPagedBytes, PoolNonpagedBytes FROM Win32_PerfFormattedData_PerfOS_Memory
|
||||
disabled = 0
|
||||
index=perfmon
|
||||
|
||||
## Network
|
||||
## Usuall disabled in favor of Perfmon counters
|
||||
[WMI:LocalNetwork]
|
||||
interval = 10
|
||||
wql = SELECT Name, BytesReceivedPerSec, BytesSentPerSec, BytesTotalPerSec, CurrentBandwidth FROM Win32_PerfFormattedData_Tcpip_NetworkInterface
|
||||
disabled = 0
|
||||
index=perfmon
|
||||
|
||||
## Processes
|
||||
[WMI:LocalProcesses]
|
||||
interval = 30
|
||||
wql = SELECT Name, IDProcess, PrivateBytes, PercentProcessorTime FROM Win32_PerfFormattedData_PerfProc_Process
|
||||
disabled = 0
|
||||
index=windows
|
||||
|
||||
## Scheduled Jobs
|
||||
|
||||
## Use the Win32_ScheduledJob class. Note that this class can only return jobs that are created using either a script or AT.exe.
|
||||
## It cannot return information about jobs that are either created by or modified by the Scheduled Task wizard.
|
||||
[WMI:ScheduledJobs]
|
||||
disabled = 1
|
||||
## Run twice per day
|
||||
interval = 43200
|
||||
wql = SELECT Caption, Command, Description, InstallDate, InteractWithDesktop, JobId, JobStatus, Name, Notify, Priority, RunRepeatedly, Status FROM Win32_ScheduledJob
|
||||
|
||||
## Services
|
||||
|
||||
## http://msdn.microsoft.com/en-us/library/aa394418(VS.85).aspx
|
||||
## Lists all services registered on the system,if they are running,and the status
|
||||
[WMI:Service]
|
||||
disabled = 1
|
||||
## Run once an hour
|
||||
interval = 3600
|
||||
wql = SELECT Name, Caption, State, Status, StartMode, StartName, PathName, Description FROM Win32_Service
|
||||
|
||||
|
||||
## Update
|
||||
[WMI:InstalledUpdates]
|
||||
disabled = 1
|
||||
## Run once per day
|
||||
interval = 86400
|
||||
wql = SELECT Description, FixComments, HotFixID, InstalledBy, InstalledOn, ServicePackInEffect FROM Win32_QuickFixEngineering
|
||||
|
||||
|
||||
## Uptime
|
||||
[WMI:Uptime]
|
||||
disabled = 1
|
||||
## Run once per day
|
||||
interval = 86400
|
||||
wql = SELECT SystemUpTime FROM Win32_PerfFormattedData_PerfOS_System
|
||||
|
||||
|
||||
## User Accounts
|
||||
[WMI:UserAccounts]
|
||||
disabled = 1
|
||||
## Run twice per day
|
||||
interval = 43200
|
||||
wql = SELECT Caption, Description, Domain, InstallDate, LocalAccount, Name, SID, SIDType, Status FROM Win32_Account WHERE LocalAccount = true
|
||||
|
||||
## Deprecated: The SIDs for local accounts can be retrieved by enabling the WMI:UserAccounts stanza
|
||||
## disabled = 1
|
||||
## Run twice per day
|
||||
## interval = 43200
|
||||
## wql = SELECT * FROM Win32_AccountSID
|
||||
|
||||
|
||||
## Version
|
||||
[WMI:Version]
|
||||
disabled = 1
|
||||
## Run once per day
|
||||
interval = 86400
|
||||
wql = SELECT Caption, ServicePackMajorVersion, ServicePackMinorVersion, Version FROM Win32_OperatingSystem
|
||||
Loading…
Reference in new issue