## ## SPDX-FileCopyrightText: 2021 Splunk, Inc. ## SPDX-License-Identifier: LicenseRef-Splunk-8-2021 ## DO NOT EDIT THIS FILE! ## Please make all changes to files in $SPLUNK_HOME/etc/apps/Splunk_TA_windows/local. ## To make changes, copy the section/stanza you want to change from $SPLUNK_HOME/etc/apps/Splunk_TA_windows/default ## into ../local and edit there. ## ## This file contains possible attribute/value pairs for configuring WMI access FROM Splunk. ## [settings] initial_backoff = 5 max_backoff = 20 max_retries_at_max_backoff = 0 checkpoint_sync_interval = 2 ## Pull event logs FROM the local system ## Usually disabled in favor of using WinEventLog inputs [WMI:LocalApplication] interval = 10 event_log_file = Application disabled = 1 [WMI:LocalSystem] interval = 10 event_log_file = System disabled = 1 [WMI:LocalSecurity] interval = 10 event_log_file = Security disabled = 1 ## Gather performance data FROM the local system ## Computer System [WMI:ComputerSystem] disabled = 1 ## Run once per day interval = 86400 wql = SELECT TotalPhysicalMemory FROM Win32_ComputerSystem ## CPU ## Usually disabled in favor of Perfmon counters [WMI:CPUTime] interval = 3 wql = SELECT PercentProcessorTime,PercentUserTime,Name FROM Win32_PerfFormattedData_PerfOS_Processor disabled = 1 ## Disk ## Usually disabled in favor of Perfmon counters [WMI:FreeDiskSpace] interval = 120 wql = SELECT Name,FreeMegabytes,PercentFreeSpace FROM Win32_PerfFormattedData_PerfDisk_LogicalDisk disabled = 1 [WMI:LogicalDisk] interval = 120 wql = SELECT Name,AvgDisksecPerRead,AvgDisksecPerWrite,AvgDisksecPerTransfer,DiskReadsPersec,DiskWritesPersec FROM Win32_PerfFormattedData_PerfDisk_LogicalDisk disabled = 1 [WMI:LocalPhysicalDisk] interval = 10 wql = SELECT Name, CurrentDiskQueueLength, DiskBytesPerSec, PercentDiskReadTime, PercentDiskWriteTime, PercentDiskTime FROM Win32_PerfFormattedData_PerfDisk_PhysicalDisk disabled = 1 ## Memory ## Usually disabled in favor of Perfmon counters [WMI:Memory] interval = 5 wql = SELECT PagesPerSec, PagesInputPerSec, PagesOutputPerSec, AvailableBytes, CommittedBytes, PercentCommittedBytesInUse, PoolPagedBytes, PoolNonpagedBytes FROM Win32_PerfFormattedData_PerfOS_Memory disabled = 1 ## Network ## Usuall disabled in favor of Perfmon counters [WMI:LocalNetwork] interval = 10 wql = SELECT Name, BytesReceivedPerSec, BytesSentPerSec, BytesTotalPerSec, CurrentBandwidth FROM Win32_PerfFormattedData_Tcpip_NetworkInterface disabled = 1 ## Processes [WMI:LocalProcesses] interval = 30 wql = SELECT Name, IDProcess, PrivateBytes, PercentProcessorTime FROM Win32_PerfFormattedData_PerfProc_Process disabled = 1 ## Scheduled Jobs ## Use the Win32_ScheduledJob class. Note that this class can only return jobs that are created using either a script or AT.exe. ## It cannot return information about jobs that are either created by or modified by the Scheduled Task wizard. [WMI:ScheduledJobs] disabled = 1 ## Run twice per day interval = 43200 wql = SELECT Caption, Command, Description, InstallDate, InteractWithDesktop, JobId, JobStatus, Name, Notify, Priority, RunRepeatedly, Status FROM Win32_ScheduledJob ## Services ## http://msdn.microsoft.com/en-us/library/aa394418(VS.85).aspx ## Lists all services registered on the system,if they are running,and the status [WMI:Service] disabled = 1 ## Run once an hour interval = 3600 wql = SELECT Name, Caption, State, Status, StartMode, StartName, PathName, Description FROM Win32_Service ## Update [WMI:InstalledUpdates] disabled = 1 ## Run once per day interval = 86400 wql = SELECT Description, FixComments, HotFixID, InstalledBy, InstalledOn, ServicePackInEffect FROM Win32_QuickFixEngineering ## Uptime [WMI:Uptime] disabled = 1 ## Run once per day interval = 86400 wql = SELECT SystemUpTime FROM Win32_PerfFormattedData_PerfOS_System ## User Accounts [WMI:UserAccounts] disabled = 1 ## Run twice per day interval = 43200 wql = SELECT Caption, Description, Domain, InstallDate, LocalAccount, Name, SID, SIDType, Status FROM Win32_Account WHERE LocalAccount = true ## Deprecated: The SIDs for local accounts can be retrieved by enabling the WMI:UserAccounts stanza ## disabled = 1 ## Run twice per day ## interval = 43200 ## wql = SELECT * FROM Win32_AccountSID ## Version [WMI:Version] disabled = 1 ## Run once per day interval = 86400 wql = SELECT Caption, ServicePackMajorVersion, ServicePackMinorVersion, Version FROM Win32_OperatingSystem