admingit
/
Deploiement_Server
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '8f3b5cdeda'
${ noResults }
Deploiement_Server/deployment-apps/Splunk_TA_windows_local_only/local/inputs.conf

325 lines
11 KiB
Raw Blame History

# MS Windows AD Objects provided pre-defined - Base Windows inputs
# - Custom Input Settings from the Splunk_TA_windows TA
#
# ---------------------------------------------------------------------------------------
# **** IMPORTANT NOTE: ****
# This inputs.conf file needs to be added to the FULL Splunk_TA_windows application
# - Using Deployment Server: /Splunk/etc/deployment-apps/Splunk_TA_windows/local/ directory.
# - Manual/Other: /Splunk/etc/apps/Splunk_TA_windows/local directory
# ---------------------------------------------------------------------------------------
# NOTE:
# *** This inputs.conf only contains base Windows pre-defined and enabled inputs.
# They are configured to be leveraged by all windows systems, but can be adjusted as needed.
# *** Important: If using the other MS Windows AD Objects TA Example for an AD Domain Controller,
# Splunk_TA_windows_dc, then you will need to have both this TA and the Splunk_TA_windows_dc deployed
# to the AD Domain Controller.
# Special Notes:
# *** Predefined Settings and Changes from the default\inputs.conf: You can adjust these to match your requirements
# - Index Settings: All of the enabled inputs below have predefined indexes based off of standard
# - Perfmon.. Inputs:
# - mode Setting: The mode setting has been set to single, instead of multikv
# - interval Setting: The intervals for Perfmon data collection has been adjusted from default of 10,
# which is every 10 seconds, to 60, for once a minute. You can adjust as needed.
# - WinEventLogs - renderxml Setting: XML Rendering of the WinEventLogs... is set to false, instead of true.
# recommendations.
# *** Renaming the applications folder, from Splunk_TA_windows:
# - If you want to use a different name than Splunk_TA_windows then you will need to update script
# setting in the following inputs:
# - [powershell://generate_windows_update_logs]
# - [monitor://$SPLUNK_HOME\var\log\Splunk_TA_windows\WindowsUpdate.log]
# ---------------------------------------------------------------------------------------
###### Base OS Logs ######
[WinEventLog://Application]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
renderXml=false
index=wineventlog
[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
blacklist1 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:(?!\s*groupPolicyContainer)"
renderXml=false
index=wineventlog
[WinEventLog://System]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
renderXml=false
index=wineventlog
###### Forwarded WinEventLogs (WEF) ######
[WinEventLog://ForwardedEvents]
disabled = 1
start_from = oldest
current_only = 0
checkpointInterval = 5
## The addon supports only XML format for the collection of WinEventLogs using WEF, hence do not change the below renderXml parameter to false.
renderXml=false
host=WinEventLogForwardHost
index=wineventlog
###### Windows Update Log ######
## Enable below stanza to get WindowsUpdate.log for Windows 8, Windows 8.1, Server 2008R2, Server 2012 and Server 2012R2
[monitor://$WINDIR\WindowsUpdate.log]
disabled = 0
sourcetype = WindowsUpdateLog
index=windows
## Enable below powershell and monitor stanzas to get WindowsUpdate.log for Windows 10 and Server 2016
## Below stanza will automatically generate WindowsUpdate.log daily
[powershell://generate_windows_update_logs]
script = ."$SplunkHome\etc\apps\Splunk_TA_windows\bin\powershell\generate_windows_update_logs.ps1"
schedule = 0 */24 * * *
disabled = 1
index=windows
## Below stanza will monitor the generated WindowsUpdate.log in Windows 10 and Server 2016
[monitor://$SPLUNK_HOME\var\log\Splunk_TA_windows\WindowsUpdate.log]
disabled = 1
sourcetype = WindowsUpdateLog
index=windows
###### Scripted Input (See also wmi.conf)
[script://.\bin\win_listening_ports.bat]
disabled = 1
## Run once per hour
interval = 3600
sourcetype = Script:ListeningPorts
index=windows
[script://.\bin\win_installed_apps.bat]
disabled = 1
## Run once per day
interval = 86400
sourcetype = Script:InstalledApps
index=windows
[script://.\bin\win_timesync_status.bat]
disabled = 1
## Run once per hour
interval = 3600
sourcetype = Script:TimesyncStatus
index=windows
[script://.\bin\win_timesync_configuration.bat]
disabled = 1
## Run once per hour
interval = 3600
sourcetype = Script:TimesyncConfiguration
index=windows
[script://.\bin\netsh_address.bat]
disabled = 1
## Run once per day
interval = 86400
sourcetype = Script:NetworkConfiguration
index=windows
###### Host monitoring ######
[WinHostMon://Computer]
interval = 600
disabled = 0
type = Computer
index=windows
[WinHostMon://Process]
interval = 600
disabled = 0
type = Process
index=windows
[WinHostMon://Processor]
interval = 600
disabled = 0
type = Processor
index=windows
[WinHostMon://NetworkAdapter]
interval = 600
disabled = 0
type = NetworkAdapter
index=windows
[WinHostMon://Service]
interval = 600
disabled = 0
type = Service
index=windows
[WinHostMon://OperatingSystem]
interval = 600
disabled = 0
type = OperatingSystem
index=windows
[WinHostMon://Disk]
interval = 600
disabled = 0
type = Disk
index=windows
[WinHostMon://Driver]
interval = 600
disabled = 0
type = Driver
index=windows
[WinHostMon://Roles]
interval = 600
disabled = 0
type = Roles
index=windows
###### Print monitoring ######
[WinPrintMon://printer]
type = printer
interval = 600
baseline = 1
disabled = 1
index=windows
[WinPrintMon://driver]
type = driver
interval = 600
baseline = 1
disabled = 1
index=windows
[WinPrintMon://port]
type = port
interval = 600
baseline = 1
disabled = 1
index=windows
###### Network monitoring ######
[WinNetMon://inbound]
direction = inbound
disabled = 1
index=windows
[WinNetMon://outbound]
direction = outbound
disabled = 1
index=windows
###### Splunk 5.0+ Performance Counters ######
## CPU
[perfmon://CPU]
counters = % Processor Time; % User Time; % Privileged Time; Interrupts/sec; % DPC Time; % Interrupt Time; DPCs Queued/sec; DPC Rate; % Idle Time; % C1 Time; % C2 Time; % C3 Time; C1 Transitions/sec; C2 Transitions/sec; C3 Transitions/sec
disabled = 0
instances = *
interval = 60
mode = single
object = Processor
useEnglishOnly=true
index=perfmon
## Logical Disk
[perfmon://LogicalDisk]
counters = % Free Space; Free Megabytes; Current Disk Queue Length; % Disk Time; Avg. Disk Queue Length; % Disk Read Time; Avg. Disk Read Queue Length; % Disk Write Time; Avg. Disk Write Queue Length; Avg. Disk sec/Transfer; Avg. Disk sec/Read; Avg. Disk sec/Write; Disk Transfers/sec; Disk Reads/sec; Disk Writes/sec; Disk Bytes/sec; Disk Read Bytes/sec; Disk Write Bytes/sec; Avg. Disk Bytes/Transfer; Avg. Disk Bytes/Read; Avg. Disk Bytes/Write; % Idle Time; Split IO/Sec
disabled = 0
instances = *
interval = 120
mode = single
object = LogicalDisk
useEnglishOnly=true
index=perfmon
## Physical Disk
[perfmon://PhysicalDisk]
counters = Current Disk Queue Length; % Disk Time; Avg. Disk Queue Length; % Disk Read Time; Avg. Disk Read Queue Length; % Disk Write Time; Avg. Disk Write Queue Length; Avg. Disk sec/Transfer; Avg. Disk sec/Read; Avg. Disk sec/Write; Disk Transfers/sec; Disk Reads/sec; Disk Writes/sec; Disk Bytes/sec; Disk Read Bytes/sec; Disk Write Bytes/sec; Avg. Disk Bytes/Transfer; Avg. Disk Bytes/Read; Avg. Disk Bytes/Write; % Idle Time; Split IO/Sec
disabled = 0
instances = *
interval = 120
mode = single
object = PhysicalDisk
useEnglishOnly=true
index=perfmon
## Memory
[perfmon://Memory]
counters = Page Faults/sec; Available Bytes; Committed Bytes; Commit Limit; Write Copies/sec; Transition Faults/sec; Cache Faults/sec; Demand Zero Faults/sec; Pages/sec; Pages Input/sec; Page Reads/sec; Pages Output/sec; Pool Paged Bytes; Pool Nonpaged Bytes; Page Writes/sec; Pool Paged Allocs; Pool Nonpaged Allocs; Free System Page Table Entries; Cache Bytes; Cache Bytes Peak; Pool Paged Resident Bytes; System Code Total Bytes; System Code Resident Bytes; System Driver Total Bytes; System Driver Resident Bytes; System Cache Resident Bytes; % Committed Bytes In Use; Available KBytes; Available MBytes; Transition Pages RePurposed/sec; Free & Zero Page List Bytes; Modified Page List Bytes; Standby Cache Reserve Bytes; Standby Cache Normal Priority Bytes; Standby Cache Core Bytes; Long-Term Average Standby Cache Lifetime (s)
disabled = 0
interval = 60
mode = single
object = Memory
useEnglishOnly=true
index=perfmon
## Network
[perfmon://Network]
counters = Bytes Total/sec; Packets/sec; Packets Received/sec; Packets Sent/sec; Current Bandwidth; Bytes Received/sec; Packets Received Unicast/sec; Packets Received Non-Unicast/sec; Packets Received Discarded; Packets Received Errors; Packets Received Unknown; Bytes Sent/sec; Packets Sent Unicast/sec; Packets Sent Non-Unicast/sec; Packets Outbound Discarded; Packets Outbound Errors; Output Queue Length; Offloaded Connections; TCP Active RSC Connections; TCP RSC Coalesced Packets/sec; TCP RSC Exceptions/sec; TCP RSC Average Packet Size
disabled = 0
instances = *
interval = 60
mode = single
object = Network Interface
useEnglishOnly=true
index=perfmon
## Process
[perfmon://Process]
counters = % Processor Time; % User Time; % Privileged Time; Virtual Bytes Peak; Virtual Bytes; Page Faults/sec; Working Set Peak; Working Set; Page File Bytes Peak; Page File Bytes; Private Bytes; Thread Count; Priority Base; Elapsed Time; ID Process; Creating Process ID; Pool Paged Bytes; Pool Nonpaged Bytes; Handle Count; IO Read Operations/sec; IO Write Operations/sec; IO Data Operations/sec; IO Other Operations/sec; IO Read Bytes/sec; IO Write Bytes/sec; IO Data Bytes/sec; IO Other Bytes/sec; Working Set - Private
disabled = 0
instances = *
interval = 60
mode = single
object = Process
useEnglishOnly=true
index=perfmon
## ProcessInformation
[perfmon://ProcessorInformation]
counters = % Processor Time; Processor Frequency
disabled = 0
instances = *
interval = 60
mode = single
object = Processor Information
useEnglishOnly=true
index=perfmon
## System
[perfmon://System]
counters = File Read Operations/sec; File Write Operations/sec; File Control Operations/sec; File Read Bytes/sec; File Write Bytes/sec; File Control Bytes/sec; Context Switches/sec; System Calls/sec; File Data Operations/sec; System Up Time; Processor Queue Length; Processes; Threads; Alignment Fixups/sec; Exception Dispatches/sec; Floating Emulations/sec; % Registry Quota In Use
disabled = 0
instances = *
interval = 60
mode = single
object = System
useEnglishOnly=true
index=perfmon
## Windows Registry
[WinRegMon://default]
disabled = 1
hive = .*
proc = .*
type = rename|set|delete|create
index=windows
[WinRegMon://hkcu_run]
disabled = 1
hive = \\REGISTRY\\USER\\.*\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\.*
proc = .*
type = set|create|delete|rename
index=windows
[WinRegMon://hklm_run]
disabled = 1
hive = \\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\.*
proc = .*
type = set|create|delete|rename
index=windows
Reference in new issue View Git Blame Copy Permalink