You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
153 lines
4.3 KiB
153 lines
4.3 KiB
##
|
|
## SPDX-FileCopyrightText: 2024 Splunk, Inc.
|
|
## SPDX-License-Identifier: LicenseRef-Splunk-8-2021
|
|
## DO NOT EDIT THIS FILE!
|
|
## Please make all changes to files in $SPLUNK_HOME/etc/apps/Splunk_TA_windows/local.
|
|
## To make changes, copy the section/stanza you want to change from $SPLUNK_HOME/etc/apps/Splunk_TA_windows/default
|
|
## into ../local and edit there.
|
|
##
|
|
## This file contains possible attribute/value pairs for configuring WMI access FROM Splunk.
|
|
##
|
|
|
|
[settings]
|
|
initial_backoff = 5
|
|
max_backoff = 20
|
|
max_retries_at_max_backoff = 0
|
|
checkpoint_sync_interval = 2
|
|
|
|
## Pull event logs FROM the local system
|
|
## Usually disabled in favor of using WinEventLog inputs
|
|
[WMI:LocalApplication]
|
|
interval = 10
|
|
event_log_file = Application
|
|
disabled = 1
|
|
|
|
[WMI:LocalSystem]
|
|
interval = 10
|
|
event_log_file = System
|
|
disabled = 1
|
|
|
|
[WMI:LocalSecurity]
|
|
interval = 10
|
|
event_log_file = Security
|
|
disabled = 1
|
|
|
|
|
|
## Gather performance data FROM the local system
|
|
|
|
## Computer System
|
|
[WMI:ComputerSystem]
|
|
disabled = 1
|
|
## Run once per day
|
|
interval = 86400
|
|
wql = SELECT TotalPhysicalMemory FROM Win32_ComputerSystem
|
|
|
|
|
|
## CPU
|
|
## Usually disabled in favor of Perfmon counters
|
|
[WMI:CPUTime]
|
|
interval = 3
|
|
wql = SELECT PercentProcessorTime,PercentUserTime,Name FROM Win32_PerfFormattedData_PerfOS_Processor
|
|
disabled = 1
|
|
|
|
|
|
## Disk
|
|
|
|
## Usually disabled in favor of Perfmon counters
|
|
[WMI:FreeDiskSpace]
|
|
interval = 120
|
|
wql = SELECT Name,FreeMegabytes,PercentFreeSpace FROM Win32_PerfFormattedData_PerfDisk_LogicalDisk
|
|
disabled = 1
|
|
|
|
[WMI:LogicalDisk]
|
|
interval = 120
|
|
wql = SELECT Name,AvgDisksecPerRead,AvgDisksecPerWrite,AvgDisksecPerTransfer,DiskReadsPersec,DiskWritesPersec FROM Win32_PerfFormattedData_PerfDisk_LogicalDisk
|
|
disabled = 1
|
|
|
|
[WMI:LocalPhysicalDisk]
|
|
interval = 10
|
|
wql = SELECT Name, CurrentDiskQueueLength, DiskBytesPerSec, PercentDiskReadTime, PercentDiskWriteTime, PercentDiskTime FROM Win32_PerfFormattedData_PerfDisk_PhysicalDisk
|
|
disabled = 1
|
|
|
|
|
|
## Memory
|
|
## Usually disabled in favor of Perfmon counters
|
|
[WMI:Memory]
|
|
interval = 5
|
|
wql = SELECT PagesPerSec, PagesInputPerSec, PagesOutputPerSec, AvailableBytes, CommittedBytes, PercentCommittedBytesInUse, PoolPagedBytes, PoolNonpagedBytes FROM Win32_PerfFormattedData_PerfOS_Memory
|
|
disabled = 1
|
|
|
|
|
|
## Network
|
|
## Usuall disabled in favor of Perfmon counters
|
|
[WMI:LocalNetwork]
|
|
interval = 10
|
|
wql = SELECT Name, BytesReceivedPerSec, BytesSentPerSec, BytesTotalPerSec, CurrentBandwidth FROM Win32_PerfFormattedData_Tcpip_NetworkInterface
|
|
disabled = 1
|
|
|
|
|
|
## Processes
|
|
[WMI:LocalProcesses]
|
|
interval = 30
|
|
wql = SELECT Name, IDProcess, PrivateBytes, PercentProcessorTime FROM Win32_PerfFormattedData_PerfProc_Process
|
|
disabled = 1
|
|
|
|
|
|
## Scheduled Jobs
|
|
|
|
## Use the Win32_ScheduledJob class. Note that this class can only return jobs that are created using either a script or AT.exe.
|
|
## It cannot return information about jobs that are either created by or modified by the Scheduled Task wizard.
|
|
[WMI:ScheduledJobs]
|
|
disabled = 1
|
|
## Run twice per day
|
|
interval = 43200
|
|
wql = SELECT Caption, Command, Description, InstallDate, InteractWithDesktop, JobId, JobStatus, Name, Notify, Priority, RunRepeatedly, Status FROM Win32_ScheduledJob
|
|
|
|
## Services
|
|
|
|
## http://msdn.microsoft.com/en-us/library/aa394418(VS.85).aspx
|
|
## Lists all services registered on the system,if they are running,and the status
|
|
[WMI:Service]
|
|
disabled = 1
|
|
## Run once an hour
|
|
interval = 3600
|
|
wql = SELECT Name, Caption, State, Status, StartMode, StartName, PathName, Description FROM Win32_Service
|
|
|
|
|
|
## Update
|
|
[WMI:InstalledUpdates]
|
|
disabled = 1
|
|
## Run once per day
|
|
interval = 86400
|
|
wql = SELECT Description, FixComments, HotFixID, InstalledBy, InstalledOn, ServicePackInEffect FROM Win32_QuickFixEngineering
|
|
|
|
|
|
## Uptime
|
|
[WMI:Uptime]
|
|
disabled = 1
|
|
## Run once per day
|
|
interval = 86400
|
|
wql = SELECT SystemUpTime FROM Win32_PerfFormattedData_PerfOS_System
|
|
|
|
|
|
## User Accounts
|
|
[WMI:UserAccounts]
|
|
disabled = 1
|
|
## Run twice per day
|
|
interval = 43200
|
|
wql = SELECT Caption, Description, Domain, InstallDate, LocalAccount, Name, SID, SIDType, Status FROM Win32_Account WHERE LocalAccount = true
|
|
|
|
## Deprecated: The SIDs for local accounts can be retrieved by enabling the WMI:UserAccounts stanza
|
|
## disabled = 1
|
|
## Run twice per day
|
|
## interval = 43200
|
|
## wql = SELECT * FROM Win32_AccountSID
|
|
|
|
|
|
## Version
|
|
[WMI:Version]
|
|
disabled = 1
|
|
## Run once per day
|
|
interval = 86400
|
|
wql = SELECT Caption, ServicePackMajorVersion, ServicePackMinorVersion, Version FROM Win32_OperatingSystem
|