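# MS Windows AD Objects provided pre-defined - Base Windows inputs
# - Custom Input Settings from the Splunk_TA_windows TA
#
# ---------------------------------------------------------------------------------------
# **** IMPORTANT NOTE: ****
# This inputs.conf file needs to be added to the FULL Splunk_TA_windows application
# - Using Deployment Server: /Splunk/etc/deployment-apps/Splunk_TA_windows/local/ directory.
# - Manual/Other: /Splunk/etc/apps/Splunk_TA_windows/local directory
# ---------------------------------------------------------------------------------------
# NOTE:
# *** This inputs.conf only contains base Windows pre-defined and enabled inputs.
#     They are configured to be leveraged by all Windows systems, but can be adjusted as needed.
# *** Important: If using the other MS Windows AD Objects TA Example for an AD Domain Controller,
#     Splunk_TA_windows_dc, then you will need to have both this TA and the Splunk_TA_windows_dc deployed
#     to the AD Domain Controller.
#
# Special Notes:
# *** Predefined Settings and Changes from the default\inputs.conf: you can adjust these to match your requirements.
#     - Index Settings: All of the enabled inputs below have predefined indexes based off of standard
#       recommendations (idx_eventlog_win, idx_api_win, idx_perfmon_win). These indexes must exist on the
#       indexers before the inputs are enabled; events sent to a non-existent index are discarded.
#     - Perfmon Inputs:
#       - mode Setting: The mode setting has been set to single, instead of multikv.
#       - interval Setting: The intervals for Perfmon data collection have been adjusted from the default of 10,
#         which is every 10 seconds, to 60, for once a minute (the LogicalDisk and PhysicalDisk stanzas use 120).
#         You can adjust as needed.
#     - WinEventLogs - renderXml Setting: XML rendering of the locally collected WinEventLogs is set to false,
#       instead of true. The ForwardedEvents (WEF) stanza is the exception and must stay on XML rendering.
# *** Renaming the application folder, from Splunk_TA_windows:
#     - If you want to use a different name than Splunk_TA_windows then you will need to update the script
#       setting in the following inputs:
#       - [powershell://generate_windows_update_logs]
#       - [monitor://$SPLUNK_HOME\var\log\Splunk_TA_windows\WindowsUpdate.log]
# ---------------------------------------------------------------------------------------

###### Base OS Logs ######

# start_from = oldest together with current_only = 0 ingests the entire existing log on first
# run; expect an initial backlog (and license usage) proportional to the host's log retention.
# checkpointInterval is the number of seconds between checkpoint saves.
[WinEventLog://Application]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
renderXml = false
index = idx_eventlog_win

# evt_resolve_ad_obj = 1 resolves SIDs/GUIDs in Security events to AD object names at
# collection time, which requires domain connectivity from the collecting host.
# blacklist1/blacklist2 drop directory-service object access events (4662 and 566) unless
# the accessed object is a groupPolicyContainer. This is a volume control: on domain
# controllers the unfiltered events are very noisy. Keep in mind that any detection relying
# on 4662 for other object types will not see those events from this input.
[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
blacklist1 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:(?!\s*groupPolicyContainer)"
renderXml = false
index = idx_eventlog_win

[WinEventLog://System]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
renderXml = false
index = idx_eventlog_win

###### Forwarded WinEventLogs (WEF) ######

# The addon supports only XML format for the collection of WinEventLogs using WEF, hence
# renderXml must remain true for this stanza (it was previously false here, contradicting
# this note). The host value below is a placeholder; presumably the add-on replaces it with
# the originating computer name taken from the XML event - verify this in the add-on's
# props/transforms before enabling, otherwise every forwarded event carries this host.
[WinEventLog://ForwardedEvents]
disabled = 1
start_from = oldest
current_only = 0
checkpointInterval = 5
renderXml = true
host = WinEventLogForwardHost
index = idx_eventlog_win

###### Windows Update Log ######

# Enable the stanza below to get WindowsUpdate.log for Windows 8, Windows 8.1, Server 2008R2,
# Server 2012 and Server 2012R2.
[monitor://$WINDIR\WindowsUpdate.log]
disabled = 0
sourcetype = WindowsUpdateLog
index = idx_api_win

# Enable the powershell and monitor stanzas below to get WindowsUpdate.log for Windows 10 and
# Server 2016. The powershell stanza generates WindowsUpdate.log once a day (schedule is
# cron-style: minute 0 of every 24th hour); the script path embeds the app folder name.
[powershell://generate_windows_update_logs]
script = ."$SplunkHome\etc\apps\Splunk_TA_windows\bin\powershell\generate_windows_update_logs.ps1"
schedule = 0 */24 * * *
disabled = 1
index = idx_api_win

# Monitors the generated WindowsUpdate.log on Windows 10 and Server 2016.
[monitor://$SPLUNK_HOME\var\log\Splunk_TA_windows\WindowsUpdate.log]
disabled = 1
sourcetype = WindowsUpdateLog
index = idx_api_win

###### Scripted Input (See also wmi.conf) ######

# Each stanza below runs a batch file shipped in the app's bin directory under the forwarder's
# service account. All are disabled by default; interval is in seconds.

# Run once per hour
[script://.\bin\win_listening_ports.bat]
disabled = 1
interval = 3600
sourcetype = Script:ListeningPorts
index = idx_api_win

# Run once per day
[script://.\bin\win_installed_apps.bat]
disabled = 1
interval = 86400
sourcetype = Script:InstalledApps
index = idx_api_win

# Run once per hour
[script://.\bin\win_timesync_status.bat]
disabled = 1
interval = 3600
sourcetype = Script:TimesyncStatus
index = idx_api_win

# Run once per hour
[script://.\bin\win_timesync_configuration.bat]
disabled = 1
interval = 3600
sourcetype = Script:TimesyncConfiguration
index = idx_api_win

# Run once per day
[script://.\bin\netsh_address.bat]
disabled = 1
interval = 86400
sourcetype = Script:NetworkConfiguration
index = idx_api_win

###### Host monitoring ######

# interval is in seconds; 600 = every 10 minutes.
[WinHostMon://Computer]
interval = 600
disabled = 0
type = Computer
index = idx_api_win

[WinHostMon://Process]
interval = 600
disabled = 0
type = Process
index = idx_api_win

[WinHostMon://Processor]
interval = 600
disabled = 0
type = Processor
index = idx_api_win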
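[WinHostMon://NetworkAdapter]
interval = 600
disabled = 0
type = NetworkAdapter
index = idx_api_win

[WinHostMon://Service]
interval = 600
disabled = 0
type = Service
index = idx_api_win

[WinHostMon://OperatingSystem]
interval = 600
disabled = 0
type = OperatingSystem
index = idx_api_win

[WinHostMon://Disk]
interval = 600
disabled = 0
type = Disk
index = idx_api_win

[WinHostMon://Driver]
interval = 600
disabled = 0
type = Driver
index = idx_api_win

[WinHostMon://Roles]
interval = 600
disabled = 0
type = Roles
index = idx_api_win

###### Print monitoring ######

# Disabled by default. baseline = 1 captures the current state on first run so later
# events can be compared against it.
[WinPrintMon://printer]
type = printer
interval = 600
baseline = 1
disabled = 1
index = idx_api_win

[WinPrintMon://driver]
type = driver
interval = 600
baseline = 1
disabled = 1
index = idx_api_win

[WinPrintMon://port]
type = port
interval = 600
baseline = 1
disabled = 1
index = idx_api_win

###### Network monitoring ######

# Disabled by default. Network connection monitoring is useful for host-level detection
# but can be high volume; scope it (or sample it) before enabling fleet-wide.
[WinNetMon://inbound]
direction = inbound
disabled = 1
index = idx_api_win

[WinNetMon://outbound]
direction = outbound
disabled = 1
index = idx_api_win

###### Splunk 5.0+ Performance Counters ######

# Common settings for all perfmon stanzas below:
# - mode = single emits one event per counter sample instead of a multikv table.
# - useEnglishOnly = true queries counters by their English names so the list works on
#   non-English locales.
# - interval is in seconds; the disk stanzas deliberately use 120 instead of 60.
# - The counters value is a ';'-separated list; keep it on one line.

## CPU
[perfmon://CPU]
counters = % Processor Time; % User Time; % Privileged Time; Interrupts/sec; % DPC Time; % Interrupt Time; DPCs Queued/sec; DPC Rate; % Idle Time; % C1 Time; % C2 Time; % C3 Time; C1 Transitions/sec; C2 Transitions/sec; C3 Transitions/sec
disabled = 0
instances = *
interval = 60
mode = single
object = Processor
useEnglishOnly = true
index = idx_perfmon_win

## Logical Disk
[perfmon://LogicalDisk]
counters = % Free Space; Free Megabytes; Current Disk Queue Length; % Disk Time; Avg. Disk Queue Length; % Disk Read Time; Avg. Disk Read Queue Length; % Disk Write Time; Avg. Disk Write Queue Length; Avg. Disk sec/Transfer; Avg. Disk sec/Read; Avg. Disk sec/Write; Disk Transfers/sec; Disk Reads/sec; Disk Writes/sec; Disk Bytes/sec; Disk Read Bytes/sec; Disk Write Bytes/sec; Avg. Disk Bytes/Transfer; Avg. Disk Bytes/Read; Avg. Disk Bytes/Write; % Idle Time; Split IO/Sec
disabled = 0
instances = *
interval = 120
mode = single
object = LogicalDisk
useEnglishOnly = true
index = idx_perfmon_win

## Physical Disk
[perfmon://PhysicalDisk]
counters = Current Disk Queue Length; % Disk Time; Avg. Disk Queue Length; % Disk Read Time; Avg. Disk Read Queue Length; % Disk Write Time; Avg. Disk Write Queue Length; Avg. Disk sec/Transfer; Avg. Disk sec/Read; Avg. Disk sec/Write; Disk Transfers/sec; Disk Reads/sec; Disk Writes/sec; Disk Bytes/sec; Disk Read Bytes/sec; Disk Write Bytes/sec; Avg. Disk Bytes/Transfer; Avg. Disk Bytes/Read; Avg. Disk Bytes/Write; % Idle Time; Split IO/Sec
disabled = 0
instances = *
interval = 120
mode = single
object = PhysicalDisk
useEnglishOnly = true
index = idx_perfmon_win

## Memory
# The Memory object has no instances, so no instances key is set here.
[perfmon://Memory]
counters = Page Faults/sec; Available Bytes; Committed Bytes; Commit Limit; Write Copies/sec; Transition Faults/sec; Cache Faults/sec; Demand Zero Faults/sec; Pages/sec; Pages Input/sec; Page Reads/sec; Pages Output/sec; Pool Paged Bytes; Pool Nonpaged Bytes; Page Writes/sec; Pool Paged Allocs; Pool Nonpaged Allocs; Free System Page Table Entries; Cache Bytes; Cache Bytes Peak; Pool Paged Resident Bytes; System Code Total Bytes; System Code Resident Bytes; System Driver Total Bytes; System Driver Resident Bytes; System Cache Resident Bytes; % Committed Bytes In Use; Available KBytes; Available MBytes; Transition Pages RePurposed/sec; Free & Zero Page List Bytes; Modified Page List Bytes; Standby Cache Reserve Bytes; Standby Cache Normal Priority Bytes; Standby Cache Core Bytes; Long-Term Average Standby Cache Lifetime (s)
disabled = 0
interval = 60
mode = single
object = Memory
useEnglishOnly = true
index = idx_perfmon_win

## Network
[perfmon://Network]
counters = Bytes Total/sec; Packets/sec; Packets Received/sec; Packets Sent/sec; Current Bandwidth; Bytes Received/sec; Packets Received Unicast/sec; Packets Received Non-Unicast/sec; Packets Received Discarded; Packets Received Errors; Packets Received Unknown; Bytes Sent/sec; Packets Sent Unicast/sec; Packets Sent Non-Unicast/sec; Packets Outbound Discarded; Packets Outbound Errors; Output Queue Length; Offloaded Connections; TCP Active RSC Connections; TCP RSC Coalesced Packets/sec; TCP RSC Exceptions/sec; TCP RSC Average Packet Size
disabled = 0
instances = *
interval = 60
mode = single
object = Network Interface
useEnglishOnly = true
index = idx_perfmon_win

## Process
# instances = * samples every running process each interval; on busy hosts this is the
# largest perfmon contributor to ingest volume.
[perfmon://Process]
counters = % Processor Time; % User Time; % Privileged Time; Virtual Bytes Peak; Virtual Bytes; Page Faults/sec; Working Set Peak; Working Set; Page File Bytes Peak; Page File Bytes; Private Bytes; Thread Count; Priority Base; Elapsed Time; ID Process; Creating Process ID; Pool Paged Bytes; Pool Nonpaged Bytes; Handle Count; IO Read Operations/sec; IO Write Operations/sec; IO Data Operations/sec; IO Other Operations/sec; IO Read Bytes/sec; IO Write Bytes/sec; IO Data Bytes/sec; IO Other Bytes/sec; Working Set - Private
disabled = 0
instances = *
interval = 60
mode = single
object = Process
useEnglishOnly = true
index = idx_perfmon_win

## Processor Information
[perfmon://ProcessorInformation]
counters = % Processor Time; Processor Frequency
disabled = 0
instances = *
interval = 60
mode = single
object = Processor Information
useEnglishOnly = true
index = idx_perfmon_win

## System
[perfmon://System]
counters = File Read Operations/sec; File Write Operations/sec; File Control Operations/sec; File Read Bytes/sec; File Write Bytes/sec; File Control Bytes/sec; Context Switches/sec; System Calls/sec; File Data Operations/sec; System Up Time; Processor Queue Length; Processes; Threads; Alignment Fixups/sec; Exception Dispatches/sec; Floating Emulations/sec; % Registry Quota In Use
disabled = 0
instances = *
interval = 60
mode = single
object = System
useEnglishOnly = true
index = idx_perfmon_win

###### Windows Registry ######

# All registry stanzas are disabled by default. hive and proc are regular expressions.
# The default stanza matches every hive and every process (.*), which is extremely high
# volume if enabled; prefer the scoped hkcu_run/hklm_run stanzas below, which watch the
# per-user and machine-wide Run keys that are commonly used for persistence, and add
# further scoped stanzas rather than widening hive.
[WinRegMon://default]
disabled = 1
hive = .*
proc = .*
type = rename|set|delete|create
index = idx_api_win

[WinRegMon://hkcu_run]
disabled = 1
hive = \\REGISTRY\\USER\\.*\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\.*
proc = .*
type = set|create|delete|rename
index = idx_api_win

[WinRegMon://hklm_run]
disabled = 1
hive = \\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\.*
proc = .*
type = set|create|delete|rename
index = idx_api_win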