Microsoft Windows

How to get Windows data into your Splunk deployment

Windows data you can collect

Link to supporting documentation

Event Logs

Monitor Windows event log data with Splunk Enterprise

File system changes

Monitor file system changes on Windows

Active Directory

Monitor Active Directory

Data through the Windows Management Instrumentation (WMI) infrastructure

Monitor data through Windows Management Instrumentation (WMI)

Registry data

Monitor Windows Registry data

Performance metrics

Monitor Windows performance

Host information

Monitor Windows host information

Print information

Monitor Windows printer information

Network information

Monitor Windows network information

Powershell

Monitor Windows data with PowerShell scripts

How to Use PowerShell Transcription Logs in Splunk

#Monitor PowerShell transcript logs
[monitor://C:\pstrans\*\*.txt]
sourcetype = powershell:transcript
index = powershell
disabled = 0
multiline_event_extra_waittime = true
time_before_close = 300

#Monitor PowerShell Windows Event Logs
[WinEventLog://Microsoft-Windows-PowerShell/Operational]
disabled = 0
renderXml = 1
index = powershell
source = XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
sourcetype = XmlWinEventLog

[WinEventLog://Windows PowerShell]
disabled = 0
index=wineventlog

PreviousMicrosoft Azure NextIntegration Netflow with Splunk

Last updated 6 hours ago