Getting Data In

How do I collect data from Windows?

justinfielding
New Member

I have Splunk deployed on a Debian VM and it seems to be running fine (collects syslog data etc). No problems there.

Now I want to collect info from my windows machines. I installed the universal forwarder on my domain controller using the 'local' context as the remote context failed. This is because on a domain controller there is no such thing as a local account/permission which the 'remote' context install requires. Annoying but collecting data from one server is fine for now - I only have another three windows machines so can install a forwarder on them too.

Splunk is now receiving data from the domain controller but I have two issues:

  1. The data shows up as coming from two different hosts. Performance data shows up coming from 'FRED' whereas event log data shows up from 'fred'.
  2. None of the 'Windows App' reports or searches work because the sources don't match up. For example the performance searches are looking for source="wmi:cpu" but data coming in from the server is tagged with source=Perfmon:CPU Load

It seems data is not being collected in the right way. Where have I gone wrong?


cervelli
Splunk Employee

WRT question 1: the host issue has to do with how Splunk 'automagically' finds hostnames. In the event log, it's taken directly from the event, because the host is part of the data (NOT the local host, as event log forwarding could create entries for many hosts on one machine).

In the performance case, there is no host in the raw data. The normal host rules apply. You can force a specific treatment by configuring an explicit host= on the forwarder or a props rule on the indexer.
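Both options in the reply above, written out as an added example (not configuration from the original post or from Splunk's own defaults). The hostname `fred` and the source `Perfmon:CPU Load` are taken from the question; the perfmon stanza contents, the transform name `perfmon_force_host` and the choice to lowercase the host to match the event log data are assumptions for illustration:

```ini
# --- Option A: on the universal forwarder, inputs.conf ---
# The stanza name becomes the source ("Perfmon:CPU Load"), which is
# why the question sees source=Perfmon:CPU Load. Setting host= here
# overrides the default (the machine's own name, "FRED") so that the
# perfmon events carry the same host value as the event log events.
# (Counter/object values below are assumed for the example.)
[perfmon://CPU Load]
object = Processor
counters = % Processor Time
instances = _Total
interval = 10
host = fred

# --- Option B: on the indexer, props.conf ---
# Apply an index-time transform to every event whose source starts
# with "Perfmon:". The "..." wildcard matches the rest of the source.
[source::Perfmon:...]
TRANSFORMS-perfmonhost = perfmon_force_host

# --- Option B: on the indexer, transforms.conf ---
# Documented override-host pattern: match any event (REGEX = .) and
# rewrite the host metadata field to a fixed value. The name
# "perfmon_force_host" is an assumption; it only has to match props.conf.
[perfmon_force_host]
REGEX = .
DEST_KEY = MetaData:Host
FORMAT = host::fred
```

Pick one of the two; with both in place the indexer setting simply re-applies what the forwarder already sent. Note that both are index-time settings, so they affect only data indexed after a restart of the component you edited, and existing events keep whichever host value they were indexed with. Option A only changes the one stanza it is placed in, so it scales poorly once there are several forwarders; option B is a single place to fix, but a fixed host value is only correct while that indexer receives perfmon data from one machine, so on a multi-forwarder deployment the per-forwarder `host=` setting is the safer choice.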

Ayn
Legend

Part of the reason why you haven't seen any answers is that you added your comments as answers, so your question has been showing as having two answers in the list.

  1. Some mechanisms and sourcetypes have settings that override the hostname. Performance monitoring data might be one of those (I don't have much experience with it myself). Here's some more reading that could be a start for your troubleshooting (it's syslog in the linked question but the same principles apply): http://splunk-base.splunk.com/answers/1124/hostname-changing-on-some-sources
  2. The Windows app unfortunately relies on extractions that were valid for Splunk version 4.1 but not for 4.2. More info: http://blogs.splunk.com/2011/04/20/sssk-1-stuff-splunkers-should-know-perfmon-wmi-collection-in-4-2/ http://splunk-base.splunk.com/answers/31957/splunk-for-windows-app-and-splunk-universal-forwarder

justinfielding
New Member

Thank you for answering. I'll make sure I add any future updates as comments to avoid that in future.

I am seeing the hostname issue with syslog entries too, so that should be a useful reference (some entries show the hostname and some show the IP).

Will read up on the Windows app problem. Thanks for pointing me in the right direction.


justinfielding
New Member

Seriously - I'm not going to get an answer on this? Sadly my evaluation of Splunk is proving a bit of a disappointment.


justinfielding
New Member

Overwhelmed by the response here..
