Is there a way I can use Splunk to log Windows application usage?
I need to be able to see what applications were launched during a user's session.
You can enable process tracking via Group Policy (local or domain based).
http://technet.microsoft.com/en-us/library/cc775520(v=ws.10).aspx
Once enabled, an event is logged to the Windows Security Event Log when a process is started/terminated. However, be aware that process tracking does generate a lot of events!
Exactly what I needed. Thanks very much.
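An added example, not code from this thread or from Splunk: with process tracking enabled, the Security log's process creation and exit events (IDs 4688 and 4689 on Windows Vista/Server 2008 and later) carry a Logon ID that ties each process to a logon session. The sketch below groups constructed, trimmed-down sample events by that Logon ID to list what ran in each session; the `apps_by_session` helper and the `---` record separator are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample events, trimmed to the fields used below.
# 4688 = process created, 4689 = process exited.
SAMPLE = r"""
EventCode=4688
Account Name: alice
Logon ID: 0x5A3F1
New Process ID: 0x1a4
New Process Name: C:\Windows\System32\notepad.exe
---
EventCode=4688
Account Name: alice
Logon ID: 0x5A3F1
New Process ID: 0x2b8
New Process Name: C:\Program Files\Example\report.exe
---
EventCode=4689
Account Name: alice
Logon ID: 0x5A3F1
Process ID: 0x1a4
---
EventCode=4688
Account Name: bob
Logon ID: 0x7C210
New Process ID: 0x1a4
New Process Name: C:\Windows\System32\cmd.exe
"""
FIELD = re.compile(r"^\s*([A-Za-z ]+?)\s*[:=]\s*(.+?)\s*$", re.M)

def apps_by_session(raw):
    """Map (account, logon_id) -> list of {"image", "pid", "exited"} dicts."""
    sessions = defaultdict(list)
    for block in raw.split("---"):
        ev = dict(FIELD.findall(block))
        if not ev:
            continue
        key = (ev["Account Name"], ev["Logon ID"].lower())
        if ev["EventCode"] == "4688":
            sessions[key].append({"image": ev["New Process Name"],
                                  "pid": ev["New Process ID"].lower(), "exited": False})
        elif ev["EventCode"] == "4689":
            # PIDs are reused: close the latest still-running match in this session only.
            for proc in reversed(sessions[key]):
                if proc["pid"] == ev["Process ID"].lower() and not proc["exited"]:
                    proc["exited"] = True
                    break
    return dict(sessions)
```

Keying on the Logon ID rather than the process ID alone keeps two users' processes apart even when Windows hands out the same PID to both.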
So far I've discovered that this isn't a standard piece of information that gets copied into the Windows Event Log. At the moment we're thinking that we might need to write a piece of code which will drop that information into the event log.
There's an article at http://www.codeproject.com/Articles/2018/Detecting-Windows-NT-2K-process-execution which explains some of the background of running a callback function each time a process is created or destroyed.