Getting Data In

Sample Windows Data for Input.conf

redsox07928
Path Finder

Does anyone have a sample inputs.conf for capturing Windows data such as CPU utilization, memory utilization and disk utilization?  Just looking for the basics.  I could not find any good baseline samples.

Thank you very much!


richgalloway
SplunkTrust

The default inputs.conf in the UF already contains Windows perfmon inputs.  You just have to enable the inputs you want.

---
If this reply helps you, Karma would be appreciated.

redsox07928
Path Finder

I extracted the file, which is great. Maybe I am missing the Windows perfmon inputs in the default inputs.conf.

# Version 8.2.1
# DO NOT EDIT THIS FILE!
# Changes to default files will be lost on update and are difficult to
# manage and support.
#
# Please make any changes to system defaults by overriding them in
# apps or $SPLUNK_HOME/etc/system/local
# (See "Configuration file precedence" in the web documentation).
#
# To override a specific setting, copy the name of the stanza and
# setting to the file where you wish to override it.
#
# This file contains possible attributes and values you can use to
# configure inputs, distributed inputs and file system monitoring.


[default]
index = default
_rcvbuf = 1572864
host = $decideOnStartup

[blacklist:$SPLUNK_HOME/etc/auth]

[blacklist:$SPLUNK_HOME/etc/passwd]

[monitor://$SPLUNK_HOME/var/log/splunk]
index = _internal

[monitor://$SPLUNK_HOME/var/log/watchdog/watchdog.log*]
index = _internal

[monitor://$SPLUNK_HOME/var/log/splunk/license_usage_summary.log]
index = _telemetry

[monitor://$SPLUNK_HOME/var/log/splunk/splunk_instrumentation_cloud.log*]
index = _telemetry
sourcetype = splunk_cloud_telemetry

[monitor://$SPLUNK_HOME/etc/splunk.version]
_TCP_ROUTING = *
index = _internal
sourcetype=splunk_version

[batch://$SPLUNK_HOME/var/run/splunk/search_telemetry/*search_telemetry.json]
move_policy = sinkhole
index = _introspection
sourcetype = search_telemetry
crcSalt = <SOURCE>
log_on_completion = 0

[batch://$SPLUNK_HOME/var/spool/splunk]
move_policy = sinkhole
crcSalt = <SOURCE>

[batch://$SPLUNK_HOME/var/spool/splunk/tracker.log*]
index = _internal
sourcetype = splunkd_latency_tracker
move_policy = sinkhole

[batch://$SPLUNK_HOME/var/spool/splunk/...stash_new]
queue = stashparsing
sourcetype = stash_new
move_policy = sinkhole
crcSalt = <SOURCE>
time_before_close = 0

[batch://$SPLUNK_HOME/var/spool/splunk/...stash_hec]
sourcetype = stash_hec
move_policy = sinkhole
crcSalt = <SOURCE>

[fschange:$SPLUNK_HOME/etc]
disabled = false
#poll every 10 minutes
pollPeriod = 600
#generate audit events into the audit index, instead of fschange events
signedaudit=true
recurse=true
followLinks=false
hashMaxSize=-1
fullEvent=false
sendEventMaxSize=-1
filesPerDelay = 10
delayInMills = 100

[udp]
connection_host=ip

[tcp]
acceptFrom=*
connection_host=dns

[splunktcp]
route=has_key:_replicationBucketUUID:replicationQueue;has_key:_dstrx:typingQueue;has_key:_linebreaker:indexQueue;absent_key:_linebreaker:parsingQueue
acceptFrom=*
connection_host=ip

[script]
interval = 60.0
start_by_shell = true

[SSL]
# SSL settings
# The following provides modern TLS configuration that guarantees forward-
# secrecy and efficiency. This configuration drops support for old Splunk
# versions (Splunk 5.x and earlier).
# To add support for Splunk 5.x set sslVersions to tls and add this to the
# end of cipherSuite:
# DHE-RSA-AES256-SHA:AES256-SHA:DHE-RSA-AES128-SHA:AES128-SHA
# and this, in case Diffie Hellman is not configured:
# AES256-SHA:AES128-SHA

sslVersions = tls1.2
cipherSuite = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
ecdhCurves = prime256v1, secp384r1, secp521r1

allowSslRenegotiation = true
sslQuietShutdown = false


redsox07928
Path Finder

Any chance you could post the stanza? That would be much appreciated.

isoutamo
SplunkTrust

Was this inputs.conf from a server or a UF? Based on its content, I suppose it's from a Linux server?

redsox07928
Path Finder

I downloaded the tgz for the UCF. I tried to extract the inputs.conf file, but it returned that the inputs.conf file was not present. I then downloaded the splunk tgz and got that inputs.conf file from it.

Yes, one responder was stating that I should extract the inputs.conf from the tgz, which is not used for Windows; it's Linux.

I see where you are going with this: why would the Linux inputs.conf file have Windows perfmon stats? Now I see that the tgz approach was not practical.

I was just hoping to get a sample stanza that captured Windows perfmon stats. That was and still is my goal.

isoutamo
SplunkTrust

The best approach will be to get the MS package and install it on any temporary workstation where you have admin access. Then you could see that inputs.conf there and copy the needed part from it.
Another option is just to check those stanzas from here: https://docs.splunk.com/Documentation/Splunk/8.2.1/Admin/Inputsconf
There are those options for Windows.
r. Ismo

redsox07928
Path Finder

As I said in one of the replies here, I do not have admin rights. I did look at that spec as well.

Someone said that the inputs.conf file in the install comes with samples and they just need to be enabled. The spec definitely does not have that.

I was just hoping someone could paste the sample stanza. Seems like a simple option.

isoutamo
SplunkTrust

Yes, I read that you don't have admin access to that server, but I'm thinking whether you have the option to install/use any temporary virtual machine for testing etc.

Here is $SPLUNK_HOME\etc\system\default\inputs.conf from one windows workstation. 

#   Version 8.0.6
# DO NOT EDIT THIS FILE!
# Changes to default files will be lost on update and are difficult to
# manage and support.
#
# Please make any changes to system defaults by overriding them in
# apps or $SPLUNK_HOME/etc/system/local  
# (See "Configuration file precedence" in the web documentation).
#
# To override a specific setting, copy the name of the stanza and
# setting to the file where you wish to override it.
#
# This file contains possible attributes and values you can use to
# configure inputs, distributed inputs and file system monitoring.


[default]
index         = default
_rcvbuf        = 1572864
host = $decideOnStartup
evt_resolve_ad_obj = 0
evt_dc_name=
evt_dns_name=

[blacklist:$SPLUNK_HOME\etc\auth]

[blacklist:$SPLUNK_HOME\etc\passwd]

[monitor://$SPLUNK_HOME\var\log\splunk]
index = _internal

[monitor://$SPLUNK_HOME\var\log\watchdog\watchdog.log*]
index = _internal

[monitor://$SPLUNK_HOME\var\log\splunk\license_usage_summary.log]
index = _telemetry

[monitor://$SPLUNK_HOME\var\log\splunk\splunk_instrumentation_cloud.log*]
index = _telemetry
sourcetype = splunk_cloud_telemetry

[monitor://$SPLUNK_HOME\etc\splunk.version]
_TCP_ROUTING = *
index = _internal
sourcetype=splunk_version

[batch://$SPLUNK_HOME\var\run\splunk\search_telemetry\*search_telemetry.json]
move_policy = sinkhole
index = _introspection
sourcetype = search_telemetry
crcSalt = <SOURCE>
log_on_completion = 0

[batch://$SPLUNK_HOME\var\spool\splunk]
move_policy = sinkhole
crcSalt = <SOURCE>

[batch://$SPLUNK_HOME\var\spool\splunk\...stash_new]
queue       = stashparsing
sourcetype  = stash_new
move_policy = sinkhole
crcSalt     = <SOURCE>

[fschange:$SPLUNK_HOME\etc]
#poll every 10 minutes
pollPeriod = 600
#generate audit events into the audit index, instead of fschange events
signedaudit=true
recurse=true
followLinks=false
hashMaxSize=-1
fullEvent=false
sendEventMaxSize=-1
filesPerDelay = 10
delayInMills = 100

[udp]
connection_host=ip

[tcp]
acceptFrom=*
connection_host=dns

[splunktcp]
route=has_key:_replicationBucketUUID:replicationQueue;has_key:_dstrx:typingQueue;has_key:_linebreaker:indexQueue;absent_key:_linebreaker:parsingQueue
acceptFrom=*
connection_host=ip

[script]
interval = 60.0
start_by_shell = false

[SSL]
# SSL settings
# The following provides modern TLS configuration that guarantees forward-
# secrecy and efficiency. This configuration drops support for old Splunk
# versions (Splunk 5.x and earlier).
# To add support for Splunk 5.x set sslVersions to tls and add this to the
# end of cipherSuite:
#     DHE-RSA-AES256-SHA:AES256-SHA:DHE-RSA-AES128-SHA:AES128-SHA
# and this, in case Diffie Hellman is not configured:
#     AES256-SHA:AES128-SHA

sslVersions = tls1.2
cipherSuite = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
ecdhCurves = prime256v1, secp384r1, secp521r1

allowSslRenegotiation = true
sslQuietShutdown = false


[script://$SPLUNK_HOME\bin\scripts\splunk-wmi.path]
disabled = 0
interval = 10000000
source = wmi
sourcetype = wmi
queue = winparsing
persistentQueueSize=200MB

# default single instance modular input restarts

[admon]
interval=60
baseline=0

[MonitorNoHandle]
interval=60

[WinEventLog]
interval=60
evt_resolve_ad_obj = 0
evt_dc_name=
evt_dns_name=

[WinNetMon]
interval=60

[WinPrintMon]
interval=60

[WinRegMon]
interval=60
baseline=0

[perfmon]
interval=300

[powershell]
interval=60

[powershell2]
interval=60


As it's from version 8.0.6 it could be a little bit different from 8.2.1, so you must check the documentation if there is still something weird.

r. Ismo


redsox07928
Path Finder

Thank you. So the OOTB inputs.conf really does not have the basic perfmon stuff I was looking for. Thank you for posting that and putting that to bed.

My search continues!!

richgalloway
SplunkTrust

There's not much to it.

[perfmon]
interval=300
---
If this reply helps you, Karma would be appreciated.
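A starting point for the CPU, memory and disk counters the question asks for, as an added example that is not from any post in this thread and not Splunk's shipped default file. It assumes a Windows universal forwarder, that an index named perfmon already exists on the indexers, and that the file is placed in $SPLUNK_HOME\etc\system\local\inputs.conf or in an app's local directory, never in a default directory:

```ini
# Constructed example: local inputs.conf for basic Windows perfmon collection.
# Object, counter and instance names follow the Windows Performance Monitor names;
# counters are separated by ";" and "_Total" / "*" select the aggregate or all instances.

[perfmon://CPU]
object = Processor
counters = % Processor Time; % User Time; % Privileged Time
instances = _Total
interval = 60
mode = single
index = perfmon
disabled = 0

# The Memory object has no instances, so "instances" is omitted.
[perfmon://Memory]
object = Memory
counters = Available MBytes; % Committed Bytes In Use; Pages/sec
interval = 60
mode = single
index = perfmon
disabled = 0

[perfmon://LogicalDisk]
object = LogicalDisk
counters = % Free Space; Free Megabytes; Avg. Disk Queue Length; % Disk Time
instances = *
interval = 300
mode = single
index = perfmon
disabled = 0
```

After restarting the forwarder, confirm with `splunk btool inputs list perfmon --debug` that the stanzas resolve from the local layer, and search `index=perfmon sourcetype=Perfmon*` to check that events arrive.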

redsox07928
Path Finder

Oh I thought it actually had sample counters.  I was hoping to use it as a jumping off point.  


richgalloway
SplunkTrust

Interesting.  It looks like that file changed recently because my 8.1.2 file has a [perfmon] stanza, but yours doesn't.

---
If this reply helps you, Karma would be appreciated.

redsox07928
Path Finder

Any chance you have a copy?  I inherited this environment and don't have any place to install a universal forwarder.  All the inputs.conf have been "cleaned".


richgalloway
SplunkTrust

You don't need to install the UF to get the file.  Just download the .tgz file from splunk.com and extract the file from it.

Also, one should not change .conf files in default directories.  Any "cleaning" should be done in the local directory.

---
If this reply helps you, Karma would be appreciated.

redsox07928
Path Finder

Maybe I am just clueless, but I could not extract the file.

richgalloway
SplunkTrust

Try this. Replace splunk-8.1.0-8c3d4d4c1386-Linux-x86_64.tgz with the name of your tarball. It will create a splunk/etc/system/default filepath in the current directory, so be careful where you run it.

tar -zxf splunk-8.1.0-8c3d4d4c1386-Linux-x86_64.tgz splunk/etc/system/default/inputs.conf

---
If this reply helps you, Karma would be appreciated.

redsox07928
Path Finder

I am on Windows so I don't even get a tarball, and I don't have admin rights anywhere to even run an install. And I checked out the inputs.conf in the default directory and my predecessors did modify them!!

isoutamo
SplunkTrust

Hi

I'm afraid that without admin rights you can't fix the situation/install the UF on Windows. You need to find someone who can do it, and after that you could use a deployment server to modify the needed configurations to get files and events into Splunk. Here are instructions on how to install the UF on a Windows client. https://docs.splunk.com/Documentation/Forwarder/8.2.1/Forwarder/InstallaWindowsuniversalforwarderfro...

Personally, I prefer to create a separate app/TA for the deployment server configuration rather than give that information within the UF installation. Just a pure UF installation w/o DS parameters, then add this TA/app to connect to the DS and get all needed configurations from the DS rather than updating those locally in the UF.

r. Ismo

richgalloway
SplunkTrust

If you have access to splunk.com then you have access to a tarball.  Download the appropriate version and use 7-zip to extract the file.

---
If this reply helps you, Karma would be appreciated.