

Sample stanzas for Windows

Here are customized sample stanzas for a universal forwarder inputs.conf file.

C:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\local\inputs.conf

You can also add new files to monitor.



; Application event log, read from the oldest record onward into the wineventlog index.
[WinEventLog://Application]
disabled = 0
index = wineventlog
start_from = oldest
current_only = 0
checkpointInterval = 5

; Security event log, read from the oldest record onward into the wineventlog index.
; NOTE(review): the Security channel is typically the highest-volume Windows log;
; confirm that the wineventlog index has the capacity and retention you need.
[WinEventLog://Security]
disabled = 0
index = wineventlog
start_from = oldest
current_only = 0
checkpointInterval = 5

; System event log, read from the oldest record onward into the wineventlog index.
[WinEventLog://System]
disabled = 0
index = wineventlog
start_from = oldest
current_only = 0
checkpointInterval = 5

; ForwardedEvents log (events collected from other hosts via Windows event forwarding,
; if that is configured), same settings as the other event-log stanzas.
[WinEventLog://ForwardedEvents]
disabled = 0
index = wineventlog
start_from = oldest
current_only = 0
checkpointInterval = 5

; Setup event log, same settings as the other event-log stanzas.
[WinEventLog://Setup]
disabled = 0
index = wineventlog
start_from = oldest
current_only = 0
checkpointInterval = 5

; Active Directory monitoring against the nearest domain controller,
; including the whole subtree, written to the msad index.
[admon://NearestDC]
index = msad
monitorSubtree = 1

; Processor counters for the _Total instance, sampled every 10 seconds.
; Counter names are ';'-separated; the '%' characters are literal.
[perfmon://CPU Load]
object = Processor
instances = _Total
counters = % Processor Time;% User Time
interval = 10
index = perfmon

; Free physical memory in bytes, sampled every 10 seconds.
[perfmon://Available Memory]
object = Memory
counters = Available Bytes
interval = 10
index = perfmon

; Free space on logical disks (_Total instance), sampled once an hour (3600 seconds).
[perfmon://Free Disk Space]
object = LogicalDisk
instances = _Total
counters = Free Megabytes;% Free Space
interval = 3600
index = perfmon

; Bytes in/out per second for every network interface instance ('*'), sampled every 10 seconds.
[perfmon://Network Interface]
object = Network Interface
instances = *
counters = Bytes Received/sec;Bytes Sent/sec
interval = 10
index = perfmon

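; Monitors a single CSV file; the Windows path is written with plain backslashes.
; 'disabled' uses the same 0/1 form as every other stanza in this file
; (the original mixed in 'false' here).
[monitor://C:\Log\filelog.csv]
disabled = 0
index = csvmonitor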

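; Domain-controller role logs. Each stanza is separated by a blank line
; (the original ran them together, which makes the boundaries easy to misread).

; DNS Server event log into the dns index.
[WinEventLog://DNS Server]
disabled = 0
index = dns

; Directory Service event log into the msad index.
[WinEventLog://Directory Service]
disabled = 0
index = msad

; File Replication Service event log into the msad index.
[WinEventLog://File Replication Service]
disabled = 0
index = msad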

; Windows network monitoring input named after this host, written to the windows index.
[WinNetMon://splunkdc01]
index = windows
disabled = 0

# Queries computer information every 5 minutes (interval is in seconds).
[WinHostMon://computer]
index = windowshost
type = Computer
interval = 300
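# Queries OS information.
# 'interval' is in seconds, so 300 runs this input every 5 minutes.
# (Setting 'interval' to a negative number would tell Splunk Enterprise to
# run the input once only; this stanza does not do that.)
[WinHostMon://os]
type = operatingSystem
interval = 300
index = windowshost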

# Queries processor information every 5 minutes (interval is in seconds).
[WinHostMon://processor]
index = windowshost
type = processor
interval = 300

# Queries hard disk information every 5 minutes (interval is in seconds).
[WinHostMon://disk]
index = windowshost
type = disk
interval = 300

# Queries network adapter information every 5 minutes (interval is in seconds).
[WinHostMon://network]
index = windowshost
type = networkAdapter
interval = 300

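# Queries service information.
# This example runs the input every 5 minutes (interval is in seconds).
[WinHostMon://service]
type = service
interval = 300
index = windowshost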

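# Queries information on running processes.
# This example runs the input every 5 minutes (interval is in seconds).
# Trailing whitespace after the interval value has been removed so the value
# is exactly "300" regardless of how the parser trims it.
[WinHostMon://process]
type = process
interval = 300
index = windowshost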