Windows inputs
Splunk can accept data from a variety of Windows sources:
- Windows Event Logs – Splunk can monitor logs generated by the Windows event log service on a local or remote Windows machine.
- Performance monitoring – all performance counters that are available in Performance Monitor are also available to Splunk.
- Remote monitoring over WMI – Splunk can use WMI to access log and performance data on remote machines. WMI (Windows Management Instrumentation) allows management information to be shared between management applications.
- Registry monitoring – Splunk can monitor changes to the local Windows Registry using the Registry monitoring capability. You can also use a universal forwarder to gather Registry data from remote Windows machines.
- Active Directory monitoring – Splunk can audit any modifications to Active Directory, including changes to user, group, machine, and group policy objects.
The most efficient way to gather data from any remote Windows machine is to install universal forwarders on the remote hosts. A universal forwarder is a dedicated, lightweight version of Splunk that contains only the essential components needed to send data.