Windows inputs and props conf, general
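# Copyright (C) 2019 Splunk Inc. All Rights Reserved.
# inputs.conf - Windows collection for a Splunk universal forwarder: event logs,
# Windows Update log, scripted inputs, host/network/registry monitors, perfmon.
# Splunk .conf files accept full-line '#' comments only; text after a value on the
# same line becomes part of the value.
# Every index named in this file (wineventlog, windows, perfmon) must exist on the
# indexer tier, otherwise the indexers discard the events (unless a
# lastChanceIndex is configured).

###### OS Logs ######
# Application channel. renderXml = true emits events as XML; per the inputs.conf
# spec this also changes the emitted source/sourcetype to the XmlWinEventLog form,
# so props.conf stanzas keyed on the classic "WinEventLog:<channel>" source do not
# match these events (confirm against the source field of live events).
[WinEventLog://Application]
disabled = 0
# Appears to be overridden by current_only = 1 below: with current_only = 1 the
# input collects only events written while it is running, so events logged during
# a forwarder outage (reboot, upgrade) are not backfilled (per inputs.conf.spec --
# verify on your Splunk version).
start_from = oldest
current_only = 1
# Seconds between checkpoint writes.
checkpointInterval = 5
renderXml = true
index = wineventlog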
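# Security channel. The blacklists below are evaluated on the forwarder, so the
# excluded events never reach the indexers and cannot be recovered later; review
# them against any detection content that relies on 4662/566/4688/4689.
[WinEventLog://Security]
disabled = 0
# Appears to be overridden by current_only = 1 below: only events written while
# the input is running are collected, so Security events logged during a
# forwarder outage are lost rather than backfilled. For an audit trail that must
# be complete, use current_only = 0 (per inputs.conf.spec -- verify on your version).
start_from = oldest
current_only = 1
# Resolve SIDs/GUIDs in the event text to AD object names. Each resolution is a
# directory lookup, which adds load on busy hosts; set to 0 if latency matters.
evt_resolve_ad_obj = 1
# Seconds between checkpoint writes.
checkpointInterval = 5
# Drop directory-object access audits (4662/566) unless the object is a Group
# Policy container; the negative lookahead keeps GPO access visible.
blacklist1 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:(?!\s*groupPolicyContainer)"
# Drop process create/terminate (4688/4689) for Splunk's own binaries to cut
# self-generated noise. The match is path-based only, so any process launched
# from a matching path under [C-F]:\Program Files\Splunk... is absent from this
# data; keep that directory writable by administrators only and remember the
# gap when investigating.
blacklist3 = EventCode="4688" Message="New Process Name:\s*(?i)(?:[C-F]:\\Program Files\\Splunk(?:UniversalForwarder)?\\bin\\(?:btool|splunkd|splunk|splunk\-(?:MonitorNoHandle|admon|netmon|perfmon|powershell|regmon|winevtlog|winhostinfo|winprintmon|wmi|optimize))\.exe)"
blacklist4 = EventCode="4689" Message="Process Name:\s*(?i)(?:[C-F]:\\Program Files\\Splunk(?:UniversalForwarder)?\\bin\\(?:btool|splunkd|splunk|splunk\-(?:MonitorNoHandle|admon|netmon|perfmon|powershell|regmon|winevtlog|winhostinfo|winprintmon|wmi|optimize))\.exe)"
# Emit XML. Per the inputs.conf spec this switches the emitted source/sourcetype
# to the XmlWinEventLog form; check that props.conf source stanzas still match.
renderXml = true
index = wineventlog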
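# System channel; same collection settings as the Application channel.
[WinEventLog://System]
disabled = 0
# Appears to be overridden by current_only = 1 below: events written while the
# input is not running are not backfilled (per inputs.conf.spec -- verify).
start_from = oldest
current_only = 1
# Seconds between checkpoint writes.
checkpointInterval = 5
# Emit XML; per the inputs.conf spec this also changes the emitted
# source/sourcetype to the XmlWinEventLog form.
renderXml = true
index = wineventlog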
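###### Windows Update Log ######
## The stanza below (enabled here) collects WindowsUpdate.log on Windows 8,
## Windows 8.1, Server 2008R2, Server 2012 and Server 2012R2.
# On Windows 10 / Server 2016 and later the file is no longer written
# continuously (the log is generated on demand from ETW traces), so on those
# versions this monitor is expected to stay idle. $WINDIR is expanded by the
# forwarder.
[monitor://$WINDIR\WindowsUpdate.log]
disabled = 0
sourcetype = WindowsUpdateLog
index = windows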
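###### Scripted Input (See also wmi.conf) ######
# script:// paths are relative to the app directory, so the .bat files must ship
# with the app. They execute under the forwarder service account; restrict write
# access to bin\ so the scripts cannot be swapped out. interval is in seconds.
[script://.\bin\win_listening_ports.bat]
disabled = 0
## Run once per hour
interval = 3600
sourcetype = Script:ListeningPorts
index = windows

[script://.\bin\win_installed_apps.bat]
disabled = 0
## Run once per day
interval = 86400
sourcetype = Script:InstalledApps
index = windows

[script://.\bin\win_timesync_status.bat]
disabled = 0
## Run once per hour
interval = 3600
sourcetype = Script:TimesyncStatus
index = windows

[script://.\bin\win_timesync_configuration.bat]
disabled = 0
## Run once per hour
interval = 3600
sourcetype = Script:TimesyncConfiguration
index = windows

[script://.\bin\netsh_address.bat]
disabled = 0
## Run once per day
interval = 86400
sourcetype = Script:NetworkConfiguration
index = windows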
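###### Host monitoring ######
# One WinHostMon stanza per inventory class; type names the class to poll and
# interval is in seconds (600 = every 10 minutes). The Process and Service
# snapshots are the bulkiest; lengthen their interval first if volume is a concern.
[WinHostMon://Computer]
interval = 600
disabled = 0
type = Computer
index = windows

[WinHostMon://Process]
interval = 600
disabled = 0
type = Process
index = windows

[WinHostMon://Processor]
interval = 600
disabled = 0
type = Processor
index = windows

[WinHostMon://NetworkAdapter]
interval = 600
disabled = 0
type = NetworkAdapter
index = windows

[WinHostMon://Service]
interval = 600
disabled = 0
type = Service
index = windows

[WinHostMon://OperatingSystem]
interval = 600
disabled = 0
type = OperatingSystem
index = windows

[WinHostMon://Disk]
interval = 600
disabled = 0
type = Disk
index = windows

[WinHostMon://Driver]
interval = 600
disabled = 0
type = Driver
index = windows

[WinHostMon://Roles]
interval = 600
disabled = 0
type = Roles
index = windows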
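###### Network monitoring ######
# Only direction is set, so no address, port or protocol filter appears to apply
# and every connection event in each direction is collected. Expect high volume
# on busy hosts; add filters here rather than dropping the input entirely.
[WinNetMon://inbound]
direction = inbound
disabled = 0
index = windows

[WinNetMon://outbound]
direction = outbound
disabled = 0
index = windows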
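###### Splunk 5.0+ Performance Counters ######
# counters is a ';'-separated list of counter names; '%' is literal (Splunk does
# not interpolate). instances = * collects every instance of the object; Memory
# is a single-instance object and sets none. interval is in seconds.
# useEnglishOnly = true requests English counter names regardless of the host
# locale so field names stay stable across hosts. mode = single emits one event
# per counter sample.
## CPU
[perfmon://CPU]
counters = % Processor Time; % User Time; % Privileged Time; Interrupts/sec; % DPC Time; % Interrupt Time; DPCs Queued/sec; DPC Rate; % Idle Time; % C1 Time; % C2 Time; % C3 Time; C1 Transitions/sec; C2 Transitions/sec; C3 Transitions/sec
disabled = 0
instances = *
interval = 10
mode = single
object = Processor
useEnglishOnly = true
index = perfmon

## Logical Disk
[perfmon://LogicalDisk]
counters = % Free Space; Free Megabytes; Current Disk Queue Length; % Disk Time; Avg. Disk Queue Length; % Disk Read Time; Avg. Disk Read Queue Length; % Disk Write Time; Avg. Disk Write Queue Length; Avg. Disk sec/Transfer; Avg. Disk sec/Read; Avg. Disk sec/Write; Disk Transfers/sec; Disk Reads/sec; Disk Writes/sec; Disk Bytes/sec; Disk Read Bytes/sec; Disk Write Bytes/sec; Avg. Disk Bytes/Transfer; Avg. Disk Bytes/Read; Avg. Disk Bytes/Write; % Idle Time; Split IO/Sec
disabled = 0
instances = *
interval = 10
mode = single
object = LogicalDisk
useEnglishOnly = true
index = perfmon

## Physical Disk
[perfmon://PhysicalDisk]
counters = Current Disk Queue Length; % Disk Time; Avg. Disk Queue Length; % Disk Read Time; Avg. Disk Read Queue Length; % Disk Write Time; Avg. Disk Write Queue Length; Avg. Disk sec/Transfer; Avg. Disk sec/Read; Avg. Disk sec/Write; Disk Transfers/sec; Disk Reads/sec; Disk Writes/sec; Disk Bytes/sec; Disk Read Bytes/sec; Disk Write Bytes/sec; Avg. Disk Bytes/Transfer; Avg. Disk Bytes/Read; Avg. Disk Bytes/Write; % Idle Time; Split IO/Sec
disabled = 0
instances = *
interval = 10
mode = single
object = PhysicalDisk
useEnglishOnly = true
index = perfmon

## Memory (single-instance object, so no instances key)
[perfmon://Memory]
counters = Page Faults/sec; Available Bytes; Committed Bytes; Commit Limit; Write Copies/sec; Transition Faults/sec; Cache Faults/sec; Demand Zero Faults/sec; Pages/sec; Pages Input/sec; Page Reads/sec; Pages Output/sec; Pool Paged Bytes; Pool Nonpaged Bytes; Page Writes/sec; Pool Paged Allocs; Pool Nonpaged Allocs; Free System Page Table Entries; Cache Bytes; Cache Bytes Peak; Pool Paged Resident Bytes; System Code Total Bytes; System Code Resident Bytes; System Driver Total Bytes; System Driver Resident Bytes; System Cache Resident Bytes; % Committed Bytes In Use; Available KBytes; Available MBytes; Transition Pages RePurposed/sec; Free & Zero Page List Bytes; Modified Page List Bytes; Standby Cache Reserve Bytes; Standby Cache Normal Priority Bytes; Standby Cache Core Bytes; Long-Term Average Standby Cache Lifetime (s)
disabled = 0
interval = 10
mode = single
object = Memory
useEnglishOnly = true
index = perfmon

## Network
[perfmon://Network]
counters = Bytes Total/sec; Packets/sec; Packets Received/sec; Packets Sent/sec; Current Bandwidth; Bytes Received/sec; Packets Received Unicast/sec; Packets Received Non-Unicast/sec; Packets Received Discarded; Packets Received Errors; Packets Received Unknown; Bytes Sent/sec; Packets Sent Unicast/sec; Packets Sent Non-Unicast/sec; Packets Outbound Discarded; Packets Outbound Errors; Output Queue Length; Offloaded Connections; TCP Active RSC Connections; TCP RSC Coalesced Packets/sec; TCP RSC Exceptions/sec; TCP RSC Average Packet Size
disabled = 0
instances = *
interval = 10
mode = single
object = Network Interface
useEnglishOnly = true
index = perfmon

## Process
# Every process instance sampled every 10 seconds across 28 counters: the
# highest-volume perfmon input in this file. Lengthen interval or trim
# counters here first if perfmon license usage is a concern.
[perfmon://Process]
counters = % Processor Time; % User Time; % Privileged Time; Virtual Bytes Peak; Virtual Bytes; Page Faults/sec; Working Set Peak; Working Set; Page File Bytes Peak; Page File Bytes; Private Bytes; Thread Count; Priority Base; Elapsed Time; ID Process; Creating Process ID; Pool Paged Bytes; Pool Nonpaged Bytes; Handle Count; IO Read Operations/sec; IO Write Operations/sec; IO Data Operations/sec; IO Other Operations/sec; IO Read Bytes/sec; IO Write Bytes/sec; IO Data Bytes/sec; IO Other Bytes/sec; Working Set - Private
disabled = 0
instances = *
interval = 10
mode = single
object = Process
useEnglishOnly = true
index = perfmon

## Processor Information
[perfmon://ProcessorInformation]
counters = % Processor Time; Processor Frequency
disabled = 0
instances = *
interval = 10
mode = single
object = Processor Information
useEnglishOnly = true
index = perfmon

## System
[perfmon://System]
counters = File Read Operations/sec; File Write Operations/sec; File Control Operations/sec; File Read Bytes/sec; File Write Bytes/sec; File Control Bytes/sec; Context Switches/sec; System Calls/sec; File Data Operations/sec; System Up Time; Processor Queue Length; Processes; Threads; Alignment Fixups/sec; Exception Dispatches/sec; Floating Emulations/sec; % Registry Quota In Use
disabled = 0
instances = *
interval = 10
mode = single
object = System
useEnglishOnly = true
index = perfmon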
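###### Registry monitoring ######
# hive and proc are regexes matched against the native registry path
# (\REGISTRY\MACHINE\..., \REGISTRY\USER\...) and the writing process; type is
# a '|'-separated list of operations to report.
# The default stanza matches every hive, process and operation, which is very
# high volume on a busy host. The two Run-key stanzas below are subsets of it,
# so a Run-key change is likely collected once per matching stanza -- verify
# before assuming one event per change. Narrow hive/proc here before disabling
# the Run-key stanzas.
[WinRegMon://default]
disabled = 0
hive = .*
proc = .*
type = rename|set|delete|create
index = windows

# Per-user Run key (any user SID): a common autostart location, so changes are
# worth keeping even if the catch-all stanza above is narrowed.
[WinRegMon://hkcu_run]
disabled = 0
hive = \\REGISTRY\\USER\\.*\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\.*
proc = .*
type = set|create|delete|rename
index = windows

# Machine-wide Run key; same rationale as hkcu_run.
[WinRegMon://hklm_run]
disabled = 0
hive = \\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\.*
proc = .*
type = set|create|delete|rename
index = windows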
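# props.conf - index-time cleanup of Windows event text.
# SEDCMD-* rules rewrite _raw before it is indexed and the original text is not
# retained, so every rule below is lossy for later forensic work.
# These stanzas are keyed on the classic "WinEventLog:<channel>" source. When
# the inputs use renderXml = true the forwarder emits the XmlWinEventLog:<channel>
# source instead, and the XML text does not match these line-oriented patterns,
# so the rules would not apply (confirm against the source field of live events).

[source::WinEventLog:System]
# Drop the explanatory "This event is generated ..." trailer through end of event.
SEDCMD-clean_info_text_from_winsystem_events_this_event = s/This event is generated[\S\s\r\n]+$//g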
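# Security channel cleanup. SEDCMD-* rules rewrite _raw at index time and the
# original text is not retained. The stanza is keyed on the classic
# "WinEventLog:Security" source; with renderXml = true the forwarder emits
# XmlWinEventLog:Security instead and these patterns would not apply (confirm
# against the source field of live events).
[source::WinEventLog:Security]
# Remove the "-" placeholder after empty "Label:" lines.
SEDCMD-windows_security_event_formater = s/(?m)(^\s+[^:]+\:)\s+-?$/\1/g
# Two substitutions in one script: drop "NULL SID" and "0x0" placeholders.
SEDCMD-windows_security_event_formater_null_sid_id = s/(?m)(:)(\s+NULL SID)$/\1/g s/(?m)(ID:)(\s+0x0)$/\1/g
# Remove loopback source addresses (::1, 127.0.0.1). Combined with the rule
# above, a local logon and a logon with no recorded address become identical in
# _raw; keep that in mind when investigating.
SEDCMD-cleansrcip = s/(Source Network Address: (\:\:1|127\.0\.0\.1))/Source Network Address:/
# Remove a zero source port.
SEDCMD-cleansrcport = s/(Source Port:\s*0)/Source Port:/
# Strip the IPv4-mapped IPv6 prefix so addresses read as plain IPv4.
SEDCMD-remove_ffff = s/::ffff://g
# Drop explanatory trailers through end of event.
SEDCMD-clean_info_text_from_winsecurity_events_certificate_information = s/Certificate information is only[\S\s\r\n]+$//g
SEDCMD-clean_info_text_from_winsecurity_events_token_elevation_type = s/Token Elevation Type indicates[\S\s\r\n]+$//g
SEDCMD-clean_info_text_from_winsecurity_events_this_event = s/This event is generated[\S\s\r\n]+$//g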