akilbekov/input.conf

## input.conf
# Copyright (C) 2019 Splunk Inc. All Rights Reserved.

###### OS Logs ######
[WinEventLog://Application]
disabled = 0
start_from = oldest
current_only = 1
checkpointInterval = 5
renderXml=true
index = wineventlog

[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 1
evt_resolve_ad_obj = 1
checkpointInterval = 5
blacklist1 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:(?!\s*groupPolicyContainer)"
blacklist3 = EventCode="4688" Message="New Process Name:\s*(?i)(?:[C-F]:\\Program Files\\Splunk(?:UniversalForwarder)?\\bin\\(?:btool|splunkd|splunk|splunk\-(?:MonitorNoHandle|admon|netmon|perfmon|powershell|regmon|winevtlog|winhostinfo|winprintmon|wmi|optimize))\.exe)"
blacklist4 = EventCode="4689" Message="Process Name:\s*(?i)(?:[C-F]:\\Program Files\\Splunk(?:UniversalForwarder)?\\bin\\(?:btool|splunkd|splunk|splunk\-(?:MonitorNoHandle|admon|netmon|perfmon|powershell|regmon|winevtlog|winhostinfo|winprintmon|wmi|optimize))\.exe)"
renderXml=true
index = wineventlog

[WinEventLog://System]
disabled = 0
start_from = oldest
current_only = 1
checkpointInterval = 5
renderXml=true
index = wineventlog

###### Windows Update Log ######
## Enable below stanza to get WindowsUpdate.log for Windows 8, Windows 8.1, Server 2008R2, Server 2012 and Server 2012R2
[monitor://$WINDIR\WindowsUpdate.log]
disabled = 0
sourcetype = WindowsUpdateLog
index = windows

###### Scripted Input (See also wmi.conf)
[script://.\bin\win_listening_ports.bat]
disabled = 0
## Run once per hour
interval = 3600
sourcetype = Script:ListeningPorts
index = windows

[script://.\bin\win_installed_apps.bat]
disabled = 0
## Run once per day
interval = 86400
sourcetype = Script:InstalledApps
index = windows

[script://.\bin\win_timesync_status.bat]
disabled = 0
## Run once per hour
interval = 3600
sourcetype = Script:TimesyncStatus
index = windows

[script://.\bin\win_timesync_configuration.bat]
disabled = 0
## Run once per hour
interval = 3600
sourcetype = Script:TimesyncConfiguration
index = windows

[script://.\bin\netsh_address.bat]
disabled = 0
## Run once per day
interval = 86400
sourcetype = Script:NetworkConfiguration
index = windows

###### Host monitoring ######
[WinHostMon://Computer]
interval = 600
disabled = 0
type = Computer
index = windows

[WinHostMon://Process]
interval = 600
disabled = 0
type = Process
index = windows

[WinHostMon://Processor]
interval = 600
disabled = 0
type = Processor
index = windows

[WinHostMon://NetworkAdapter]
interval = 600
disabled = 0
type = NetworkAdapter
index = windows

[WinHostMon://Service]
interval = 600
disabled = 0
type = Service
index = windows

[WinHostMon://OperatingSystem]
interval = 600
disabled = 0
type = OperatingSystem
index = windows

[WinHostMon://Disk]
interval = 600
disabled = 0
type = Disk
index = windows

[WinHostMon://Driver]
interval = 600
disabled = 0
type = Driver
index = windows

[WinHostMon://Roles]
interval = 600
disabled = 0
type = Roles
index = windows

###### Network monitoring ######
[WinNetMon://inbound]
direction = inbound
disabled = 0
index = windows

[WinNetMon://outbound]
direction = outbound
disabled = 0
index = windows

###### Splunk 5.0+ Performance Counters ######
## CPU
[perfmon://CPU]
counters = % Processor Time; % User Time; % Privileged Time; Interrupts/sec; % DPC Time; % Interrupt Time; DPCs Queued/sec; DPC Rate; % Idle Time; % C1 Time; % C2 Time; % C3 Time; C1 Transitions/sec; C2 Transitions/sec; C3 Transitions/sec
disabled = 0
instances = *
interval = 10
mode = single
object = Processor
useEnglishOnly=true
index = perfmon

## Logical Disk
[perfmon://LogicalDisk]
counters = % Free Space; Free Megabytes; Current Disk Queue Length; % Disk Time; Avg. Disk Queue Length; % Disk Read Time; Avg. Disk Read Queue Length; % Disk Write Time; Avg. Disk Write Queue Length; Avg. Disk sec/Transfer; Avg. Disk sec/Read; Avg. Disk sec/Write; Disk Transfers/sec; Disk Reads/sec; Disk Writes/sec; Disk Bytes/sec; Disk Read Bytes/sec; Disk Write Bytes/sec; Avg. Disk Bytes/Transfer; Avg. Disk Bytes/Read; Avg. Disk Bytes/Write; % Idle Time; Split IO/Sec
disabled = 0
instances = *
interval = 10
mode = single
object = LogicalDisk
useEnglishOnly=true
index = perfmon

## Physical Disk
[perfmon://PhysicalDisk]
counters = Current Disk Queue Length; % Disk Time; Avg. Disk Queue Length; % Disk Read Time; Avg. Disk Read Queue Length; % Disk Write Time; Avg. Disk Write Queue Length; Avg. Disk sec/Transfer; Avg. Disk sec/Read; Avg. Disk sec/Write; Disk Transfers/sec; Disk Reads/sec; Disk Writes/sec; Disk Bytes/sec; Disk Read Bytes/sec; Disk Write Bytes/sec; Avg. Disk Bytes/Transfer; Avg. Disk Bytes/Read; Avg. Disk Bytes/Write; % Idle Time; Split IO/Sec
disabled = 0
instances = *
interval = 10
mode = single
object = PhysicalDisk
useEnglishOnly=true
index = perfmon

## Memory
[perfmon://Memory]
counters = Page Faults/sec; Available Bytes; Committed Bytes; Commit Limit; Write Copies/sec; Transition Faults/sec; Cache Faults/sec; Demand Zero Faults/sec; Pages/sec; Pages Input/sec; Page Reads/sec; Pages Output/sec; Pool Paged Bytes; Pool Nonpaged Bytes; Page Writes/sec; Pool Paged Allocs; Pool Nonpaged Allocs; Free System Page Table Entries; Cache Bytes; Cache Bytes Peak; Pool Paged Resident Bytes; System Code Total Bytes; System Code Resident Bytes; System Driver Total Bytes; System Driver Resident Bytes; System Cache Resident Bytes; % Committed Bytes In Use; Available KBytes; Available MBytes; Transition Pages RePurposed/sec; Free & Zero Page List Bytes; Modified Page List Bytes; Standby Cache Reserve Bytes; Standby Cache Normal Priority Bytes; Standby Cache Core Bytes; Long-Term Average Standby Cache Lifetime (s)
disabled = 0
interval = 10
mode = single
object = Memory
useEnglishOnly=true
index = perfmon

## Network
[perfmon://Network]
counters = Bytes Total/sec; Packets/sec; Packets Received/sec; Packets Sent/sec; Current Bandwidth; Bytes Received/sec; Packets Received Unicast/sec; Packets Received Non-Unicast/sec; Packets Received Discarded; Packets Received Errors; Packets Received Unknown; Bytes Sent/sec; Packets Sent Unicast/sec; Packets Sent Non-Unicast/sec; Packets Outbound Discarded; Packets Outbound Errors; Output Queue Length; Offloaded Connections; TCP Active RSC Connections; TCP RSC Coalesced Packets/sec; TCP RSC Exceptions/sec; TCP RSC Average Packet Size
disabled = 0
instances = *
interval = 10
mode = single
object = Network Interface
useEnglishOnly=true
index = perfmon

## Process
[perfmon://Process]
counters = % Processor Time; % User Time; % Privileged Time; Virtual Bytes Peak; Virtual Bytes; Page Faults/sec; Working Set Peak; Working Set; Page File Bytes Peak; Page File Bytes; Private Bytes; Thread Count; Priority Base; Elapsed Time; ID Process; Creating Process ID; Pool Paged Bytes; Pool Nonpaged Bytes; Handle Count; IO Read Operations/sec; IO Write Operations/sec; IO Data Operations/sec; IO Other Operations/sec; IO Read Bytes/sec; IO Write Bytes/sec; IO Data Bytes/sec; IO Other Bytes/sec; Working Set - Private
disabled = 0
instances = *
interval = 10
mode = single
object = Process
useEnglishOnly=true
index = perfmon

## ProcessInformation
[perfmon://ProcessorInformation]
counters = % Processor Time; Processor Frequency
disabled = 0
instances = *
interval = 10
mode = single
object = Processor Information
useEnglishOnly=true
index = perfmon

## System
[perfmon://System]
counters = File Read Operations/sec; File Write Operations/sec; File Control Operations/sec; File Read Bytes/sec; File Write Bytes/sec; File Control Bytes/sec; Context Switches/sec; System Calls/sec; File Data Operations/sec; System Up Time; Processor Queue Length; Processes; Threads; Alignment Fixups/sec; Exception Dispatches/sec; Floating Emulations/sec; % Registry Quota In Use
disabled = 0
instances = *
interval = 10
mode = single
object = System
useEnglishOnly=true
index = perfmon

[WinRegMon://default]
disabled = 0
hive = .*
proc = .*
type = rename|set|delete|create
index = windows

[WinRegMon://hkcu_run]
disabled = 0
hive = \\REGISTRY\\USER\\.*\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\.*
proc = .*
type = set|create|delete|rename
index = windows

[WinRegMon://hklm_run]
disabled = 0
hive = \\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\.*
proc = .*
type = set|create|delete|rename
index = windows

## props.conf
[source::WinEventLog:System]
SEDCMD-clean_info_text_from_winsystem_events_this_event = s/This event is generated[\S\s\r\n]+$//g

[source::WinEventLog:Security]
SEDCMD-windows_security_event_formater = s/(?m)(^\s+[^:]+\:)\s+-?$/\1/g
SEDCMD-windows_security_event_formater_null_sid_id = s/(?m)(:)(\s+NULL SID)$/\1/g s/(?m)(ID:)(\s+0x0)$/\1/g
SEDCMD-cleansrcip = s/(Source Network Address:    (\:\:1|127\.0\.0\.1))/Source Network Address:/
SEDCMD-cleansrcport = s/(Source Port:\s*0)/Source Port:/
SEDCMD-remove_ffff = s/::ffff://g
SEDCMD-clean_info_text_from_winsecurity_events_certificate_information = s/Certificate information is only[\S\s\r\n]+$//g
SEDCMD-clean_info_text_from_winsecurity_events_token_elevation_type = s/Token Elevation Type indicates[\S\s\r\n]+$//g
SEDCMD-clean_info_text_from_winsecurity_events_this_event = s/This event is generated[\S\s\r\n]+$//g
	# Copyright (C) 2019 Splunk Inc. All Rights Reserved.

	###### OS Logs ######
	[WinEventLog://Application]
	disabled = 0
	start_from = oldest
	current_only = 1
	checkpointInterval = 5
	renderXml=true
	index = wineventlog

	[WinEventLog://Security]
	disabled = 0
	start_from = oldest
	current_only = 1
	evt_resolve_ad_obj = 1
	checkpointInterval = 5
	blacklist1 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)"
	blacklist2 = EventCode="566" Message="Object Type:(?!\s*groupPolicyContainer)"
	blacklist3 = EventCode="4688" Message="New Process Name:\s*(?i)(?:[C-F]:\\Program Files\\Splunk(?:UniversalForwarder)?\\bin\\(?:btool\|splunkd\|splunk\|splunk\-(?:MonitorNoHandle\|admon\|netmon\|perfmon\|powershell\|regmon\|winevtlog\|winhostinfo\|winprintmon\|wmi\|optimize))\.exe)"
	blacklist4 = EventCode="4689" Message="Process Name:\s*(?i)(?:[C-F]:\\Program Files\\Splunk(?:UniversalForwarder)?\\bin\\(?:btool\|splunkd\|splunk\|splunk\-(?:MonitorNoHandle\|admon\|netmon\|perfmon\|powershell\|regmon\|winevtlog\|winhostinfo\|winprintmon\|wmi\|optimize))\.exe)"
	renderXml=true
	index = wineventlog

	[WinEventLog://System]
	disabled = 0
	start_from = oldest
	current_only = 1
	checkpointInterval = 5
	renderXml=true
	index = wineventlog

	###### Windows Update Log ######
	## Enable below stanza to get WindowsUpdate.log for Windows 8, Windows 8.1, Server 2008R2, Server 2012 and Server 2012R2
	[monitor://$WINDIR\WindowsUpdate.log]
	disabled = 0
	sourcetype = WindowsUpdateLog
	index = windows

	###### Scripted Input (See also wmi.conf)
	[script://.\bin\win_listening_ports.bat]
	disabled = 0
	## Run once per hour
	interval = 3600
	sourcetype = Script:ListeningPorts
	index = windows

	[script://.\bin\win_installed_apps.bat]
	disabled = 0
	## Run once per day
	interval = 86400
	sourcetype = Script:InstalledApps
	index = windows

	[script://.\bin\win_timesync_status.bat]
	disabled = 0
	## Run once per hour
	interval = 3600
	sourcetype = Script:TimesyncStatus
	index = windows

	[script://.\bin\win_timesync_configuration.bat]
	disabled = 0
	## Run once per hour
	interval = 3600
	sourcetype = Script:TimesyncConfiguration
	index = windows

	[script://.\bin\netsh_address.bat]
	disabled = 0
	## Run once per day
	interval = 86400
	sourcetype = Script:NetworkConfiguration
	index = windows

	###### Host monitoring ######
	[WinHostMon://Computer]
	interval = 600
	disabled = 0
	type = Computer
	index = windows

	[WinHostMon://Process]
	interval = 600
	disabled = 0
	type = Process
	index = windows

	[WinHostMon://Processor]
	interval = 600
	disabled = 0
	type = Processor
	index = windows

	[WinHostMon://NetworkAdapter]
	interval = 600
	disabled = 0
	type = NetworkAdapter
	index = windows

	[WinHostMon://Service]
	interval = 600
	disabled = 0
	type = Service
	index = windows

	[WinHostMon://OperatingSystem]
	interval = 600
	disabled = 0
	type = OperatingSystem
	index = windows

	[WinHostMon://Disk]
	interval = 600
	disabled = 0
	type = Disk
	index = windows

	[WinHostMon://Driver]
	interval = 600
	disabled = 0
	type = Driver
	index = windows

	[WinHostMon://Roles]
	interval = 600
	disabled = 0
	type = Roles
	index = windows

	###### Network monitoring ######
	[WinNetMon://inbound]
	direction = inbound
	disabled = 0
	index = windows

	[WinNetMon://outbound]
	direction = outbound
	disabled = 0
	index = windows

	###### Splunk 5.0+ Performance Counters ######
	## CPU
	[perfmon://CPU]
	counters = % Processor Time; % User Time; % Privileged Time; Interrupts/sec; % DPC Time; % Interrupt Time; DPCs Queued/sec; DPC Rate; % Idle Time; % C1 Time; % C2 Time; % C3 Time; C1 Transitions/sec; C2 Transitions/sec; C3 Transitions/sec
	disabled = 0
	instances = *
	interval = 10
	mode = single
	object = Processor
	useEnglishOnly=true
	index = perfmon

	## Logical Disk
	[perfmon://LogicalDisk]
	counters = % Free Space; Free Megabytes; Current Disk Queue Length; % Disk Time; Avg. Disk Queue Length; % Disk Read Time; Avg. Disk Read Queue Length; % Disk Write Time; Avg. Disk Write Queue Length; Avg. Disk sec/Transfer; Avg. Disk sec/Read; Avg. Disk sec/Write; Disk Transfers/sec; Disk Reads/sec; Disk Writes/sec; Disk Bytes/sec; Disk Read Bytes/sec; Disk Write Bytes/sec; Avg. Disk Bytes/Transfer; Avg. Disk Bytes/Read; Avg. Disk Bytes/Write; % Idle Time; Split IO/Sec
	disabled = 0
	instances = *
	interval = 10
	mode = single
	object = LogicalDisk
	useEnglishOnly=true
	index = perfmon

	## Physical Disk
	[perfmon://PhysicalDisk]
	counters = Current Disk Queue Length; % Disk Time; Avg. Disk Queue Length; % Disk Read Time; Avg. Disk Read Queue Length; % Disk Write Time; Avg. Disk Write Queue Length; Avg. Disk sec/Transfer; Avg. Disk sec/Read; Avg. Disk sec/Write; Disk Transfers/sec; Disk Reads/sec; Disk Writes/sec; Disk Bytes/sec; Disk Read Bytes/sec; Disk Write Bytes/sec; Avg. Disk Bytes/Transfer; Avg. Disk Bytes/Read; Avg. Disk Bytes/Write; % Idle Time; Split IO/Sec
	disabled = 0
	instances = *
	interval = 10
	mode = single
	object = PhysicalDisk
	useEnglishOnly=true
	index = perfmon

	## Memory
	[perfmon://Memory]
	counters = Page Faults/sec; Available Bytes; Committed Bytes; Commit Limit; Write Copies/sec; Transition Faults/sec; Cache Faults/sec; Demand Zero Faults/sec; Pages/sec; Pages Input/sec; Page Reads/sec; Pages Output/sec; Pool Paged Bytes; Pool Nonpaged Bytes; Page Writes/sec; Pool Paged Allocs; Pool Nonpaged Allocs; Free System Page Table Entries; Cache Bytes; Cache Bytes Peak; Pool Paged Resident Bytes; System Code Total Bytes; System Code Resident Bytes; System Driver Total Bytes; System Driver Resident Bytes; System Cache Resident Bytes; % Committed Bytes In Use; Available KBytes; Available MBytes; Transition Pages RePurposed/sec; Free & Zero Page List Bytes; Modified Page List Bytes; Standby Cache Reserve Bytes; Standby Cache Normal Priority Bytes; Standby Cache Core Bytes; Long-Term Average Standby Cache Lifetime (s)
	disabled = 0
	interval = 10
	mode = single
	object = Memory
	useEnglishOnly=true
	index = perfmon

	## Network
	[perfmon://Network]
	counters = Bytes Total/sec; Packets/sec; Packets Received/sec; Packets Sent/sec; Current Bandwidth; Bytes Received/sec; Packets Received Unicast/sec; Packets Received Non-Unicast/sec; Packets Received Discarded; Packets Received Errors; Packets Received Unknown; Bytes Sent/sec; Packets Sent Unicast/sec; Packets Sent Non-Unicast/sec; Packets Outbound Discarded; Packets Outbound Errors; Output Queue Length; Offloaded Connections; TCP Active RSC Connections; TCP RSC Coalesced Packets/sec; TCP RSC Exceptions/sec; TCP RSC Average Packet Size
	disabled = 0
	instances = *
	interval = 10
	mode = single
	object = Network Interface
	useEnglishOnly=true
	index = perfmon

	## Process
	[perfmon://Process]
	counters = % Processor Time; % User Time; % Privileged Time; Virtual Bytes Peak; Virtual Bytes; Page Faults/sec; Working Set Peak; Working Set; Page File Bytes Peak; Page File Bytes; Private Bytes; Thread Count; Priority Base; Elapsed Time; ID Process; Creating Process ID; Pool Paged Bytes; Pool Nonpaged Bytes; Handle Count; IO Read Operations/sec; IO Write Operations/sec; IO Data Operations/sec; IO Other Operations/sec; IO Read Bytes/sec; IO Write Bytes/sec; IO Data Bytes/sec; IO Other Bytes/sec; Working Set - Private
	disabled = 0
	instances = *
	interval = 10
	mode = single
	object = Process
	useEnglishOnly=true
	index = perfmon

	## ProcessInformation
	[perfmon://ProcessorInformation]
	counters = % Processor Time; Processor Frequency
	disabled = 0
	instances = *
	interval = 10
	mode = single
	object = Processor Information
	useEnglishOnly=true
	index = perfmon

	## System
	[perfmon://System]
	counters = File Read Operations/sec; File Write Operations/sec; File Control Operations/sec; File Read Bytes/sec; File Write Bytes/sec; File Control Bytes/sec; Context Switches/sec; System Calls/sec; File Data Operations/sec; System Up Time; Processor Queue Length; Processes; Threads; Alignment Fixups/sec; Exception Dispatches/sec; Floating Emulations/sec; % Registry Quota In Use
	disabled = 0
	instances = *
	interval = 10
	mode = single
	object = System
	useEnglishOnly=true
	index = perfmon

	[WinRegMon://default]
	disabled = 0
	hive = .*
	proc = .*
	type = rename\|set\|delete\|create
	index = windows

	[WinRegMon://hkcu_run]
	disabled = 0
	hive = \\REGISTRY\\USER\\.\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\.
	proc = .*
	type = set\|create\|delete\|rename
	index = windows

	[WinRegMon://hklm_run]
	disabled = 0
	hive = \\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\.*
	proc = .*
	type = set\|create\|delete\|rename
	index = windows
	[source::WinEventLog:System]
	SEDCMD-clean_info_text_from_winsystem_events_this_event = s/This event is generated[\S\s\r\n]+$//g

	[source::WinEventLog:Security]
	SEDCMD-windows_security_event_formater = s/(?m)(^\s+[^:]+\:)\s+-?$/\1/g
	SEDCMD-windows_security_event_formater_null_sid_id = s/(?m)(:)(\s+NULL SID)$/\1/g s/(?m)(ID:)(\s+0x0)$/\1/g
	SEDCMD-cleansrcip = s/(Source Network Address: (\:\:1\|127\.0\.0\.1))/Source Network Address:/
	SEDCMD-cleansrcport = s/(Source Port:\s*0)/Source Port:/
	SEDCMD-remove_ffff = s/::ffff://g
	SEDCMD-clean_info_text_from_winsecurity_events_certificate_information = s/Certificate information is only[\S\s\r\n]+$//g
	SEDCMD-clean_info_text_from_winsecurity_events_token_elevation_type = s/Token Elevation Type indicates[\S\s\r\n]+$//g
	SEDCMD-clean_info_text_from_winsecurity_events_this_event = s/This event is generated[\S\s\r\n]+$//g