To learn how to use a universal forwarder, see The universal forwarder in the Splunk Universal Forwarder Forwarder Manual.

Enable local Windows performance monitoring

To learn more about WMI security, see Security and remote access considerations in the Monitor data through Windows Management Instrumentation (WMI) topic.

Performance Monitor Users (domain group).

You cannot install Splunk Enterprise as the LocalSystem user, and the user that you choose determines what Performance Monitor objects Splunk Enterprise can read.

After you install Splunk Enterprise with a valid user, you must add that user to the following groups before you enable local performance monitor inputs:

If you want Splunk Enterprise to use WMI to get performance data from remote machines, then you must configure both Splunk Enterprise and your Windows network. The LocalSystem user has access to all data on the local machine, but not to remote computers. If you install forwarders on your remote Windows machines to collect performance data, then you can install the forwarder as the LocalSystem user on those machines. Splunk Enterprise gets data from remote machines with either a forwarder or WMI. Where possible, use a universal forwarder to send performance data from remote machines to the Splunk platform or Splunk Enterprise indexer.

Security and remote access considerations

* The forwarder must run as a domain or remote user with appropriate access to the Performance Data Helper libraries on the target machine.
* The forwarder must run as a domain or remote user with at least read access to WMI on the target machine.

Monitor remote performance metrics on another computer over WMI

Choose the Windows user Splunk Enterprise should run as in the Splunk Enterprise Installation Manual.

* The forwarder must run as the LocalSystem Windows user.

See Install on Windows in the Splunk Enterprise Installation Manual.

* The Splunk platform instance must receive performance data from a forwarder.
You might have additional requirements based on the performance objects or counters that you want to monitor.

For additional information on performance metrics monitoring requirements, see Security and remote access considerations later in this topic. The following table lists the minimum requirements you need to monitor performance counters in Windows.

What you need to monitor performance counters

Properly analyzing that data can mean the difference between a healthy, well-functioning machine, and one that suffers downtime. Windows generates a lot of data about machine health. Performance monitoring is an important part of the Windows administrator toolkit.

* You use the wmi.conf configuration file to get performance data from a remote machine.
* You use the nf configuration file to get local performance data.

The file that you use to configure the input depends on whether you want to get performance data from a local instance or from a remote instance:

The performance monitor input uses two files for configuration. You can configure performance monitoring either with Splunk Web or by using configuration files.

The process runs once for every input you define, at the interval you specify in the input. On Splunk Enterprise and the universal forwarder, the performance monitor input runs as a process called splunk-perfmon.exe.

Remote performance monitoring is available through Windows Management Instrumentation (WMI) and requires that the Splunk platform instance on the Windows machine runs as a user with appropriate Active Directory credentials. Both full instances of Splunk Enterprise and universal forwarders can collect local performance metrics. To get Windows performance monitor data in, you must run either a Splunk Enterprise heavy forwarder or universal forwarder on the Windows machine from which you want to collect the performance metrics, and then forward that data to the Splunk platform instance.
For information on performance monitoring, search the Microsoft documentation website for "Performance Counters". Both Microsoft and third-party vendors provide libraries that contain performance counters. The types of performance objects, counters, and instances that are available to the platform depend on the performance libraries that are on the machine. The Splunk platform uses the Windows Performance Data Helper (PDH) API for performance counter queries on local Windows machines. The performance monitoring input gives you access to the Performance Monitor in a web interface. Supports the monitoring of all Windows performance counters in real time, which includes support for both local and remote collection of performance data.