https://community.splunk.com/t5/Getting-Data-In/Monitoring-Registry-via-universal-forwarder-not-working/m-p/482853#M82726 <P>Hi, </P> <P>I am trying to monitor a registry key from a remote server using a universal forwarder. No matter what i put in my inputs.conf, i just cannot get it to work. This is my inputs.conf:</P> <P>[WinRegMon://Registry]<BR /> disabled = 0<BR /> hive = HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432NODE\SOPHOS\AUTOUPDATE\UPDATESTATUS\.*<BR /> proc = .*<BR /> type = set</P> <P>I can see the following error in my splunkd.log:</P> <P>message from ""Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe" --driver-path "Program Files\SplunkUniversalForwarder\bin"" splunk-regmon - No enabled entries have been found for regmon or procmon in the conf file.</P> <P>I must be missing something simple! Please help!</P> <P>Many thanks,</P> <P>Michael</P> Wed, 30 Sep 2020 02:12:52 GMT evo1988 2020-09-30T02:12:52Z https://community.splunk.com/t5/Getting-Data-In/Monitoring-Registry-via-universal-forwarder-not-working/m-p/482853#M82726 <P>Hi, </P> <P>I am trying to monitor a registry key from a remote server using a universal forwarder. No matter what i put in my inputs.conf, i just cannot get it to work. This is my inputs.conf:</P> <P>[WinRegMon://Registry]<BR /> disabled = 0<BR /> hive = HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432NODE\SOPHOS\AUTOUPDATE\UPDATESTATUS\.*<BR /> proc = .*<BR /> type = set</P> <P>I can see the following error in my splunkd.log:</P> <P>message from ""Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe" --driver-path "Program Files\SplunkUniversalForwarder\bin"" splunk-regmon - No enabled entries have been found for regmon or procmon in the conf file.</P> <P>I must be missing something simple! Please help!</P> <P>Many thanks,</P> <P>Michael</P> Wed, 30 Sep 2020 02:12:52 GMT https://community.splunk.com/t5/Getting-Data-In/Monitoring-Registry-via-universal-forwarder-not-working/m-p/482853#M82726 evo1988 2020-09-30T02:12:52Z https://community.splunk.com/t5/Getting-Data-In/Monitoring-Registry-via-universal-forwarder-not-working/m-p/482854#M82727 <P>From inputs.conf:<BR /> If you configure the inputs with Splunk Web, the value of "" matches<BR /> what was specified there. While you can add event log monitor inputs<BR /> manually, it is best practice to use Splunk Web to configure<BR /> Windows registry monitor inputs because it is easy to mistype the values<BR /> for Registry hives and keys.</P> <P>Have you tried installing Splunk on a box that has sophos installed, and drilling down into that particular registry key as an input and then seeing what it wrote for the actual stanza? </P> <P>Here's what I get using some other random key... maybe it'll help you spot anything wrong with your own.</P> <PRE><CODE>[WinRegMon://MyTest] baseline = 0 disabled = 0 hive = HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Mozilla\\NativeMessagingHosts\\com.webex.meeting index = bugger_all proc = C:\\.* type = set </CODE></PRE> <P>Also please use the code button to paste code so that the special characters don't get eaten by the editor.</P> <P>Lastly, I'd not name the stanza "registry". If you want another key later, ... well, then you either have two stanzas named "registry" and "registry2" (lol) or you'll have one named "registry" and another "typicalSpywareKeys", which ... the "registry" one seems a bit out of place then. <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Thu, 26 Sep 2019 00:50:58 GMT https://community.splunk.com/t5/Getting-Data-In/Monitoring-Registry-via-universal-forwarder-not-working/m-p/482854#M82727 Richfez 2019-09-26T00:50:58Z