topic Re: Splunk Windows Registry Monitor not showing any events in Getting Data In

Splunk Windows Registry Monitor not showing any events

Zyon — Mon, 28 Sep 2020 14:41:49 GMT

Hey,

I want to monitor the changes in my Windows Registry. I have did the needed procedures and steps however the index i use for my Windows Registry is always empty whenever i do the following command.

index="Registry"

The steps i did was firstly, to add registry data into Splunk
Home->Add data->Windows Registry->Collect Windows Registry data on this Splunk Server

Next, i clicked on new and filled in the following information:
Collection Name: Registry
Registry Hive: HKEY_LOCAL_MACHINE\?.*
Baseline: Yes
Index: Registry

This is what is in my inputs.conf

[script://$SPLUNK_HOME\bin\scripts\splunk-regmon.path]
disabled = 0
interval = 60
sourcetype = WinRegistry
source = WinRegistry

May i ask if i missed out any steps? And why my Registry Index is empty?
Thanks a lot! (:

Re: Splunk Windows Registry Monitor not showing any events

alanfinlay — Tue, 03 Sep 2013 04:56:53 GMT

Hi Zyon,

Can you check that the splunk-regmon.exe process is running, if not then try restarting splunk? As per this snippet from the docs:

Caution: When the Registry monitor is running, do not stop or kill the splunk-regmon.exe process manually. Doing so can result in system instability. To stop the Registry monitor, stop the splunkd server process from either the Services control panel or the CLI.

Did you check the permissions as per the docs:

Required permissions:
Monitor the Registry * Splunk must run on Windows
AND
* Splunk must run as either the local system user
OR
* Splunk must run as a domain user with read access to the Registry hives or keys that you want to monitor

Re: Splunk Windows Registry Monitor not showing any events

janlovessplunk — Wed, 30 Sep 2020 05:05:56 GMT

Here is a method to monitor registry changes on WIndows 10 Pro on a host that is remote to Splunk.
In this particular case I am interested to get an event when a memory stick is inserter to the host.
1) Install Universal Forwarder on the remote host and configure it to forward events to Splunk

2) Download Splunk Add-on for Microsoft Windows:
https://splunkbase.splunk.com/app/742/#/details

3) Unzip and untar its directory. Move Ad-On directory to the Universal Forwarder on the remote host. In my case to the directory:
C:\Program Files\SplunkUniversalForwarder\etc\apps

4) From: C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\default
copy app.conf and inputs.conf
to C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\local

5) Clear content of \local copies on app.conf and inputs.conf

6) Add in C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\local\inputs.conf
[WinRegMon://hklm_USB]
disabled = 0
hive = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\.*
proc = .*
type = set|create|delete|rename

Restart the Universal Forwarder. Insert a USB to your Windows 10. You should get an event on your Splunk.

I hope this helps.