https://community.splunk.com/t5/Monitoring-Splunk/Registry-Monitoring-returning-no-events/m-p/29178#M6816 <P>Hello,</P> <P>I am trying to monitor the registry of remote forwarders. I have the following in my regmon.conf</P> <PRE><CODE>[default] disabled = 0 baseline = 0 #30 days #baseline_interval = 2592000 # Monitor all registry keys under the HKEY_CURRENT_USER Registry hive for # "set," "create," "delete," and "rename" events created by all processes. # Store the events in the "regmon" splunk index [USBSTOR] proc = .* hive = \REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR type = set|create|delete|rename index = default baseline = 0 disabled = 0 [USB] proc = .* hive = \REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Enum\USB type = set|create|delete|rename index = default baseline = 0 disabled = 0 </CODE></PRE> <P>I am trying to monitor when a USB device is plugged in. I am using deployment server to deploy this as an app, I see it show up in deployment-client, &amp; I see the keys showing in the reg input on the forwarder... I then walk to the device, plug in a USB flash drive, watch the registry change, but no events ever show up!</P> <P>Can anyone see anything I am doing wrong?</P> <P>Thanks for your help.</P> <P>Kevin</P> Fri, 09 Nov 2012 16:28:20 GMT kholleran 2012-11-09T16:28:20Z https://community.splunk.com/t5/Monitoring-Splunk/Registry-Monitoring-returning-no-events/m-p/29178#M6816 <P>Hello,</P> <P>I am trying to monitor the registry of remote forwarders. I have the following in my regmon.conf</P> <PRE><CODE>[default] disabled = 0 baseline = 0 #30 days #baseline_interval = 2592000 # Monitor all registry keys under the HKEY_CURRENT_USER Registry hive for # "set," "create," "delete," and "rename" events created by all processes. # Store the events in the "regmon" splunk index [USBSTOR] proc = .* hive = \REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR type = set|create|delete|rename index = default baseline = 0 disabled = 0 [USB] proc = .* hive = \REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Enum\USB type = set|create|delete|rename index = default baseline = 0 disabled = 0 </CODE></PRE> <P>I am trying to monitor when a USB device is plugged in. I am using deployment server to deploy this as an app, I see it show up in deployment-client, &amp; I see the keys showing in the reg input on the forwarder... I then walk to the device, plug in a USB flash drive, watch the registry change, but no events ever show up!</P> <P>Can anyone see anything I am doing wrong?</P> <P>Thanks for your help.</P> <P>Kevin</P> Fri, 09 Nov 2012 16:28:20 GMT https://community.splunk.com/t5/Monitoring-Splunk/Registry-Monitoring-returning-no-events/m-p/29178#M6816 kholleran 2012-11-09T16:28:20Z https://community.splunk.com/t5/Monitoring-Splunk/Registry-Monitoring-returning-no-events/m-p/29179#M6817 <P>I see the following in Splunkd.log:</P> <P>splunk-regmon - WinRegistryMonitor::configure: Failed to get configuration settings: 'Regex: PCRE does not support \L, \l, \N{name}, \U, or \u'</P> Tue, 13 Nov 2012 16:11:21 GMT https://community.splunk.com/t5/Monitoring-Splunk/Registry-Monitoring-returning-no-events/m-p/29179#M6817 kholleran 2012-11-13T16:11:21Z https://community.splunk.com/t5/Monitoring-Splunk/Registry-Monitoring-returning-no-events/m-p/29180#M6818 <P>I am thinking I need to double-slash to escape. Did this &amp; now I have no errors, but made a change in the registry and nothing is coming across....</P> Tue, 13 Nov 2012 16:49:14 GMT https://community.splunk.com/t5/Monitoring-Splunk/Registry-Monitoring-returning-no-events/m-p/29180#M6818 kholleran 2012-11-13T16:49:14Z https://community.splunk.com/t5/Monitoring-Splunk/Registry-Monitoring-returning-no-events/m-p/29181#M6819 <P>Has anyone done anything like this? I want to alert when a new USB device is plugged in.... </P> <P>Thanks.</P> Wed, 14 Nov 2012 16:01:59 GMT https://community.splunk.com/t5/Monitoring-Splunk/Registry-Monitoring-returning-no-events/m-p/29181#M6819 kholleran 2012-11-14T16:01:59Z https://community.splunk.com/t5/Monitoring-Splunk/Registry-Monitoring-returning-no-events/m-p/29182#M6820 <P>Someone help!!!! I need to get this to work by tomorrow morning!!! I cannot understand why this is not working!!!</P> Wed, 14 Nov 2012 21:02:15 GMT https://community.splunk.com/t5/Monitoring-Splunk/Registry-Monitoring-returning-no-events/m-p/29182#M6820 kholleran 2012-11-14T21:02:15Z https://community.splunk.com/t5/Monitoring-Splunk/Registry-Monitoring-returning-no-events/m-p/29183#M6821 <P>AHHHHH!!!! Fixed... the index line was incorrect as that is not the index I want it going to so that was messing it up.</P> Wed, 14 Nov 2012 23:15:35 GMT https://community.splunk.com/t5/Monitoring-Splunk/Registry-Monitoring-returning-no-events/m-p/29183#M6821 kholleran 2012-11-14T23:15:35Z https://community.splunk.com/t5/Monitoring-Splunk/Registry-Monitoring-returning-no-events/m-p/29184#M6822 <P>I realize this post is old, but do you recall what the index line should read or reference to? Thanks in advance for any help.</P> Thu, 06 Nov 2014 16:36:19 GMT https://community.splunk.com/t5/Monitoring-Splunk/Registry-Monitoring-returning-no-events/m-p/29184#M6822 r0otux 2014-11-06T16:36:19Z