https://community.splunk.com/t5/Splunk-Search/Trying-to-monitor-HKLM-SYSTEM-CurrentControlSet-Enum-USBSTOR-but/m-p/98756#M182632 <P>The following set up was used in regmon-filters.conf:</P> <PRE><CODE>[WinRegistry] proc = C:\\.* baseline = 0 disabled = 0 hive = HKLM\\SYSTEM\\CurrentControlSet\\Enum\\USBSTOR\\?.* index = default type = rename|close|set|delete|open|create|query </CODE></PRE> <P>When adding a USB drive, I see nothing being reported on. What is going on?</P> Thu, 24 Jan 2013 17:02:53 GMT bosburn_splunk 2013-01-24T17:02:53Z https://community.splunk.com/t5/Splunk-Search/Trying-to-monitor-HKLM-SYSTEM-CurrentControlSet-Enum-USBSTOR-but/m-p/98756#M182632 <P>The following set up was used in regmon-filters.conf:</P> <PRE><CODE>[WinRegistry] proc = C:\\.* baseline = 0 disabled = 0 hive = HKLM\\SYSTEM\\CurrentControlSet\\Enum\\USBSTOR\\?.* index = default type = rename|close|set|delete|open|create|query </CODE></PRE> <P>When adding a USB drive, I see nothing being reported on. What is going on?</P> Thu, 24 Jan 2013 17:02:53 GMT https://community.splunk.com/t5/Splunk-Search/Trying-to-monitor-HKLM-SYSTEM-CurrentControlSet-Enum-USBSTOR-but/m-p/98756#M182632 bosburn_splunk 2013-01-24T17:02:53Z https://community.splunk.com/t5/Splunk-Search/Trying-to-monitor-HKLM-SYSTEM-CurrentControlSet-Enum-USBSTOR-but/m-p/98757#M182633 <P>This is a known issue - SPL-58682 - with Splunk monitoring the Current Control Set for this section. The work around is to use the following setting for hive:</P> <PRE><CODE>hive = HKEY_LOCAL_MACHINE\\SYSTEM\\*CONTROLSET*\\ENUM\\USBSTOR?.* </CODE></PRE> <P>This will monitor all control sets for changes for that path.</P> <P>Brian</P> Thu, 24 Jan 2013 17:04:57 GMT https://community.splunk.com/t5/Splunk-Search/Trying-to-monitor-HKLM-SYSTEM-CurrentControlSet-Enum-USBSTOR-but/m-p/98757#M182633 bosburn_splunk 2013-01-24T17:04:57Z