Monitor registry - how to configure system hive?

Splunk Employee

For example, how to monitor USB device changes?


Splunk Employee
  1. In the Splunk UI, go to: Manager > Data inputs > Registry monitoring and add a new registry data input.

  2. Open Browse and navigate to the hive path:


    Please note: don't leave the hive as CurrentControlSet, which may not work properly. Make sure to take the next step to edit the path.

  3. Edit this registry hive path to:


  4. For process path, enter: .*

  5. Check Monitor subnodes.

  6. Set baseline=true.

So the final stanza should look like:


baseline = 1

disabled = 0


index = default

proc = C:\.*

type = set|rename|create|delete

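As an added example (not part of the original answer), the following Python lint checks inputs.conf WinRegMon stanzas for the pitfalls the answer describes: a hive path still pointing at CurrentControlSet, missing hive/proc/type keys, type values outside the set used in the answer's stanza, and baseline not enabled. The two sample stanzas and their USBSTOR hive paths are constructed for illustration and are assumptions, not values from the post.

```python
import configparser
import re

# Constructed inputs.conf text (assumption, not from the original post).
# The first stanza repeats the CurrentControlSet pitfall; the second uses an
# assumed concrete control set path and should lint clean.
SAMPLE_INPUTS_CONF = r"""
[WinRegMon://usb-bad]
hive = HKLM\System\CurrentControlSet\Enum\USBSTOR\.*
proc = C:\.*
type = set|rename|create|delete
baseline = 1
disabled = 0

[WinRegMon://usb-good]
hive = HKLM\System\ControlSet001\Enum\USBSTOR\.*
proc = C:\.*
type = set|rename|create|delete
baseline = 1
disabled = 0
index = default
"""

ALLOWED_TYPES = {"set", "rename", "create", "delete"}  # values from the answer's stanza
REQUIRED_KEYS = ("hive", "proc", "type")

def lint_winregmon(conf_text):
    """Return {stanza_name: [finding, ...]} for every WinRegMon:// stanza."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    findings = {}
    for section in cp.sections():
        if not section.startswith("WinRegMon://"):
            continue
        issues = [f"missing required key '{k}'" for k in REQUIRED_KEYS
                  if not cp.has_option(section, k)]
        hive = cp.get(section, "hive", fallback="")
        # The answer warns that a CurrentControlSet hive may not work properly.
        if re.search(r"\\CurrentControlSet\\", hive, re.IGNORECASE):
            issues.append("hive uses CurrentControlSet; edit the path to a concrete ControlSetNNN")
        for t in cp.get(section, "type", fallback="").split("|"):
            if t.strip() and t.strip() not in ALLOWED_TYPES:
                issues.append(f"unknown type '{t.strip()}'")
        if cp.get(section, "baseline", fallback="0").lower() not in ("1", "true"):
            issues.append("baseline not enabled; existing keys are not indexed at start")
        if cp.get(section, "disabled", fallback="0").lower() not in ("0", "false"):
            issues.append("stanza is disabled")
        findings[section] = issues
    return findings

if __name__ == "__main__":
    for stanza, issues in lint_winregmon(SAMPLE_INPUTS_CONF).items():
        print(stanza, "->", issues or "OK")
```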