
Splunk registry monitor (splunk-regmon) generating too much data continuously

New Member

In our environment (Windows 2012) we see that the WinRegistry sourcetype is generating 4k events per 5 mins. In order to reduce the data, we thought to reduce the frequency of splunk-regmon.exe and made the following changes:

We configured the interval for splunk-regmon.exe to be 3600 in C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf. Even though splunkd.log shows that splunk-regmon is scheduled to run every hour, the process actually runs continuously and generates lots of registry data. We monitored the process from Task Manager and it looks like the splunk-regmon process never ends once it's started.

C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf:
[WinRegMon]
interval = 3600

Please help on fixing this issue. Let me know if any more details are required.

0 Karma

Splunk Employee

In the cases of most modular inputs, interval is not what you think it is. Interval is how often to restart the mod input if it exits, either on purpose or on error/crash.

For the registry monitor -- it runs continuously. There is a driver component and a usermode component. The driver monitors the registry for the key(s)/subkeys requested in the stanza (and by operation). The usermode component pulls that information from the driver.

If you are getting too much data, maybe you are requesting too broad a collection to monitor. The registry is heavily used by everything in a Windows OS.

0 Karma

SplunkTrust

Did you restart the forwarder after submitting the change to inputs.conf?

0 Karma

New Member

Yes, restarted a couple of times. BTW, what is the expected behaviour after making the change I mentioned? Should splunk-regmon be running continuously, or should it exit and run again after an hour?

0 Karma

SplunkTrust

Are you using the Windows TA for pre-configured Windows registry monitoring?

0 Karma

New Member

Yes, we are using the Windows TA app.

0 Karma

SplunkTrust

These are the pre-built registry monitoring configurations within the app (default):

[WinRegMon://default]
disabled = 1
hive = .*
proc = .*
type = rename|set|delete|create
index = windows
[WinRegMon://hkcu_run]
disabled = 1
hive = \\REGISTRY\\USER\\.*\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\.*
proc = .*
type = set|create|delete|rename
index = windows

[WinRegMon://hklm_run]
disabled = 1
hive = \\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\.*
proc = .*
type = set|create|delete|rename
index = windows

I don't see interval there in the inputs.
Here is a suggestion from the docs on how to filter events to reduce the amount of data:
https://docs.splunk.com/Documentation/Splunk/6.5.2/Data/MonitorWindowsregistrydata

Hope it helps.

0 Karma
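As an added example (not from this thread or the Windows TA), the script below parses WinRegMon stanzas like the ones quoted above and applies their hive/proc/type filters to a few constructed registry events, showing how narrowing hive from .* to the Run key regex cuts the event count while interval changes nothing. The matching semantics (anchored regexes for hive and proc, pipe-separated operation list for type, kernel-style \REGISTRY\... paths) are an assumption for illustration, not Splunk's documented implementation.

```python
import configparser
import re

# Constructed inputs.conf: the TA's default and hklm_run stanzas, enabled so
# they match, plus the asker's interval key to show it is not a filter.
INPUTS_CONF = r"""
[WinRegMon://default]
disabled = 0
hive = .*
proc = .*
type = rename|set|delete|create
interval = 3600

[WinRegMon://hklm_run]
disabled = 0
hive = \\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\.*
proc = .*
type = set|create|delete|rename
"""

# Constructed registry events as (process, operation, key path).
SAMPLE_EVENTS = [
    ("svchost.exe", "set",
     r"\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Foo"),
    ("explorer.exe", "set",
     r"\REGISTRY\USER\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Bar"),
    ("updater.exe", "create",
     r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater"),
    # "query" is not in either stanza's type list, so it is never collected.
    ("svchost.exe", "query",
     r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater"),
]

def load_stanzas(text):
    """Parse inputs.conf text into {stanza name: {key: value}}."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return {name: dict(cp[name]) for name in cp.sections()}

def matches(stanza, proc, op, path):
    """Assumed semantics: disabled stanzas match nothing; op must be listed in
    type; hive and proc are regexes matched against the whole string."""
    if stanza.get("disabled", "0") == "1":
        return False
    if op not in stanza["type"].split("|"):
        return False
    return (re.fullmatch(stanza["hive"], path) is not None
            and re.fullmatch(stanza["proc"], proc) is not None)

def count_events(conf_text, events):
    """Return how many of the events each stanza would collect."""
    stanzas = load_stanzas(conf_text)
    return {name: sum(matches(s, *e) for e in events) for name, s in stanzas.items()}
```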

Splunk Employee

If you have a monitor that you do not want to run, you need to add "-1" to the interval:

[WinRegMon]
interval = -1

Within the Windows TA there are several scripts and monitors. You can add interval = -1 to them and it will run once and then it will stop. Then it will run once every time you restart Splunk.

0 Karma