
Splunk registry monitor (splunk-regmon) generating too much data continuously

caagrawal
New Member

In our environment (Windows 2012) we see that the WinRegistry sourcetype is generating 4k events per 5 mins. In order to reduce the data, we thought to reduce the frequency of splunk-regmon.exe and made the following changes:

We configured the interval for splunk-regmon.exe to be 3600 in C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf. Even though splunkd.log shows that splunk-regmon is scheduled to run every hour, the process actually runs continuously and generates lots of registry data. We monitored the process from Task Manager and it looks like the splunk-regmon process never ends once it is started.

C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf:
[WinRegMon]
interval = 3600

Please help on fixing this issue. Let me know if any more details required.

0 Karma

wcolgate_splunk
Splunk Employee

In the cases of most modular inputs, interval is not what you think it is. Interval is how often to restart the mod input if it exits, either on purpose or on error/crash.

For the registry monitor -- it runs continuously. There is a driver component and a usermode component. The driver monitors the registry for the key(s)/subkeys requested in the stanza (and by operation). The usermode component pulls that information from the driver.

If you are getting too much data, maybe you are requesting too broad a collection to monitor. The registry is heavily used by everything in a windows OS.

0 Karma

adonio
Ultra Champion

did you restart the forwarder after submitting the change to inputs.conf?

0 Karma

caagrawal
New Member

Yes, restarted a couple of times. BTW, what is the expected behaviour after making the change I mentioned? Should splunk-regmon be running continuously, or should it exit and run again after an hour?

0 Karma

adonio
Ultra Champion

are you using the windows TA for pre-configured windows registry monitoring?

0 Karma

caagrawal
New Member

yes, we are using Windows TA app

0 Karma

adonio
Ultra Champion

these are the pre-built registry monitoring configurations within the app (default)

[WinRegMon://default]
disabled = 1
hive = .*
proc = .*
type = rename|set|delete|create
index = windows

[WinRegMon://hkcu_run]
disabled = 1
hive = \\REGISTRY\\USER\\.*\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\.*
proc = .*
type = set|create|delete|rename
index = windows

[WinRegMon://hklm_run]
disabled = 1
hive = \\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\.*
proc = .*
type = set|create|delete|rename
index = windows

I don't see interval there in the inputs.
Here is a suggestion from the docs on how to filter events to reduce the amount of data:
https://docs.splunk.com/Documentation/Splunk/6.5.2/Data/MonitorWindowsregistrydata

hope it helps

0 Karma
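To see how much the filters above cut down the collection before deploying them to a forwarder, the hive/proc/type regexes from the three TA stanzas can be run against a handful of sample registry events. This is an added example, not part of the thread or of the Splunk TA; the sample events are constructed, and it assumes that Splunk applies hive and proc as regexes anchored at the start of the path and type as a plain alternation of operation names.

```python
import re

# hive/proc/type values copied from the Splunk_TA_windows stanzas quoted above.
STANZAS = {
    "default":  {"hive": r".*", "proc": r".*",
                 "type": r"rename|set|delete|create"},
    "hkcu_run": {"hive": r"\\REGISTRY\\USER\\.*\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\.*",
                 "proc": r".*", "type": r"set|create|delete|rename"},
    "hklm_run": {"hive": r"\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\.*",
                 "proc": r".*", "type": r"set|create|delete|rename"},
}

# Constructed sample events: (registry path, process image, operation).
# The last one is a read (query), which none of the stanzas collect.
SAMPLE_EVENTS = [
    (r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
     r"C:\Windows\explorer.exe", "set"),
    (r"\REGISTRY\USER\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Sync",
     r"C:\Users\alice\app.exe", "create"),
    (r"\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{GUID}",
     r"C:\Windows\System32\svchost.exe", "set"),
    (r"\REGISTRY\USER\S-1-5-21-1111-2222-3333-1001\Software\Classes\Local Settings\MuiCache",
     r"C:\Windows\explorer.exe", "set"),
    (r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
     r"C:\Windows\regedit.exe", "query"),
]


def event_matches(stanza, event):
    """Assumed semantics: hive and proc match from the start of the string,
    type must equal one of the listed operations."""
    path, proc, op = event
    return (re.match(stanza["hive"], path) is not None
            and re.match(stanza["proc"], proc) is not None
            and re.fullmatch(stanza["type"], op) is not None)


def count_matches(name, events=SAMPLE_EVENTS):
    """Number of sample events the named stanza would collect."""
    return sum(1 for e in events if event_matches(STANZAS[name], e))


def summarize(events=SAMPLE_EVENTS):
    """Per-stanza event counts, to compare the broad default with the Run-key stanzas."""
    return {name: count_matches(name, events) for name in STANZAS}


if __name__ == "__main__":
    for name, n in summarize().items():
        print(f"{name:9s} collects {n} of {len(SAMPLE_EVENTS)} sample events")
```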

haliakbar_splun
Splunk Employee

If you have a monitor that you do not want to run, you need to add "-1" to the interval:

[WinRegMon]
interval = -1

Within the Windows TA there are several scripts and monitors. You can add interval = -1 to them and each will run once and then stop. It will then run once every time you restart Splunk.

0 Karma