
Splunk registry monitor (splunk-regmon) generating too much data continuously

caagrawal
New Member

In our environment (Windows 2012) we see that the WinRegistry sourcetype is generating 4k events per 5 mins. In order to reduce the data, we thought we would reduce the frequency of splunk-regmon.exe and made the following changes:

We configured the interval for splunk-regmon.exe to be 3600 in C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf. Even though splunkd.log shows that splunk-regmon is scheduled to run every hour, the process actually runs continuously and generates lots of registry data. We monitored the process from Task Manager and it looks like the splunk-regmon process never ends once it's started.

C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf:
[WinRegMon]
interval = 3600

Please help with fixing this issue. Let me know if any more details are required.

0 Karma

wcolgate_splunk
Splunk Employee

In the case of most modular inputs, interval is not what you think it is. Interval is how often to restart the mod input if it exits, either on purpose or on error/crash.

For the registry monitor -- it runs continuously. There is a driver component and a usermode component. The driver monitors the registry for the key(s)/subkeys requested in the stanza (and by operation). The usermode component pulls that information from the driver.

If you are getting too much data, maybe you are requesting too broad a collection to monitor. The registry is heavily used by everything in a windows OS.

0 Karma

adonio
Ultra Champion

did you restart the forwarder after submitting the change to inputs.conf?

0 Karma

caagrawal
New Member

Yes, restarted a couple of times. BTW, what is the expected behaviour after making the change I mentioned? Should splunk-regmon be running continuously, or should it exit and run again after an hour?

0 Karma

adonio
Ultra Champion

Are you using the Windows TA for pre-configured Windows registry monitoring?

0 Karma

caagrawal
New Member

Yes, we are using the Windows TA app.

0 Karma

adonio
Ultra Champion

These are the pre-built registry monitoring configurations within the app (default):

[WinRegMon://default]
disabled = 1
hive = .*
proc = .*
type = rename|set|delete|create
index = windows

[WinRegMon://hkcu_run]
disabled = 1
hive = \\REGISTRY\\USER\\.*\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\.*
proc = .*
type = set|create|delete|rename
index = windows

[WinRegMon://hklm_run]
disabled = 1
hive = \\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\.*
proc = .*
type = set|create|delete|rename
index = windows

I don't see interval there in the inputs.
Here is a suggestion from the docs on how to filter events to reduce the amount of data:
https://docs.splunk.com/Documentation/Splunk/6.5.2/Data/MonitorWindowsregistrydata

Hope it helps.

0 Karma
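Worked configuration, added here as an example and not taken from the thread or from the Splunk Add-on for Windows: the broad stanza from the TA above, left disabled, beside narrowed stanzas that only watch the autostart (Run/RunOnce) keys. The stanza names hklm_persistence and hkcu_run_narrow, the proc filter, and the choice of keys are illustrative; hive and proc are regular expressions, so backslashes in the kernel-style \REGISTRY\... path are doubled and alternations are grouped. Because interval on a WinRegMon stanza only controls restarts of the continuously running splunk-regmon process, the volume has to come down through hive, proc, type and baseline, not through interval.

```ini
# Added example for etc/system/local/inputs.conf (or the TA's local/inputs.conf).
# Not from the original thread or the Splunk Add-on for Windows; stanza names
# and the key/process choices are illustrative.

# Broad stanza: every hive, every process, every write operation. With the
# registry as busy as it is, this is the scope that produces thousands of
# WinRegistry events per minute. Kept disabled.
[WinRegMon://default]
disabled = 1
hive = .*
proc = .*
type = rename|set|delete|create
index = windows

# Narrow stanza: only the HKLM autostart keys, only write operations.
# baseline = 0 so the input does not emit a full snapshot of the matched
# keys at startup (baseline = 1 is another common source of volume).
[WinRegMon://hklm_persistence]
disabled = 0
hive = \\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\.*
proc = .*
type = set|create|delete|rename
baseline = 0
index = windows

# Per-user Run keys, further limited by proc to writes made by a few
# interactive tools (illustrative list). Everything else under the hive is dropped
# by the driver before it reaches the indexer.
[WinRegMon://hkcu_run_narrow]
disabled = 0
hive = \\REGISTRY\\USER\\.*\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\.*
proc = .*\\(regedit|reg|powershell|cmd)\.exe
type = set|create|delete|rename
baseline = 0
index = windows
```

After restarting the forwarder, a search such as `index=windows sourcetype=WinRegistry | stats count by key_path, process_image` shows which keys and processes still dominate, so the hive and proc expressions can be tightened further if a single noisy writer remains.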

haliakbar_splun
Splunk Employee

If you have a monitor that you do not want to run, you need to add "-1" to the interval:

[WinRegMon]
interval = -1

Within the Windows TA there are several scripts and monitors. You can add interval = -1 to them and they will run once and then stop. Then they will run once every time you restart Splunk.

0 Karma