
How do I create a black list filter for events coming from Splunk's Windows Registry monitor?

Ledio_Ago
Splunk Employee

By default Windows Registry Monitor shipped with Splunk is turned off. If you do turn it on, the default filters shipped with Splunk in %splunk_home%\apps\search\default\regmon-filters.conf are "White List" type filters, capturing pretty much all the events happening in the Windows Registry at any given time.

I'd like to be able to specify a filter that will black list specific events based on the name of the process that created the event and/or the registry key path, and allow the rest of the events to come into Splunk.

How do I do that?

1 Solution

Ledio_Ago
Splunk Employee

Splunk registry monitor in search\default\sysmon.conf has a field:

inclusive = 1/0

It controls the type of filter, black list or white list, that the registry monitor applies to registry events. By default this field is set to 1, which means all filters in regmon-filters.conf form a white list: any event matching one of those filters will make it through to the Splunk index.

To convert the filters to a black list type of filters you'll need to take these steps:

  • Edit apps\search\local\sysmon.conf configuration file to have:

[RegistryMonitor]
inclusive = 0

This flag will tell Splunk Registry Monitor to exclude any events that match any filter specified in regmon-filters.conf.

  • Edit apps\search\local\regmon-filters.conf configuration file to have the filters behave like a black list type of filter. Basically, the filters you specify here will block any matching events that come through. For example, let's block any registry events generated by Splunk processes and svchost on the machine where Splunk Registry Monitor is running:

[default]
type = (?=)

[SplunkDisable]
disabled = 0
proc = \Device\HarddiskVolume2\Program Files\Splunk\.*
hive = (?=)

[SvcHostDisable]
disabled = 0
proc = \Device\HarddiskVolume2\Windows\System32\svchost.*
hive = (?=)

The "type" field is set to match any registry event type (create, set, delete, rename), the "proc" field is set to match the process image path that generated the registry event, the "hive" field is set to match any registry key path.

Cheers,
Ledio
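The following script is an added example, not part of the original answer and not Splunk's own code. It models the semantics the answer describes: a set of regmon-filters.conf stanzas whose type, proc and hive fields are regular expressions, and a sysmon.conf inclusive flag that decides whether a matching event is kept (1, white list) or dropped (0, black list). It assumes that the fields within one stanza are ANDed, that a stanza with disabled = 1 is ignored, that matching is an unanchored regex search, and that `(?=)` (an empty lookahead) matches any value. The backslashes in the constructed conf text are doubled so Python's re module reads them as literal backslashes; the answer writes them singly and does not show how Splunk's own matcher treats them. The registry events are constructed sample data.

```python
import configparser
import re

# Constructed sysmon.conf fragment, mirroring the answer's [RegistryMonitor] stanza.
SYSMON_CONF = """
[RegistryMonitor]
inclusive = 0
"""

# Constructed regmon-filters.conf mirroring the answer's stanzas, plus one
# disabled stanza (StaleStanza, hypothetical) to show that disabled = 1 is honoured.
# Backslashes are doubled for Python's re (assumption; the page writes them singly).
REGMON_FILTERS_CONF = r"""
[default]
type = (?=)

[SplunkDisable]
disabled = 0
proc = \\Device\\HarddiskVolume2\\Program Files\\Splunk\\.*
hive = (?=)

[SvcHostDisable]
disabled = 0
proc = \\Device\\HarddiskVolume2\\Windows\\System32\\svchost.*
hive = (?=)

[StaleStanza]
disabled = 1
proc = .*
hive = (?=)
"""

# Constructed registry events in the shape the filters look at: event type,
# image path of the originating process, and the registry key path.
EVENTS = [
    {"id": "splunkd-write", "type": "set",
     "proc": r"\Device\HarddiskVolume2\Program Files\Splunk\bin\splunkd.exe",
     "hive": r"HKLM\SOFTWARE\Splunk\Splunkd"},
    {"id": "svchost-create", "type": "create",
     "proc": r"\Device\HarddiskVolume2\Windows\System32\svchost.exe",
     "hive": r"HKLM\SYSTEM\CurrentControlSet\Services\BITS"},
    {"id": "regedit-run-key", "type": "set",
     "proc": r"\Device\HarddiskVolume2\Windows\regedit.exe",
     "hive": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"},
]

FIELDS = ("type", "proc", "hive")


def load_inclusive(conf_text):
    """Read the inclusive flag (1 = white list, 0 = black list) from sysmon.conf text."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    return parser.getint("RegistryMonitor", "inclusive")


def load_filters(conf_text):
    """Parse regmon-filters.conf text into {stanza name: {field: compiled regex}}.

    Values from [default] apply to every stanza unless overridden; stanzas with
    disabled = 1 are skipped; a field that is absent everywhere matches anything.
    """
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    defaults = dict(parser["default"]) if parser.has_section("default") else {}
    filters = {}
    for name in parser.sections():
        if name == "default":
            continue
        stanza = {**defaults, **dict(parser[name])}
        if stanza.get("disabled", "0") != "0":
            continue
        filters[name] = {f: re.compile(stanza.get(f, "(?=)")) for f in FIELDS}
    return filters


def stanza_matches(stanza, event):
    """A stanza matches only when every field regex matches its event attribute (assumption)."""
    return all(regex.search(event[field]) for field, regex in stanza.items())


def event_allowed(event, filters, inclusive):
    """Apply the inclusive flag: keep matches for a white list, drop them for a black list."""
    matched = any(stanza_matches(s, event) for s in filters.values())
    return matched if inclusive else not matched


def apply_filters(events, filters, inclusive):
    """Return the ids of the events that would reach the index."""
    return [e["id"] for e in events if event_allowed(e, filters, inclusive)]


if __name__ == "__main__":
    filters = load_filters(REGMON_FILTERS_CONF)
    inclusive = load_inclusive(SYSMON_CONF)
    print("active stanzas:", sorted(filters))
    print("inclusive =", inclusive, "->", apply_filters(EVENTS, filters, inclusive))
    print("inclusive = 1 ->", apply_filters(EVENTS, filters, 1))
```

With inclusive = 0 the Splunk and svchost events are dropped and only the regedit write to the Run key reaches the index, which is the outcome the black list is meant to produce; flipping the same stanzas to inclusive = 1 inverts the result and keeps only the Splunk and svchost noise, which is the behaviour a reader sees when a white list is left at the default. The disabled stanza never takes part either way.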



thall79
Communicator

That's what I figured, but it's not working like I want it to. More details of what I have tried are in this post: http://answers.splunk.com/questions/10687/regmon-filters-not-working I am able to get a baseline for my filters, but it will not monitor changes.

Travis


Ledio_Ago
Splunk Employee
Splunk Employee

Yes, inclusive=1, which means only accept events that match the filter specified.


thall79
Communicator

Question: instead of a black list filter, can the white list filter be set up the same way? I am interested in monitoring certain hives and am having no luck with the white list in regmon-filters. The only thing I have not tried is to set up a black list for everything else I don't want in the registry.
