Getting Data In

How do I create a black list filter for events coming from Splunk's Windows Registry monitor?

Ledio_Ago
Splunk Employee

By default, the Windows Registry Monitor shipped with Splunk is turned off. If you do turn it on, the default filters shipped with Splunk in %splunk_home%\apps\search\default\regmon-filters.conf are "White List" type filters, capturing pretty much all the events happening in the Windows Registry at any given time.

I would like to be able to specify a filter that will Black List specific events based on the process name that created the event and/or the Registry key path, and allow the rest of the events to come into Splunk.

How do I do that?

1 Solution

Ledio_Ago
Splunk Employee

Splunk registry monitor in search\default\sysmon.conf has a field:

inclusive = 1/0

It specifically controls the type of filter, black list or white list, that the registry monitor will apply against the registry events. By default this field is set to 1, which means all filters in regmon-filters.conf are a white list. Any event matching those filters will make it through to the Splunk index.

To convert the filters to a black list type of filters you'll need to take these steps:

  • Edit apps\search\local\sysmon.conf configuration file to have:

[RegistryMonitor]
inclusive = 0

This flag will tell Splunk Registry Monitor to exclude any events that match any filter specified in regmon-filters.conf.

  • Edit the apps\search\local\regmon-filters.conf configuration file so that the filters behave like a black list. Basically, the filters you specify here will block any matching events that come through. For example, let's block any registry events generated by Splunk processes and svchost on the machine where Splunk Registry Monitor is running:

[default]
type = (?=)

[SplunkDisable]
disabled = 0
proc = \Device\HarddiskVolume2\Program Files\Splunk\.*
hive = (?=)

[SvcHostDisable]
disabled = 0
proc = \Device\HarddiskVolume2\Windows\System32\svchost.*
hive = (?=)

The "type" field is set to match any registry event type (create, set, delete, rename); the "proc" field is set to match the process image path that generated the registry event; the "hive" field is set to match any registry key path.

Cheers,
Ledio

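To make the inclusive = 1/0 semantics concrete, here is an added Python model (not Splunk's own code and not part of the original post) that parses stanzas in the shape shown above and applies them as a white list or a black list to a few constructed registry events. The backslashes in the constructed stanzas are doubled because Python's re treats a single backslash as an escape, and the event field values, the [default] handling and the use of regex search are assumptions of this model, not Splunk's actual matching engine or output format.

```python
import configparser
import re

# Constructed regmon-filters.conf in the black-list style described in the answer.
# Backslashes are doubled so Python's re reads them as literal path separators.
REGMON_FILTERS = r"""
[default]
type = (?=)

[SplunkDisable]
disabled = 0
proc = \\Device\\HarddiskVolume2\\Program Files\\Splunk\\.*
hive = (?=)

[SvcHostDisable]
disabled = 0
proc = \\Device\\HarddiskVolume2\\Windows\\System32\\svchost.*
hive = (?=)
"""

# Constructed sample events; field formats are assumptions for this model.
EVENTS = [
    {"proc": r"\Device\HarddiskVolume2\Program Files\Splunk\bin\splunkd.exe",
     "hive": r"\REGISTRY\MACHINE\SOFTWARE\Splunk", "type": "set"},
    {"proc": r"\Device\HarddiskVolume2\Windows\System32\svchost.exe",
     "hive": r"\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Services", "type": "create"},
    {"proc": r"\Device\HarddiskVolume2\Users\alice\Downloads\setup.exe",
     "hive": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "type": "set"},
]

def load_filters(conf_text):
    """Parse stanzas; [default] supplies fallback keys, disabled = 1 stanzas are skipped."""
    cp = configparser.ConfigParser(default_section="default", interpolation=None)
    cp.read_string(conf_text)
    filters = []
    for name in cp.sections():
        s = cp[name]
        if s.get("disabled", "0") == "1":
            continue
        # (?=) is an empty lookahead: it matches any string, i.e. "no constraint".
        filters.append({"name": name,
                        "proc": re.compile(s.get("proc", "(?=)")),
                        "hive": re.compile(s.get("hive", "(?=)")),
                        "type": re.compile(s.get("type", "(?=)"))})
    return filters

def matching_filters(event, filters):
    """Names of filters whose proc, hive and type patterns all match the event."""
    return [f["name"] for f in filters
            if all(f[k].search(event[k]) for k in ("proc", "hive", "type"))]

def passes(event, filters, inclusive):
    """inclusive=1: keep only matching events (white list); inclusive=0: drop them (black list)."""
    matched = bool(matching_filters(event, filters))
    return matched if inclusive else not matched

def indexed_events(events, conf_text, inclusive):
    """Process paths of the events that would reach the index under the given mode."""
    filters = load_filters(conf_text)
    return [e["proc"] for e in events if passes(e, filters, inclusive)]
```

With inclusive = 0 only the setup.exe event survives; with inclusive = 1 only the Splunk and svchost events do, which is exactly the white-list behaviour the question wanted to avoid.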


thall79
Communicator

That's what I figured, but it's not working like I want it to. More details of what I have tried are in this post: http://answers.splunk.com/questions/10687/regmon-filters-not-working I am able to get a baseline for my filters, but it will not monitor changes. Travis

0 Karma

Ledio_Ago
Splunk Employee

Yes, inclusive=1, which means only accept events that match the filter specified.

0 Karma

thall79
Communicator

Question: instead of a black list filter, can the white list filter be set up the same way? I am interested in monitoring certain hives and am having no luck with the white list in regmon-filters. The only thing I have not tried is to set up a black list for everything else I don't want in the registry.

0 Karma