Hello!
I need some help filtering Windows registry events in Splunk. Here is my inputs.conf file
[WinRegMon://default]
disabled = 0
hive = .*
proc = .(?!symantec|google)([a-z0-9*]+)$
type = rename|set|delete|create
index = windows
As you can see in proc, I am trying to remove all entries which have the word sDymantec and google, but I have had no success.
Could anyone provide a way they are doing this or a suggestion?
Thank you!
needed to do the same today. this seems to work for me.
proc = ^((?!(reg.exe|powershell_ise.exe)).)*$
I've been working on an issue where I need to be able to filter out a registry entry as well, but this solution doesn't get me there. I need to filter out the languagelist entry, just can't get the regex to work. Anyone else have success filtering reg entries?
I need to filter out this entry.
HKU\.default\software\classes\local settings\muicache\2c4\52c64b7e\languagelist