- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to edit my WinRegMon configuration to filter out certain Windows registry events?
lelandtheg
Engager
07-20-2016
09:53 AM
Hello!
I need some help filtering Windows registry events in Splunk. Here is my inputs.conf file
[WinRegMon://default]
disabled = 0
hive = .*
proc = .(?!symantec|google)([a-z0-9*]+)$
type = rename|set|delete|create
index = windows
As you can see in proc, I am trying to remove all entries which have the word sDymantec and google, but I have had no success.
Could anyone provide a way they are doing this or a suggestion?
Thank you!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
dstaulcu
Builder
02-02-2017
05:36 PM
needed to do the same today. this seems to work for me.
proc = ^((?!(reg.exe|powershell_ise.exe)).)*$
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
mikefg
Communicator
03-15-2024
09:17 AM
I've been working on an issue where I need to be able to filter out a registry entry as well, but this solution doesn't get me there. I need to filter out the languagelist entry, just can't get the regex to work. Anyone else have success filtering reg entries?
I need to filter out this entry.
HKU\.default\software\classes\local settings\muicache\2c4\52c64b7e\languagelist
