
How to edit my WinRegMon configuration to filter out certain Windows registry events?

Engager

Hello!

I need some help filtering Windows registry events in Splunk. Here is my inputs.conf file:

[WinRegMon://default]
disabled = 0
hive = .*
proc = .(?!symantec|google)([a-z0-9*]+)$
type = rename|set|delete|create
index = windows

As you can see in proc, I am trying to remove all entries which have the words symantec and google, but I have had no success.

Could anyone provide a way they are doing this or a suggestion?

Thank you!

Builder

Needed to do the same today. This seems to work for me.

proc = ^((?!(reg.exe|powershell_ise.exe)).)*$
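
Added example, not part of either post: a comparison of the two proc patterns above against constructed process paths, showing why the question's lookahead never excludes anything and what the answer's pattern drops. It assumes Python's re module as a stand-in for Splunk's regex engine and unanchored (search) matching; exclusion_regex and kept are hypothetical helper names.

```python
import re

# Patterns copied from the two posts on this page.
QUESTION_PROC = r".(?!symantec|google)([a-z0-9*]+)$"
ANSWER_PROC = r"^((?!(reg.exe|powershell_ise.exe)).)*$"

# Constructed sample process paths (not taken from any real host).
SAMPLE = [
    r"c:\program files\symantec\ccsvchst.exe",
    r"c:\program files\google\update\googleupdate.exe",
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\system32\reg.exe",
]


def exclusion_regex(names, whole_filename=False):
    """Build a proc-style pattern that matches only paths to be kept.

    Default: drop any path containing one of `names` (same shape as the
    answer's pattern, but with the names escaped so '.' is literal).
    whole_filename=True: drop only when the last path component is exactly
    one of `names`, so look-alike names such as 'myreg.exe' are still kept.
    """
    alts = "|".join(re.escape(n) for n in names)
    if whole_filename:
        return rf"^(?!.*\\(?:{alts})$).*$"
    return rf"^(?:(?!{alts}).)*$"


def kept(pattern, paths):
    """Return the paths the pattern matches, i.e. events that would be collected."""
    rx = re.compile(pattern)
    return [p for p in paths if rx.search(p)]


if __name__ == "__main__":
    # The question's lookahead is checked at one position only, so the
    # trailing 'exe' of every path still matches and nothing is filtered.
    print("question:", kept(QUESTION_PROC, SAMPLE))
    # The answer's lookahead is re-checked before every character.
    print("answer:  ", kept(ANSWER_PROC, SAMPLE))
    print("fixed:   ", kept(exclusion_regex(["symantec", "google"]), SAMPLE))
    # Substring exclusion also drops look-alike names; anchoring avoids that.
    lookalike = [r"c:\windows\system32\reg.exe", r"c:\tools\myreg.exe"]
    print("substring:", kept(ANSWER_PROC, lookalike))
    print("anchored: ", kept(exclusion_regex(["reg.exe"], True), lookalike))
```

Because an exclusion pattern removes events before they are indexed, the anchored form keeps the filter from silently covering processes whose names merely contain an excluded string.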