Getting Data In

How to edit my WinRegMon configuration to filter out certain Windows registry events?

lelandtheg
Engager

Hello!

I need some help filtering Windows registry events in Splunk. Here is my inputs.conf file

[WinRegMon://default]
disabled = 0
hive = .*
proc = .(?!symantec|google)([a-z0-9*]+)$
type = rename|set|delete|create
index = windows

As you can see in proc, I am trying to remove all entries which have the word sDymantec and google, but I have had no success.

Could anyone provide a way they are doing this or a suggestion?

Thank you!

dstaulcu
Builder

needed to do the same today. this seems to work for me.

proc = ^((?!(reg.exe|powershell_ise.exe)).)*$

mikefg
Communicator

I've been working on an issue where I need to be able to filter out a registry entry as well, but this solution doesn't get me there.   I need to filter out the languagelist entry, just can't get the regex to work. Anyone else have success filtering reg entries?

I need to filter out this entry.

HKU\.default\software\classes\local settings\muicache\2c4\52c64b7e\languagelist
0 Karma
Get Updates on the Splunk Community!

Out of the Box to Up And Running - Streamlined Observability for Your Cloud ...

  Tech Talk Streamlined Observability for Your Cloud Environment Register    Out of the Box to Up And Running ...

Splunk Smartness with Brandon Sternfield | Episode 3

Hello and welcome to another episode of "Splunk Smartness," the interview series where we explore the power of ...

Monitoring Postgres with OpenTelemetry

Behind every business-critical application, you’ll find databases. These behind-the-scenes stores power ...