Monitor Registry and Forward Data

gallantalex
Path Finder

For the past two days I have been working on modifying a Splunk forwarder configuration to monitor certain registry keys. After playing around with the sysmon.conf, regmon-filters.conf, and inputs.conf files, I have finally created something that works to a certain degree.

When I make changes to a registry key value located in the hive targeted by the regmon-filters.conf file, Splunk forwards that change to the receiver server. My problem is that I want Splunk to index the registries in the specified hive without the registries having to be modified. I need Splunk to index a certain registry each interval even if the registry value has not changed.

Currently my regmon-filters.conf looks something like this:

    [Test Registries Monitor]
    proc = .*
    hive = \\REGISTRY\\USER\\\.DEFAULT\\Console\\.*
    type = set|create|delete|rename|query
    baseline = 0

I believe I have used all the available 'type' values, and all of them require some kind of modification of the registry. I haven't seen anything in the documentation, but can I remove type and just have this registry monitored every interval no matter what?

Also, when I set the baseline to true, Splunk indexes all registries in the \REGISTRY\USER\.* hive and not the targeted location. But when I modify a registry, it only indexes keys that are in the entire target location. Why is that?

I really hope someone could help me out with this. This entire process has been really frustrating. Thanks.


southeringtonp
Motivator

As you have seen, baselining will re-scan the entire hive, and only runs once unless Splunk has been offline for some period of time (by default, 1 day). Regular registry monitoring only looks for changes.

Consider one of the following:

  • Use WMI to query the key(s) you are interested in (WMI Examples).
  • Create a scripted input that queries the registry and outputs the results.
  • Create a scheduled task in Windows to dump the registry keys to a .reg file on a schedule, and have Splunk index that file.
  • Use a scheduled search in Splunk to populate a lookup table with the current registry state (not recommended).

    gallantalex
    Path Finder

    Thanks for your advice. I am able to monitor the registries that I need using a .vbs script. My only problem is that I had to call that script via a batch file, because Splunk does not know to use cscript to run the file when I use the .path file. Thanks anyways.

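As an added illustration of the "scripted input" option suggested above (and of what the questioner ended up doing with a .vbs script), here is a PowerShell script that emits the current state of every value under a key on each run, so the key gets indexed on a fixed interval whether or not anything changed. This is example code written for this page, not from the thread or from Splunk; it assumes the target key is HKU\.DEFAULT\Console (the hive the question targets) and that the script is saved under the app's bin directory, for example as reg_snapshot.ps1.

```powershell
# Added example, not part of the original thread.
# Emits one key=value event per registry value under $KeyPath (recursively),
# so a Splunk scripted input running on an interval indexes the full state
# each time instead of only on change.
param(
    # Assumed target: the hive from the question's regmon-filters.conf stanza
    [string]$KeyPath = 'Registry::HKEY_USERS\.DEFAULT\Console'
)

# Single timestamp per run so all values from one snapshot group together
$timestamp = (Get-Date).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')

function Write-KeyValues {
    param([string]$Path)

    # Get-Item on a Registry:: path returns a Microsoft.Win32.RegistryKey
    $item = Get-Item -LiteralPath $Path -ErrorAction Stop

    foreach ($name in $item.GetValueNames()) {
        $kind  = $item.GetValueKind($name)
        # DoNotExpandEnvironmentNames keeps REG_EXPAND_SZ data as stored
        $value = $item.GetValue($name, $null, 'DoNotExpandEnvironmentNames')

        # REG_BINARY comes back as byte[]; render as hex so the event stays on one line
        if ($value -is [byte[]]) {
            $value = ($value | ForEach-Object { $_.ToString('x2') }) -join ''
        } elseif ($value -is [string[]]) {
            # REG_MULTI_SZ: join the strings with a separator
            $value = $value -join ';'
        }

        # The default value has an empty name; label it so the field is never blank
        $display = if ($name -eq '') { '(Default)' } else { $name }

        # key=value pairs are auto-extracted by Splunk at search time
        '{0} key="{1}" value_name="{2}" type={3} data="{4}"' -f `
            $timestamp, $item.Name, $display, $kind, $value
    }

    # Recurse into subkeys (ignore any we cannot read)
    foreach ($sub in Get-ChildItem -LiteralPath $Path -ErrorAction SilentlyContinue) {
        Write-KeyValues -Path $sub.PSPath
    }
}

Write-KeyValues -Path $KeyPath
```

Whether Splunk launches a .ps1 directly from a [script://...] stanza depends on the forwarder version (an assumption to check against your release); if it does not, wrap it the same way the questioner wrapped the .vbs, with a .bat that runs powershell.exe -ExecutionPolicy Bypass -File against the script.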