Getting Data In

Monitor Registry and Forward Data

gallantalex
Path Finder

For the past two days I have been working on modifying a Splunk forwarder configuration to monitor certain registries. After playing around with the sysmon.conf, regmon-filters.conf, and inputs.conf files, I have finally created something that works to a certain degree.

When I make changes to a registry key value located in the hive targeted by the regmon-filters.conf file, Splunk forwards that change to the receiver server. My problem is that I want Splunk to index the registries in the specified hive without the registries having to be modified. I need Splunk to index a certain registry each interval even if the registry value has not changed.

Currently my regmon-filters.conf looks something like this:

[Test Registries Monitor]
proc = .*
hive = \\REGISTRY\\USER\\\.DEFAULT\\Console\\.*
type = set|create|delete|rename|query
baseline = 0

I believe I have used all the available 'type's, and all of them require some kind of modification of the registry. I haven't seen anything in the documentation, but can I remove type and just have this registry monitored every interval no matter what?

Also when I set the baseline to true, Splunk indexes all registries in the \REGISTRY\USER\.* hive and not the targeted location. But when I modify a registry, it only indexes keys that are in the entire target location. Why is that?

I really hope someone could help me out with this. This entire process has been really frustrating. Thanks.

0 Karma
1 Solution

southeringtonp
Motivator

As you have seen, baselining will re-scan the entire hive, and only runs once unless Splunk has been offline for some period of time (by default, 1 day). Regular registry monitoring only looks for changes.

Consider one of the following:

  • Use WMI to query the key(s) you are interested in (WMI Examples).
  • Create a scripted input that queries the registry and outputs the results.
  • Create a scheduled task in Windows to dump the registry keys to a .reg file on a schedule, and have Splunk index that file.
  • Use a scheduled search in Splunk to populate a lookup table with the current registry state (not recommended).

    0 Karma
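One way to implement the "scripted input" option from the answer above, as an added example that is not part of the original post and not Splunk's own code: a PowerShell script that walks the targeted key on every run and emits one key="value" line per registry value, whether or not anything changed, so each interval produces a full snapshot rather than a change event. The inputs.conf stanza, the app path, the .bat wrapper and the sourcetype name in the comments are assumptions for illustration; the wrapper mirrors the batch-file approach the original poster used for their .vbs script.

```powershell
# registry_snapshot.ps1 (added example, not from the original post or from Splunk)
# Emits one line per registry value under the given key on every run,
# independent of whether the value changed, for a Splunk scripted input
# that runs on a fixed interval.
#
# Assumed (hypothetical) inputs.conf stanza on the forwarder:
#   [script://$SPLUNK_HOME\etc\apps\myapp\bin\registry_snapshot.bat]
#   interval = 300
#   sourcetype = registry:snapshot
# and an assumed registry_snapshot.bat wrapper next to the script:
#   @powershell.exe -NoProfile -ExecutionPolicy Bypass -File "%~dp0registry_snapshot.ps1"

param(
    # Registry path in PowerShell provider syntax. HKEY_USERS\.DEFAULT\Console
    # is the location targeted by the regmon-filters.conf stanza in the question.
    [string]$Path = 'Registry::HKEY_USERS\.DEFAULT\Console',
    # Also walk subkeys, matching the trailing .* in the original hive regex.
    [switch]$Recurse
)

function Get-RegistrySnapshot {
    param([string]$Path, [switch]$Recurse)

    # Get-Item on a missing key throws, which makes the scripted input fail
    # loudly instead of silently emitting nothing.
    $keys = @(Get-Item -LiteralPath $Path -ErrorAction Stop)
    if ($Recurse) {
        $keys += Get-ChildItem -LiteralPath $Path -Recurse -ErrorAction SilentlyContinue
    }

    foreach ($key in $keys) {
        foreach ($name in $key.GetValueNames()) {
            $kind = $key.GetValueKind($name)
            # Do not expand %VAR% in REG_EXPAND_SZ values; index what is stored.
            $data = $key.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
            # Flatten every value type to a single string so one event is one line.
            $text = switch ($kind) {
                'Binary'      { ($data | ForEach-Object { $_.ToString('x2') }) -join '' }
                'MultiString' { $data -join '|' }
                default       { "$data" }
            }
            [pscustomobject]@{
                time       = (Get-Date).ToString('o')
                host       = $env:COMPUTERNAME
                key_path   = $key.Name
                value_name = $(if ($name -eq '') { '(Default)' } else { $name })
                value_type = $kind.ToString()
                value_data = $text
            }
        }
    }
}

# Render each record as space-separated key="value" pairs, which Splunk's
# automatic field extraction picks up without a props.conf entry.
Get-RegistrySnapshot -Path $Path -Recurse:$Recurse | ForEach-Object {
    $fields = $_.PSObject.Properties | ForEach-Object {
        '{0}="{1}"' -f $_.Name, ("$($_.Value)" -replace '"', '\"')
    }
    $fields -join ' '
}
```

Because every run emits the complete state, a search over the latest snapshot per key_path and value_name gives the current configuration, and comparing consecutive snapshots (for example with `transaction` or `streamstats` on value_data) flags drift that regmon-filters.conf would only catch if the write happened while the forwarder was running.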


    gallantalex
    Path Finder

Thanks for your advice. I am able to monitor the registries that I need using a .vbs script. My only problem is that I had to call that script via a batch file, because Splunk does not know to use cscript to run the file when I use the .path file. Thanks anyway.

    0 Karma