
Monitor Registry and Forward Data

Path Finder

For the past two days I have been working on modifying a Splunk forwarder configuration to monitor certain registries. After playing around with the sysmon.conf, regmon-filters.conf, and inputs.conf files, I have finally created something that works to a certain degree.

When I make changes to a Registry key value located in the hive targeted by the regmon-filters.conf file, Splunk forwards that change to the receiver server. My problem is that I want Splunk to index the registries in the specified hive without the registries having to be modified. I need Splunk to index a certain registry each interval even if the registry value has not changed.

Currently my regmon-filters.conf looks something like this:

    [Test Registries Monitor]
    proc = .*
    hive = \\REGISTRY\\USER\\\.DEFAULT\\Console\\.*
    type = set|create|delete|rename|query
    baseline = 0

I believe I have used all the available 'type' values, and all of them require some kind of modification of the registry. I haven't seen anything in the documentation, but can I remove type and just have this registry monitored every interval no matter what?

Also, when I set the baseline to true, Splunk indexes all registries in the \REGISTRY\USER\.* hive and not the targeted location. But when I modify a registry, it only indexes keys that are in the entire target location. Why is that?

I really hope someone could help me out with this. This entire process has been really frustrating. Thanks.


Motivator

As you have seen, baselining will re-scan the entire hive, and only runs once unless Splunk has been offline for some period of time (by default, 1 day). Regular registry monitoring only looks for changes.

Consider one of the following:

  • Use WMI to query the key(s) you are interested in (WMI Examples).
  • Create a scripted input that queries the registry and outputs the results.
  • Create a scheduled task in Windows to dump the registry keys to a .reg file on a schedule, and have Splunk index that file.
  • Use a scheduled search in Splunk to populate a lookup table with the current registry state (not recommended).


Path Finder

Thanks for your advice. I am able to monitor the registries that I need using a .vbs script. My only problem is that I had to call that script via a batch file, because Splunk does not know to use cscript to run the file when I use the .path file. Thanks anyway.

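The scripted-input option from the answer, written out as an added example (this is not code from the thread or from Splunk). It snapshots every value under the key from the question on each run, so the current state is indexed even when nothing changed, and because it is a .ps1 run through Splunk's powershell:// input it does not need the batch/cscript wrapper mentioned in the follow-up. The app path, script name and sourcetype in the inputs.conf comment are placeholders, and the stanza form is assumed; verify it against the Splunk documentation for your forwarder version.

```powershell
# Added example (not from the thread): snapshot a registry key on every run so
# Splunk indexes the current values whether or not they changed since last time.
param(
    [string]$SubKey = '.DEFAULT\Console',   # relative to HKEY_USERS, as in the question
    [switch]$Recurse
)

# One timestamp per run so all values from one snapshot can be grouped in Splunk
$ts = (Get-Date).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ss.fffZ')

function Quote([string]$s) {
    # Keep each event on a single line and escape embedded double quotes
    '"' + ($s -replace '"', '\"' -replace "[`r`n]+", ' ') + '"'
}

function Write-KeySnapshot([Microsoft.Win32.RegistryKey]$Key) {
    foreach ($name in $Key.GetValueNames()) {
        $kind = $Key.GetValueKind($name)
        # Log REG_EXPAND_SZ as stored rather than expanding %VARS% on this host
        $data = $Key.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
        if ($data -is [byte[]]) {
            $data = [BitConverter]::ToString($data) -replace '-', ''   # hex for REG_BINARY
        } elseif ($data -is [string[]]) {
            $data = $data -join ';'                                    # REG_MULTI_SZ
        }
        $label = if ($name -eq '') { '(Default)' } else { $name }
        "$ts key_path=$(Quote $Key.Name) value_name=$(Quote $label) " +
        "value_type=$kind value_data=$(Quote ([string]$data))"
    }
    if ($Recurse) {
        foreach ($child in $Key.GetSubKeyNames()) {
            $sub = $null
            try { $sub = $Key.OpenSubKey($child) } catch { }
            if ($sub) { Write-KeySnapshot $sub; $sub.Close() }
            else { "$ts key_path=$(Quote ($Key.Name + '\' + $child)) error=$(Quote 'access denied')" }
        }
    }
}

$root = [Microsoft.Win32.Registry]::Users.OpenSubKey($SubKey)
if (-not $root) { "$ts key_path=$(Quote ('HKEY_USERS\' + $SubKey)) error=$(Quote 'key not found')"; exit 1 }
Write-KeySnapshot $root
$root.Close()

# inputs.conf on the forwarder (assumed form; check the Splunk docs for your version).
# The powershell:// input runs .ps1 files natively, so no batch/cscript wrapper is needed:
# [powershell://Registry_Console_Snapshot]
# script = . "$SplunkHome\etc\apps\reg_snapshot\bin\Get-RegistrySnapshot.ps1"
# schedule = */5 * * * *
# sourcetype = windows:registry:snapshot
```

Because every run re-emits all values with a shared timestamp, a search can diff consecutive snapshots per key_path/value_name to spot drift that the change-only registry monitor would miss if it was offline when the modification happened.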