Hey,
I want to monitor the changes in my Windows Registry. I have done the needed procedures and steps; however, the index I use for my Windows Registry is always empty whenever I run the following command:
index="Registry"
The steps I did were, firstly, to add registry data into Splunk:
Home->Add data->Windows Registry->Collect Windows Registry data on this Splunk Server
Next, I clicked on New and filled in the following information:
Collection Name: Registry
Registry Hive: HKEY_LOCAL_MACHINE\?.*
Baseline: Yes
Index: Registry
This is what is in my inputs.conf:
[script://$SPLUNK_HOME\bin\scripts\splunk-regmon.path]
disabled = 0
interval = 60
sourcetype = WinRegistry
source = WinRegistry
May I ask if I missed any steps, and why my Registry index is empty?
Thanks a lot! (:
Hi Zyon,
Can you check that the splunk-regmon.exe process is running? If not, then try restarting Splunk. As per this snippet from the docs:
Caution: When the Registry monitor is running, do not stop or kill the splunk-regmon.exe process manually. Doing so can result in system instability. To stop the Registry monitor, stop the splunkd server process from either the Services control panel or the CLI.
Did you check the permissions, as per the docs?
Required permissions:
Monitor the Registry
* Splunk must run on Windows
AND
* Splunk must run as either the local system user
OR
* Splunk must run as a domain user with read access to the Registry hives or keys that you want to monitor
Here is a method to monitor registry changes on Windows 10 Pro on a host that is remote to Splunk.
In this particular case I am interested in getting an event when a memory stick is inserted into the host.
1) Install Universal Forwarder on the remote host and configure it to forward events to Splunk
2) Download Splunk Add-on for Microsoft Windows:
https://splunkbase.splunk.com/app/742/#/details
3) Unzip and untar its directory. Move the Add-on directory to the Universal Forwarder on the remote host. In my case to the directory:
C:\Program Files\SplunkUniversalForwarder\etc\apps
4) From: C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\default
copy app.conf and inputs.conf
to C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\local
5) Clear the content of the \local copies of app.conf and inputs.conf
6) Add in C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\local\inputs.conf
[WinRegMon://hklm_USB]
disabled = 0
hive = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\.*
proc = .*
type = set|create|delete|rename
Restart the Universal Forwarder. Insert a USB stick into your Windows 10 machine. You should get an event in Splunk.
I hope this helps.
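As an added example, not part of the answer above and not Splunk's own tooling: a small Python script that checks a WinRegMon stanza offline before it is deployed to the forwarder. It parses the stanza text, verifies the event types in `type`, compiles the `hive` and `proc` regular expressions, and tests `hive` against a sample registry key path, so a pattern that never matches (a common reason for an empty index) is caught without a restart-and-wait cycle on the host. The sample stanzas, the key path and the list of accepted event types are constructed or assumed as commented in the code; the hive is written with escaped backslashes because it is a regular expression, and a second constructed stanza shows what the check reports when the backslashes are left unescaped.

```python
import re

# Constructed sample inputs.conf: a WinRegMon stanza of the same shape as the
# one in the answer above (backslashes escaped because hive is a regular
# expression), plus a second constructed stanza with two deliberate mistakes.
SAMPLE_INPUTS_CONF = r"""
[WinRegMon://hklm_USB]
disabled = 0
hive = \\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Services\\disk\\Enum\\.*
proc = .*
type = set|create|delete|rename

[WinRegMon://broken_example]
disabled = 0
hive = \REGISTRY\MACHINE\SOFTWARE\.*
proc = .*
type = set|modify
"""

# Constructed registry key path of the kind the USB stanza is meant to catch.
USB_ENUM_KEY = r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0"

# Event types accepted by WinRegMon's "type" setting. Assumption: this is the
# list from inputs.conf.spec as I remember it; confirm against your version.
KNOWN_TYPES = {"set", "create", "delete", "rename", "open", "close", "query"}


def parse_inputs_conf(text):
    """Minimal inputs.conf parser: {stanza: {key: value}}, values verbatim."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas[current] = {}
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def check_winregmon_stanza(name, settings, sample_keys):
    """Return the problems found in one WinRegMon stanza (empty list = OK).

    sample_keys are registry key paths the hive regex is expected to match;
    testing them here is cheaper than a restart-and-wait cycle on the host."""
    problems = []
    if settings.get("disabled", "0").lower() not in ("0", "false"):
        problems.append("stanza is disabled")
    missing = [k for k in ("hive", "proc", "type") if k not in settings]
    if missing:
        problems.append("missing setting(s): " + ", ".join(missing))
        return problems
    # type is a regex over event-type names; each alternative must be known
    for alt in settings["type"].split("|"):
        if alt not in KNOWN_TYPES:
            problems.append(f"unknown event type '{alt}'")
    # hive and proc are regular expressions; an unescaped backslash in a
    # registry path is read as an escape sequence, which is why a hive
    # written like \REGISTRY\... fails to compile here.
    try:
        hive_re = re.compile(settings["hive"], re.IGNORECASE)
    except re.error as exc:
        problems.append(f"hive regex does not compile: {exc}")
        return problems
    try:
        re.compile(settings["proc"])
    except re.error as exc:
        problems.append(f"proc regex does not compile: {exc}")
    for key in sample_keys:
        if not hive_re.match(key):
            problems.append(f"hive regex does not match '{key}'")
    return problems


def check_inputs_conf(text, sample_keys):
    """Run the checks over every WinRegMon stanza; {stanza: [problems]}."""
    return {
        name: check_winregmon_stanza(name, settings, sample_keys)
        for name, settings in parse_inputs_conf(text).items()
        if name.startswith("WinRegMon://")
    }


if __name__ == "__main__":
    results = check_inputs_conf(SAMPLE_INPUTS_CONF, [USB_ENUM_KEY])
    for name, problems in results.items():
        print(name, "OK" if not problems else "")
        for p in problems:
            print("  -", p)
```

Point the script at your own local\inputs.conf text and at a key path copied from Registry Editor (in the \REGISTRY\MACHINE\... form) to confirm the hive pattern matches before restarting the forwarder; a stanza that reports no problems but still yields no events points at permissions or at the forwarder not sending, rather than at the stanza itself.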