Getting Data In

What stanza would I need to only monitor the Notification Packages string within the Lsa hive?

AaronMoorcroft
Communicator

Hey guys,

So I have another request. I can monitor hives without issue, so directly below, if I were to add anything into this hive it gets picked up. However, when it comes to monitoring a specific value of a String or Dword then I'm having trouble; see the 2nd example below.

[WinRegMon://Registry1]
proc = .*
hive = \\REGISTRY\\USER\\.*\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN\\.*
type = create|delete|set|rename
baseline = 1
index = main


[WinRegMon://Registry11]
proc = .*
hive = \\REGISTRY\\MACHINE\\SYSTEM\\CURRENTCONTROLSET\\CONTROL\\LSA\\Notification Packages.*
type = create|delete|set|rename
baseline = 1
index = main

Also tried with -

\\NotificationPackages.*
\\Notification Packages\\.*

If I remove the "Notification Packages" then the stanza does kind of work in that the baseline is taken of all items within the Lsa hive, but when adding the Notification Packages item I get nothing at all. I have read that I can monitor via the key_path and also process_image, however I don't want to narrow the changes down to specific processes, and again adding a .* doesn't seem to bring back any values.

Can anyone advise of the stanza I would need to only monitor the Notification Packages string within the Lsa hive?

0 Karma

AaronMoorcroft
Communicator

A little more info on this: I can use the key_path value, which sort of works as it logs the changes I need; however, it also opens the floodgates for some reason to a bunch of other keys in various hives, not limited to HKLM.

So I could write a query and create dashboards for what I actually need however, the license usage is being taken up by events I don't wish to be logging. I did some digging around the CurrentControlSet path and it seems to work like a VIP / loadbalancer in that it points to ControlSet001 or ControlSet002 and potentially even ControlSet003 as these are like backups to the CurrentControlSet.

So if anyone has any other ideas on this I'm happy to listen. My current setup is -

[WinRegMon://Registry11]
proc = .*
key_path = "\REGISTRY\MACHINE\SYSTEM\CURRENTCONTROLSET\CONTROL\LSA\Notification Packages"
type = create|delete|set|rename
index = main

0 Karma

MikaJustasACN
Path Finder

Don't know exactly in this case, but try with an underscore _: Notification_Packages. This is the standard behaviour of Windows in the majority of spaces I have faced. Not guaranteed, just try.

0 Karma

AaronMoorcroft
Communicator

Hey,

I've tried with an _ and it brings back some surprising results: the key I wish to monitor is not monitored; however, what seems to be a replication of the key is monitored along with a whole host of other items. It's definitely got me scratching my head.

HKLM\System\ControlSet001\Control\Lsa\Notification Packages is now being picked up ???

0 Karma
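The thread's second and last posts point at the likely cause: CurrentControlSet is a link to ControlSet001/002, and the events that do arrive carry the ControlSet001 path. The following is an added example (not Splunk's code and not from this thread) that checks candidate hive regexes against a constructed set of key paths written the way the last post shows them. It assumes two things that the page itself does not confirm: that the monitor compares the resolved ControlSet00N path rather than the CurrentControlSet link name, and that the hive setting is applied as a case-insensitive, whole-string regex match. Under those assumptions it shows why both the space and underscore variants of the CURRENTCONTROLSET pattern match nothing, while a pattern that accepts any ControlSet number matches exactly the Notification Packages value and nothing else in Lsa.

```python
import re

# Constructed sample of registry key paths in the form the thread's last post
# shows them being reported (resolved ControlSet00N, not CurrentControlSet).
SAMPLE_KEY_PATHS = [
    r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\Notification Packages",
    r"\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\Lsa\Notification Packages",
    r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\Security Packages",
    r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa",
    r"\REGISTRY\USER\S-1-5-21-1111-2222-3333-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\Updater",
]

# Candidate hive regexes, written as they would appear in an inputs.conf
# stanza (backslashes doubled, as in the thread's first post). The first two
# are the patterns tried in the thread; the third is the hypothetical fix.
CANDIDATES = {
    "currentcontrolset_space":
        r"\\REGISTRY\\MACHINE\\SYSTEM\\CURRENTCONTROLSET\\CONTROL\\LSA\\Notification Packages.*",
    "currentcontrolset_underscore":
        r"\\REGISTRY\\MACHINE\\SYSTEM\\CURRENTCONTROLSET\\CONTROL\\LSA\\Notification_Packages.*",
    "any_controlset_space":
        r"\\REGISTRY\\MACHINE\\SYSTEM\\CONTROLSET\d+\\CONTROL\\LSA\\Notification Packages$",
}


def matching_paths(pattern, paths=SAMPLE_KEY_PATHS):
    """Return the sample paths a hive regex would select.

    Assumption: the match is case-insensitive and must cover the whole path,
    which is consistent with the all-uppercase patterns in the thread working
    against mixed-case key names.
    """
    rx = re.compile(pattern, re.IGNORECASE)
    return [p for p in paths if rx.fullmatch(p)]


def match_counts(candidates=CANDIDATES, paths=SAMPLE_KEY_PATHS):
    """Map each candidate name to the number of sample paths it selects."""
    return {name: len(matching_paths(pat, paths)) for name, pat in candidates.items()}


if __name__ == "__main__":
    for name, pat in CANDIDATES.items():
        hits = matching_paths(pat)
        print(f"{name}: {len(hits)} match(es)")
        for h in hits:
            print("   ", h)
```

The trailing `$` on the third pattern matters for the licence concern raised in the second post: `Notification Packages.*` would also accept anything created beneath that key, whereas the anchored form selects only the value itself. If events in your environment still arrive under the CurrentControlSet name, extend the alternation to `(CURRENTCONTROLSET|CONTROLSET\d+)` rather than widening the pattern further.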