Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Windows Registry monitoring works for local host not on universal forwarder

VasukiPramod
Explorer
‎08-13-2020 07:41 PM

Hi Team,
The following inputs.conf works on localhost to monitor a registry key, but not working on the universal forwarder.

[WinRegMon://HKLM]
baseline=1
disabled=0
hive=\\REGISTRY\\MACHINE\\SYSTEM\\*ControlSet*\\Services\\LanManServer\\Shares\\?.*
index=windows
proc=.*
type=set|create|delete|rename

BTW even the following hive attribute too works fine on local host but not on universal forwarder

hive=HKEY_LOCAL_MACHINE\\SYSTEM\\*ControlSet*\\Services\\LanManServer\\Shares\\?.*

But the default configuraiton of inputs.conf works on both local host and the universal forwarder.

[WinRegMon://default]
disabled = 0
hive = .*
proc = .*
type = rename|set|delete|create
index = windows

 

Any references are much helpful.

Labels (2)
Labels
0 Karma
Reply
Get Updates on the Splunk Community!

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...