Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Windows Registry monitoring works for local host not on universal forwarder

VasukiPramod
Explorer
‎08-13-2020 07:41 PM

Hi Team,
The following inputs.conf works on localhost to monitor a registry key, but not working on the universal forwarder.

[WinRegMon://HKLM]
baseline=1
disabled=0
hive=\\REGISTRY\\MACHINE\\SYSTEM\\*ControlSet*\\Services\\LanManServer\\Shares\\?.*
index=windows
proc=.*
type=set|create|delete|rename

BTW even the following hive attribute too works fine on local host but not on universal forwarder

hive=HKEY_LOCAL_MACHINE\\SYSTEM\\*ControlSet*\\Services\\LanManServer\\Shares\\?.*

But the default configuraiton of inputs.conf works on both local host and the universal forwarder.

[WinRegMon://default]
disabled = 0
hive = .*
proc = .*
type = rename|set|delete|create
index = windows

 

Any references are much helpful.

Labels (2)
Labels
0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...