Re: Splunk registry monitor (splunk-regmon) genera...

caagrawal · ‎03-23-2017

In our environment (Windows 2012) we see that WinRegistry sourcetype is generating 4k events per 5 mins. In order to reduce the data, we thought to reduce the frequency of splunk-regmon.exe and did following changes:

We configured interval for splunk-regmon.exe to be 3600 in C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf. Even though splunkd.log shows that splunk-regmon is scheduled to run every hour the process actually runs continuously and generates lots of registry data. We monitored the process from task-manager and it looks like splunk-regmon process never ends once its started.

C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf:
[WinRegMon]
interval = 3600

Please help on fixing this issue. Let me know if any more details required.

wcolgate_splunk · ‎04-17-2018

In the cases of most modular inputs, interval is not what you think it is. Interval is how often to restart the mod input if it exits, either on purpose or on error/crash.

For the registry monitor -- it runs continuously. There is a driver component and a usermode component. The driver monitors the registry for the key(s)/subkeys requested in the stanza (and by operation). The usermode component pulls that information from the driver.

If you are getting too much data, maybe you are requesting too broad a collection to monitor. The registry is heavily used by everything in a windows OS.

adonio · ‎03-23-2017

did you restart the forwarder after submitting the change to inputs.conf?

caagrawal · ‎03-23-2017

yes, restarted couple of times. BTW what is expected behaviour after making the change I mentioned? Should splunk-regmon be running continuously or should exit and run again after an hour?

adonio · ‎03-25-2017

are you using the windows TA for pre-configured windows registry monitoring?

caagrawal · ‎03-29-2017

yes, we are using Windows TA app

adonio · ‎03-30-2017

these are the pre-built registry monitoring configurations within the app (default)

[WinRegMon://default]
disabled = 1
hive = .*
proc = .*
type = rename|set|delete|create
index = windows
[WinRegMon://hkcu_run]
disabled = 1
hive = \\REGISTRY\\USER\\.*\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\.*
proc = .*
type = set|create|delete|rename
index = windows

[WinRegMon://hklm_run]
disabled = 1
hive = \\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\.*
proc = .*
type = set|create|delete|rename
index = windows

I dont see interval there. in the inputs
here is a suggestion from docs on how to filter events to reduce amount of data:
https://docs.splunk.com/Documentation/Splunk/6.5.2/Data/MonitorWindowsregistrydata

hope it helps

haliakbar_splun · ‎08-02-2017

If you have a monitor that you do not want to run. You need to add "-1" to the interval

[WinRegMon]
interval = -1

Within windows TA there are several scripts and monitors. You can add interval = -1 to them and it will run once and then it will stop. Then it will run once every time you restart splunk.

Splunk registry monitor (splunk-regmon) generating too much data continuously

Developer Spotlight with Paul Stout

State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...

Data-Driven Success: Splunk & Financial Services