I have a .NET web site that is deployed on Windows Server (2003, 2008, 2012). My application contains 6 MSIs which will create a registry entry with the version number of the MSI installed on the server.
Can I use Splunk to read registry keys and display the MSI versions installed on all my servers?
Note: I don't want Splunk to create an error or event when the registry key is created, updated or deleted. I only want it to show what the current MSI version installed on the server is by reading the registry key.
Hi @all,
Registry monitor is not the way to get this done. Try using a scheduled batch script:
reg query and pipe it to a text file, then monitor this file.
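
A sketch of the scheduled-snapshot approach from the answer above, as an added example that is not part of the original thread. It uses PowerShell instead of a batch file (assumed to be installed on every server, which Windows Server 2003 does not guarantee), and the registry path, output path and field names are placeholders.

```powershell
# Added example: snapshot the current values under one registry key as
# timestamped key=value lines in a file that a Splunk monitor input can index.
# ASSUMPTIONS (placeholders, not from the thread): the key path, the output
# path, and that each MSI writes its version as a value under this key.
param(
    [string]$KeyPath = 'HKLM:\SOFTWARE\ExampleCompany\ExampleApp',  # placeholder
    [string]$OutFile = 'C:\SplunkInventory\msi_versions.log'        # placeholder
)

$stamp = (Get-Date).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
$fmt   = '{0} computer="{1}" key="{2}" name="{3}" value="{4}"'
$lines = @()

if (Test-Path -Path $KeyPath) {
    # The key itself plus every subkey, so one-subkey-per-MSI layouts are covered.
    $keys = @(Get-Item -Path $KeyPath) + @(Get-ChildItem -Path $KeyPath -Recurse)
    foreach ($key in $keys) {
        foreach ($name in $key.GetValueNames()) {
            if ($name -eq '') { continue }   # skip the unnamed (Default) value
            $value = $key.GetValue($name)
            $lines += ($fmt -f $stamp, $env:COMPUTERNAME, $key.Name, $name, $value)
        }
    }
} else {
    # Write an explicit record so a missing key shows up instead of silence.
    $missing = '{0} computer="{1}" key="{2}" status="missing"'
    $lines += ($missing -f $stamp, $env:COMPUTERNAME, $KeyPath)
}

# Create the output directory on first run, then append this snapshot.
$dir = Split-Path -Path $OutFile -Parent
if (-not (Test-Path -Path $dir)) {
    New-Item -ItemType Directory -Path $dir | Out-Null
}
if ($lines.Count -gt 0) {
    Add-Content -Path $OutFile -Value $lines
}
```

Because every run writes all values, including those of MSIs that have not changed, a search that takes the latest value per computer and name shows the current version of all six.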
Hello there,
Check this in the docs: https://docs.splunk.com/Documentation/Splunk/6.5.3/Data/MonitorWindowsregistrydata
It covers that topic in detail.
Hope it helps.
I configured this, but the problem is that this will only generate events when a SET, UPDATE, DELETE... happens to the registry.
I have 6 MSIs. Only 2 are frequently updated and the remaining 4 are rarely updated. I am getting the MSI versions of the 2 which update frequently, but the remaining 4 that are not recently updated are unavailable in Splunk.
I do not want Splunk to monitor any events that occur on the registry path; instead I just want Splunk to read all the keys in the given path and display them to me.
Hi there, I don't believe you can query the Windows Registry as DBX does to a DB, but there's a modular input for that type of data, and it runs as a process called splunk-regmon.exe.
Create an input and then search or report on it.
Check this out: https://docs.splunk.com/Documentation/Splunk/6.5.3/Data/MonitorWindowsregistrydata
Hope it helps.
I configured this, but the problem is that this will only generate events when a SET, UPDATE, DELETE... happens to the registry.
I have 6 MSIs. Only 2 are frequently updated and the remaining 4 are rarely updated. I am getting the MSI versions of the 2 which update frequently, but the remaining 4 that are not recently updated are unavailable in Splunk.
I do not want Splunk to monitor any events that occur on the registry path; instead I just want Splunk to read all the keys in the given path and display them to me.