Splunk Search

How can I use Splunk to query the Windows registry

manjunath6681
New Member

I have a .NET web site that is deployed on Windows Server (2003, 2008, 2012). My application contains 6 MSIs, each of which creates a registry entry with the version number of the MSI installed on the server.

Can I use Splunk to read registry keys and display the MSI versions installed on all my servers?

Note: I don't want Splunk to create an error or event when the registry key is created, updated or deleted. I only want it to show the current MSI version installed on the server by reading the registry key.

0 Karma

thielethomas
Explorer

Hi @all,

The registry monitor is not the way to get this done. Try using a scheduled batch script:
run reg query and pipe it to a text file, then monitor this file.
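The approach above, worked through as an added example (not code from the thread): a scheduled PowerShell script that reads the version value of each MSI from the registry and appends one key=value line per component to a file that a Splunk monitor input tails. The key paths under HKLM:\SOFTWARE\Contoso\WebSite, the value name "Version" and the output path are assumptions; on a host without PowerShell the same thing can be done with reg query redirected to the file.

```powershell
# Added example, not from the thread. Assumed: each MSI writes a "Version"
# value under its own key below; adjust $KeyPaths and $OutFile to your setup.
$KeyPaths = @(
    'HKLM:\SOFTWARE\Contoso\WebSite\Component1',
    'HKLM:\SOFTWARE\Contoso\WebSite\Component2'
)
$OutFile = 'C:\SplunkInputs\msi_versions.log'

# Make sure the output directory exists before the first run.
New-Item -ItemType Directory -Force -Path (Split-Path $OutFile) | Out-Null

$timestamp = (Get-Date).ToString('yyyy-MM-dd HH:mm:ss')
$lines = foreach ($path in $KeyPaths) {
    $name = Split-Path $path -Leaf
    if (Test-Path $path) {
        # A missing value must not abort the loop; record it explicitly instead.
        $version = (Get-ItemProperty -Path $path -Name 'Version' -ErrorAction SilentlyContinue).Version
        if (-not $version) { $version = 'MISSING_VALUE' }
    } else {
        $version = 'KEY_NOT_FOUND'
    }
    # key=value pairs let Splunk extract host, msi and version as fields automatically.
    '{0} host="{1}" msi="{2}" version="{3}"' -f $timestamp, $env:COMPUTERNAME, $name, $version
}

# Append rather than overwrite, so the monitor input only picks up the new lines.
Add-Content -Path $OutFile -Value $lines
```

Run it from Task Scheduler on each server and add a [monitor://C:\SplunkInputs\msi_versions.log] stanza to inputs.conf on the forwarder; a search such as `sourcetype=msi_versions | stats latest(version) by host, msi` then shows the current version of every MSI on every server, including the ones that never change.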

adonio
Ultra Champion

Hello there,
check this in the docs: https://docs.splunk.com/Documentation/Splunk/6.5.3/Data/MonitorWindowsregistrydata
It covers that topic in detail.
Hope it helps.

0 Karma

manjunath6681
New Member

I configured this, but the problem is that it will only generate events when a SET, UPDATE, DELETE... happens to the registry.
I have 6 MSIs; only 2 are frequently updated and the remaining 4 are rarely updated. I am getting the MSI versions of the 2 which update frequently, but the remaining 4 that have not been recently updated are unavailable in Splunk.

I do not want Splunk to monitor any events that occur on the registry path; instead I just want Splunk to read all the keys in the given path and display them to me.

0 Karma

alemarzu
Motivator

Hi there, I don't believe you can query the Windows Registry the way DBX queries a DB, but there's a modular input for that type of data that runs as a process called splunk-regmon.exe.

Create an input and then search or report on it.

Check this out: https://docs.splunk.com/Documentation/Splunk/6.5.3/Data/MonitorWindowsregistrydata

Hope it helps.

0 Karma
