Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How can i use splunk to query windows registry

manjunath6681
New Member
‎04-20-2017 02:03 AM

I have a .NET web site that is deployed on windows server(2003,2008,2012). My Application contains 6 MSIs which will create registry entry with the version number of the MSI installed on the server.

Can i use splunk to read registry keys and display the MSI versions installed on all my servers ?

Note: I dont want splunk to create an error or event when the registry key is created,updated or deleted. I only want it to show what is the current MSI version installed on the server by reading the registry key.

Tags (1)
0 Karma
Reply

thielethomas
Explorer
‎07-13-2017 02:01 AM

Hi@all,

registry monitor is not the way to get this done. Try using scheduled Batch skript:
reg query and pipe it to a Textfile , then monitor this file

Reply

adonio
Ultra Champion
‎04-20-2017 07:03 AM

hello there,
check this in docs: https://docs.splunk.com/Documentation/Splunk/6.5.3/Data/MonitorWindowsregistrydata
it covers that topic in detail
hope it helps

0 Karma
Reply

manjunath6681
New Member
‎04-26-2017 01:47 AM

I configured this. but the problem is, This will only generate events when there is an SET,UPDATE,DELETE... happens to the registry.
I have 6 MSIs.. only 2 are frequently updated and the remaining 4 are rarely updated. I am getting the MSI versions of the 2 which updates frequently but the remaining 4 that are not recently updated are unavailable on splunk.

I do not want splunk to monitor any events that occur on the registry path, instead i just want splunk to read all the keys in the given path and display it to me.

0 Karma
Reply

alemarzu
Motivator
‎04-20-2017 07:03 AM

Hi there, I don't believe you can query Windows Registry as DBX does to a DB, but theres a modular input for that type of data and runs as a process called splunk-regmon.exe.

Create an input and then search or report on it.

Check this out: https://docs.splunk.com/Documentation/Splunk/6.5.3/Data/MonitorWindowsregistrydata

Hope it helps.

0 Karma
Reply

manjunath6681
New Member
‎04-26-2017 01:47 AM

I configured this. but the problem is, This will only generate events when there is an SET,UPDATE,DELETE... happens to the registry.
I have 6 MSIs.. only 2 are frequently updated and the remaining 4 are rarely updated. I am getting the MSI versions of the 2 which updates frequently but the remaining 4 that are not recently updated are unavailable on splunk.

I do not want splunk to monitor any events that occur on the registry path, instead i just want splunk to read all the keys in the given path and display it to me.

0 Karma
Reply
Register for .conf25!
Get Updates on the Splunk Community!

Leveraging Detections from the Splunk Threat Research Team & Cisco Talos

  Now On Demand  Stay ahead of today’s evolving threats with the combined power of the Splunk Threat Research ...

New in Splunk Observability Cloud: Automated Archiving for Unused Metrics

Automated Archival is a new capability within Metrics Management; which is a robust usage & cost optimization ...

Calling All Security Pros: Ready to Race Through Boston?

Hey Splunkers, .conf25 is heading to Boston and we’re kicking things off with something bold, competitive, and ...
Top