Hello,
I am trying to monitor the registry of remote forwarders. I have the following in my regmon.conf
[default]
disabled = 0
baseline = 0
#30 days
#baseline_interval = 2592000
# Monitor all registry keys under the HKEY_CURRENT_USER Registry hive for
# "set," "create," "delete," and "rename" events created by all processes.
# Store the events in the "regmon" splunk index
[USBSTOR]
proc = .*
hive = \REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR
type = set|create|delete|rename
index = default
baseline = 0
disabled = 0
[USB]
proc = .*
hive = \REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Enum\USB
type = set|create|delete|rename
index = default
baseline = 0
disabled = 0
I am trying to monitor when a USB device is plugged in. I am using deployment server to deploy this as an app, I see it show up in deployment-client, & I see the keys showing in the reg input on the forwarder... I then walk to the device, plug in a USB flash drive, watch the registry change, but no events ever show up!
Can anyone see anything I am doing wrong?
Thanks for your help.
Kevin
... View more