Here is a method to monitor registry changes on WIndows 10 Pro on a host that is remote to Splunk.
In this particular case I am interested to get an event when a memory stick is inserter to the host.
1) Install Universal Forwarder on the remote host and configure it to forward events to Splunk
2) Download Splunk Add-on for Microsoft Windows:
3) Unzip and untar its directory. Move Ad-On directory to the Universal Forwarder on the remote host. In my case to the directory:
4) From: C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\default
copy app.conf and inputs.conf
to C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\local
5) Clear content of \local copies on app.conf and inputs.conf
6) Add in C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\local\inputs.conf
disabled = 0
hive = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\.*
proc = .*
type = set|create|delete|rename
Restart the Universal Forwarder. Insert a USB to your Windows 10. You should get an event on your Splunk.
I hope this helps.
... View more
Look at your Splunk customer profile.
You can access it from within your error message screen or at:
The reason you are getting the error is most likely that you have already one Sandbox instance running.
Hope this helps.
... View more