For the past two days I have been working on modifying a Splunk forwarder configuration to monitor certain registries. After playing around with the sysmon.conf, regmon-filters.conf, and inputs.conf files, I have finally created something that works to a certain degree.
When I make changes to a Registry key value located in the hive targeted by the regmon-filters.conf file, Splunk forwards that change to the receiver server. My problem is that I want Splunk to index the registries in the specified hive without the registries having to be modified. I need Splunk to index a certain registry each interval even if the registry value has not changed.
Currently my regmon-filters.conf looks something like this:
[Test Registries Monitor]
proc = .*
hive = \\REGISTRY\\USER\\\.DEFAULT\\Console\\.*
type = set|create|delete|rename|query
baseline = 0
I believe I have used all the available 'type's and all of them require some kind of modification of the registry. I haven't seen anything in the documentation, but can I remove type and just have this registry monitored every interval no matter what?
Also when I set the baseline to true, Splunk indexes all registries in the \REGISTRY\USER\.* hive and not the targeted location. But when I modify a registry, it only indexes keys that are in the entire target location. Why is that?
I really hope someone could help me out with this. This entire process has been really frustrating.
Thanks.
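An added example, not part of the original question or of Splunk's own code: a small Python checker that parses the stanza above and applies its proc, hive and type filters to constructed registry events, so you can see which events the stanza would pass before deploying it to a forwarder. It assumes the whole key path has to match the hive pattern (fullmatch), which is an approximation of how Splunk applies the regexes.

```python
import configparser
import re

# Constructed copy of the stanza from the question; a real deployment reads
# regmon-filters.conf from the forwarder's app directory instead.
REGMON_FILTERS = r"""
[Test Registries Monitor]
proc = .*
hive = \\REGISTRY\\USER\\\.DEFAULT\\Console\\.*
type = set|create|delete|rename|query
baseline = 0
"""


def load_filters(text):
    """Parse regmon-filters.conf stanzas into compiled proc/hive patterns and a type set."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    filters = {}
    for name in cp.sections():
        stanza = cp[name]
        filters[name] = {
            "proc": re.compile(stanza.get("proc", ".*")),
            "hive": re.compile(stanza.get("hive", ".*")),
            "types": set(stanza.get("type", "").split("|")),
            "baseline": stanza.get("baseline", "0") == "1",
        }
    return filters


def matching_stanzas(filters, proc, key_path, event_type):
    """Names of stanzas whose proc, hive and type filters all accept the event.

    Assumption: the full process path and key path must match the pattern
    (fullmatch); this approximates how Splunk applies the proc/hive regexes."""
    return [
        name for name, f in filters.items()
        if f["proc"].fullmatch(proc)
        and f["hive"].fullmatch(key_path)
        and event_type in f["types"]
    ]


FILTERS = load_filters(REGMON_FILTERS)

if __name__ == "__main__":
    # Constructed events: one process, two key paths, two event types.
    proc = r"C:\Windows\regedit.exe"
    events = [
        (r"\REGISTRY\USER\.DEFAULT\Console\ScreenBufferSize", "set"),
        (r"\REGISTRY\USER\.DEFAULT\Console\ScreenBufferSize", "open"),
        (r"\REGISTRY\USER\S-1-5-21-1\Console\ScreenBufferSize", "set"),
    ]
    for key_path, event_type in events:
        hits = matching_stanzas(FILTERS, proc, key_path, event_type)
        print(f"{event_type:6} {key_path}: {hits or 'filtered out'}")
```

The second event shows that an event type not listed in `type` is dropped even when the key path matches, and the third shows that a key under another user's SID never matches this stanza's `hive`.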