Solved: In Windows monitoring, how do you get WinRegMon to...

althomas · ‎10-08-2018

Hi all,

I'm having lots of issues trying to get WinRegMon to do a baseline. I've pushed this to my workstation and it is working when I make manual changes to the registry. However, as I've got baseline set to 1 and an interval of a day's worth of seconds, I would expect there to be daily entries into the main index for all keys existing in the below.

My config looks a bit like this:

[WinRegMon://outlookDisabled]
disabled = 0
proc = .*
type = rename|create|delete|set
index = main
baseline = 1
baseline_interval = 86400
hive = \\REGISTRY\\USER\\.*\\Software\\Microsoft\\Office\\.*\\Outlook\\Resiliency\\DisabledItems\\.*

Has anyone had any experience with baselines not pulling in data?

Thanks!
Alex

althomas · ‎10-08-2018

So turns out it was being lost in the sea of events. It's indexing the data at the time when the change was made, not at the time when it pulls back in the data, which makes sense.

View solution in original post

althomas · ‎10-08-2018

So turns out it was being lost in the sea of events. It's indexing the data at the time when the change was made, not at the time when it pulls back in the data, which makes sense.

In Windows monitoring, how do you get WinRegMon to produce a baseline?

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

Join the Conversation

In Windows monitoring, how do you get WinRegMon to produce a baseline?

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey