
How do I filter out events with "c:\Windows\System32\svchost.exe" pulled in by the Splunk Add-on for Microsoft Windows?

dolejh76
Communicator

Looking at my indexes, I see that in the index Windows (which was created by Splunk_TA_windows)

I have about 90% of these events with

event_status="(0)The operation completed successfully."
pid=944
process_image="c:\Windows\System32\svchost.exe"
registry_type="CreateKey"
key_path="HKLM\software\classes"
data_type="REG_NONE"
data=""

This is a pretty useless event, I think. What would be the best way to exclude this from being picked up by Splunk? I don't typically try to exclude things, but in the last 30-day sample this event accounts for 92% of the events in that index. It would be nice to cut that chunk of useless data out.

Unless I am wrong, should I leave this one for some unknown reason?

I would want to change this on the deployment server:
/opt/splunk/etc/deployment-apps/Splunk_TA_windows/default/props.conf
so that it can get pushed out to all the hosts I would assume?

I think this is the section that is pulling those events. Not sure, but it is the only reference (via sos) that shows WinRegistry as a source:

[source::....winregistry]
sourcetype = WinRegistry
LINE_BREAKER = ([\r\n]+)\d{2}\/\d{2}\/\d{2,4}\s+\d{2}:\d{2}:\d{2}\.\d+

## WinRegistry endpoint changes
## Required fields: action,dest,object,object_category,object_path,status,user
## Optional fields: object_id,object_attrs,user_type,msg,data,severity
[WinRegistry]
REPORT-object_object_path_for_WinRegistry = object_object_path_for_WinRegistry
REPORT-vendor_status_msg_for_WinRegistry = vendor_status_msg_for_WinRegistry
REPORT-user_for_WinRegistry = user_for_WinRegistry
# data is already set via KV field extraction

Thanks
John

0 Karma

majerus
Engager

We had quite a frustrating time figuring this out, so here is your answer. More than likely the events you're seeing are due to the Windows registry monitor process running on your Windows servers (verify by looking in Task Manager for a process named splunk-regmon.exe).

Once you see that process, you're halfway home.

Modify your inputs.conf file and the stanza that looks like:

[WinRegMon://default]
disabled = 0
hive = .*
proc = .*
type = rename|set|delete|create
index = windows

To...

[WinRegMon://default]
disabled = 0
hive = .*
proc = ^((?!(reg.exe|svchost.exe)).)*$
type = rename|set|delete|create
index = windows

Reload, run your deployment, or do the things you typically do.

Then sit back and tell your boss you just saved them many hundreds or thousands of dollars.

Happy Splunking!!

dolejh76
Communicator

Circling back around to this as it is consuming a lot of space. Does anyone have any advice for this?

Thanks
John

0 Karma

lelandtheg
Engager

Did you figure this out? Same issue here

0 Karma

jensonthottian
Contributor

props.conf:

[your-sourcetype]
SED-remove_data = s/

A regex for "CreateKey", maybe:

[default]
TRANSFORMS-remove_events = CreateKey

0 Karma
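The two answers above describe two different places to drop these events: majerus's inputs.conf change stops the universal forwarder from collecting any registry activity by svchost.exe at all, while jensonthottian's TRANSFORMS- entry points at the standard Splunk nullQueue routing, which discards matching events at parse time on the indexer or heavy forwarder. The transforms.conf side of that second approach is not shown in the thread, so here is a complete, added example (not from the thread or from Splunk_TA_windows) that drops only the specific event John pasted. The stanza name drop_svchost_classes_createkey is hypothetical, and the REGEX assumes the raw WinRegistry event is laid out line by line exactly as in the question, with process_image immediately followed by registry_type and key_path.

```ini
# props.conf (same app as the WinRegistry stanza on the indexer / heavy forwarder)
# Added example: attach a routing transform to the WinRegistry sourcetype.
[WinRegistry]
TRANSFORMS-drop_svchost_classes_createkey = drop_svchost_classes_createkey

# transforms.conf (hypothetical stanza name)
# Added example: match the noisy event on three consecutive raw lines and
# send it to nullQueue so it is never indexed. Backslashes in the Windows
# path are doubled because REGEX is a PCRE pattern; (?i) makes the match
# case-insensitive since Windows paths are not case-sensitive.
[drop_svchost_classes_createkey]
REGEX = (?i)process_image="c:\\Windows\\System32\\svchost\.exe"\s+registry_type="CreateKey"\s+key_path="HKLM\\software\\classes"
DEST_KEY = queue
FORMAT = nullQueue
```

Because this matches on process, registry_type and key_path together, registry activity from svchost.exe that is not this CreateKey-on-HKLM\software\classes pattern is still indexed, which is the main difference from the proc = ^((?!(reg.exe|svchost.exe)).)*$ approach above (that regex drops every registry event from reg.exe and svchost.exe, and its unescaped dots also match any character). The nullQueue approach does not reduce forwarder-to-indexer traffic, since the universal forwarder still sends the events, but it also does not count against the license, because discarded events are never indexed. After deploying, confirm with a search over the last few minutes that the event count for that key_path drops to zero while other WinRegistry events keep arriving.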

dolejh76
Communicator

Can you expand on this a little, please? I usually try to interpret what answers are and then am wrong and mess it up...

Saying that, on the props.conf I listed above, /opt/splunk/etc/deployment-apps/Splunk_TA_windows/default/props.conf?

I googled SED-remove_data and it says this is to remove "part" of an event? I would like to not get this event at all; it just seems like a waste of space to keep this one.

Thanks
John

0 Karma