Splunk Search

How can i use splunk to query windows registry

manjunath6681
New Member

I have a .NET web site that is deployed on windows server(2003,2008,2012). My Application contains 6 MSIs which will create registry entry with the version number of the MSI installed on the server.

Can i use splunk to read registry keys and display the MSI versions installed on all my servers ?

Note: I dont want splunk to create an error or event when the registry key is created,updated or deleted. I only want it to show what is the current MSI version installed on the server by reading the registry key.

Tags (1)
0 Karma

thielethomas
Explorer

Hi@all,

registry monitor is not the way to get this done. Try using scheduled Batch skript:
reg query and pipe it to a Textfile , then monitor this file

adonio
Ultra Champion

hello there,
check this in docs: https://docs.splunk.com/Documentation/Splunk/6.5.3/Data/MonitorWindowsregistrydata
it covers that topic in detail
hope it helps

0 Karma

manjunath6681
New Member

I configured this. but the problem is, This will only generate events when there is an SET,UPDATE,DELETE... happens to the registry.
I have 6 MSIs.. only 2 are frequently updated and the remaining 4 are rarely updated. I am getting the MSI versions of the 2 which updates frequently but the remaining 4 that are not recently updated are unavailable on splunk.

I do not want splunk to monitor any events that occur on the registry path, instead i just want splunk to read all the keys in the given path and display it to me.

0 Karma

alemarzu
Motivator

Hi there, I don't believe you can query Windows Registry as DBX does to a DB, but theres a modular input for that type of data and runs as a process called splunk-regmon.exe.

Create an input and then search or report on it.

Check this out: https://docs.splunk.com/Documentation/Splunk/6.5.3/Data/MonitorWindowsregistrydata

Hope it helps.

0 Karma

manjunath6681
New Member

I configured this. but the problem is, This will only generate events when there is an SET,UPDATE,DELETE... happens to the registry.
I have 6 MSIs.. only 2 are frequently updated and the remaining 4 are rarely updated. I am getting the MSI versions of the 2 which updates frequently but the remaining 4 that are not recently updated are unavailable on splunk.

I do not want splunk to monitor any events that occur on the registry path, instead i just want splunk to read all the keys in the given path and display it to me.

0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Splunk is officially part of Cisco

Revolutionizing how our customers build resilience across their entire digital footprint.   Splunk ...

Splunk APM & RUM | Planned Maintenance March 26 - March 28, 2024

There will be planned maintenance for Splunk APM and RUM between March 26, 2024 and March 28, 2024 as ...