Monitor Registry and Forward Data

gallantalex
Path Finder

For the past two days I have been working on modifying a Splunk forwarder configuration to monitor certain registries. After playing around with the sysmon.conf, regmon-filters.conf, and inputs.conf files, I have finally created something that works to a certain degree.

When I make changes to a Registry key value located in the hive targeted by the regmon-filters.conf file, Splunk forwards that change to the receiver server. My problem is that I want Splunk to index the registries in the specified hive without the registries having to be modified. I need Splunk to index a certain registry each interval even if the registry value has not changed.

Currently my regmon-filters.conf looks something like this:

    [Test Registries Monitor]
    proc = .*
    hive = \\REGISTRY\\USER\\\.DEFAULT\\Console\\.*
    type = set|create|delete|rename|query
    baseline = 0

I believe I have used all the available 'type's, and all of them require some kind of modification of the registry. I haven't seen anything in the documentation, but can I remove type and just have this registry monitored every interval no matter what?

Also when I set the baseline to true, Splunk indexes all registries in the \REGISTRY\USER\.* hive and not the targeted location. But when I modify a registry, it only indexes keys that are in the entire target location. Why is that?

I really hope someone could help me out with this. This entire process has been really frustrating. Thanks.

0 Karma
1 Solution

southeringtonp
Motivator

As you have seen, baselining will re-scan the entire hive, and only runs once unless Splunk has been offline for some period of time (by default, 1 day). Regular registry monitoring only looks for changes.

Consider one of the following:

  • Use WMI to query the key(s) you are interested in (WMI Examples).
  • Create a scripted input that queries the registry and outputs the results.
  • Create a scheduled task in Windows to dump the registry keys to a .reg file on a schedule, and have Splunk index that file.
  • Use a scheduled search in Splunk to populate a lookup table with the current registry state (not recommended).

    0 Karma


    gallantalex
    Path Finder

    Thanks for your advice. I am able to monitor the registries that I need using a .vbs script. My only problem is that I had to call that script via a batch file, because Splunk does not know to use cscript to run the file when I use the .path file. Thanks anyways.

    0 Karma
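The "scripted input" option from the accepted answer, written out as an added example (this is not code from the thread or from Splunk): a PowerShell script that enumerates every value under a registry key on each run and prints one key=value formatted line per value, whether or not anything changed. The default key path is the thread's HKEY_USERS\.DEFAULT\Console target in PowerShell provider form; the script name and the field names in the output are my own choices. Like the .vbs script in the reply above, it is invoked from a .bat wrapper (for example `powershell.exe -NoProfile -ExecutionPolicy Bypass -File "%~dp0Get-RegistrySnapshot.ps1"`) referenced from a `[script://...]` stanza with an `interval` in inputs.conf, so the forwarder does not need to know how to run the script itself.

```powershell
# Get-RegistrySnapshot.ps1 (added example, not from the original thread)
# Emits a full snapshot of the registry values under $KeyPath every time it runs,
# so Splunk indexes the current state on each interval even when nothing changed.
param(
    # Assumed default: the key the original poster was monitoring.
    [string]$KeyPath = 'Registry::HKEY_USERS\.DEFAULT\Console',
    # Walk subkeys as well as the key itself.
    [switch]$Recurse
)

$ErrorActionPreference = 'Stop'

function Get-RegistrySnapshot {
    param([string]$Path, [bool]$WalkSubkeys)

    # Get-Item on a Registry:: path returns a Microsoft.Win32.RegistryKey.
    $keys = @(Get-Item -LiteralPath $Path)
    if ($WalkSubkeys) {
        $keys += Get-ChildItem -LiteralPath $Path -Recurse
    }

    foreach ($key in $keys) {
        # One timestamp per key keeps related values on the same second.
        $timestamp = (Get-Date).ToString('yyyy-MM-ddTHH:mm:ss.fffK')

        foreach ($valueName in $key.GetValueNames()) {
            $kind = $key.GetValueKind($valueName)
            $data = $key.GetValue($valueName)

            # Keep every event on a single line: hex-encode binary data and
            # join multi-string values, so the forwarder does not split them.
            if ($data -is [byte[]]) {
                $data = ($data | ForEach-Object { $_.ToString('x2') }) -join ''
            } elseif ($data -is [string[]]) {
                $data = $data -join ';'
            }

            # The unnamed default value has an empty name; label it explicitly.
            $name = if ($valueName -eq '') { '(Default)' } else { $valueName }

            # key=value pairs are picked up by Splunk's automatic field extraction.
            '{0} key="{1}" value_name="{2}" type={3} data="{4}"' -f `
                $timestamp, $key.Name, $name, $kind, ([string]$data -replace '"', '\"')
        }
    }
}

Get-RegistrySnapshot -Path $KeyPath -WalkSubkeys $Recurse.IsPresent
```

Because each run re-emits every value, a search over this sourcetype shows the key's state per interval rather than only the deltas that the regmon input produces; the trade-off is index volume, so keep the target key narrow and the interval no shorter than you actually need.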