sysmon.conf
sysmon.conf.spec
# Copyright (C) 2005-2008 Splunk Inc. All Rights Reserved. Version 3.0
#
# This file contains possible attribute/value pairs for configuring registry monitoring
# on a Windows system, including global settings for which event types (adds, deletes, renames,
# and so on) to monitor, which regular expression filters from the regmon-filters.conf file to use,
# and whether or not Windows registry events are monitored at all.
# This file is used in conjunction with regmon-filters.conf.
# You must restart Splunk to enable configurations.
#
# To learn more about configuration files (including precedence) please see the documentation
# located at http://www.splunk.com/base/Documentation/latest/Admin/HowDoConfigurationFilesWork.
[<stanza name>]
* Defaults to [RegistryMonitor]
* Follow this stanza name with the following attribute/value pairs
event_types = <string>
* Regex matched against the event type names delete, set, create, rename, open, close, query. Only registry events whose type matches the regex are monitored.
active_filters = <string>
* Double-quoted filter names (defined in regmon-filters.conf) that this monitor applies to registry events.
disabled = <1 or 0>
* 1 to disable registry monitoring, 0 to enable it.
sysmon.conf.example
# Copyright (C) 2005-2008 Splunk Inc. All Rights Reserved. Version 3.0
#
# This file contains an example configuration for monitoring changes
# to the Windows registry. Refer to sysmon.conf.spec for details.
# The following is an example of a registry monitor configuration. To create your own filters, modify
# the values using the information in regmon-filters.conf.spec.
#
# To use one or more of these configurations, copy the configuration block into
# sysmon.conf in $SPLUNK_HOME/etc/system/local/. You must restart Splunk to enable configurations.
#
# To learn more about configuration files (including precedence) please see the documentation
# located at http://www.splunk.com/base/Documentation/latest/Admin/HowDoConfigurationFilesWork.
[RegistryMonitor]
event_types = set.*|create.*|delete.*|rename.*
active_filters = "reg-filter-1"
disabled = 0
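The spec above says event_types is a regex and active_filters is a list of double-quoted names, but it does not say which of the seven event types a given regex actually selects, which is the first thing to check before restarting Splunk. The following is an added example, not Splunk code and not part of this page: it parses a [RegistryMonitor] stanza, reports which known event types the event_types regex selects, extracts the quoted filter names, and flags invalid values. The sample configuration text is constructed to mirror sysmon.conf.example, and the code assumes the regex is matched from the start of the event type name (re.match); the page does not state how Splunk anchors it.

```python
import re

# The event type names sysmon.conf.spec lists for event_types.
KNOWN_EVENT_TYPES = ("delete", "set", "create", "rename", "open", "close", "query")

# Constructed sample input, mirroring the [RegistryMonitor] stanza in sysmon.conf.example.
SAMPLE_CONF = """\
# registry monitoring settings (constructed sample, not a real deployment)
[RegistryMonitor]
event_types = set.*|create.*|delete.*|rename.*
active_filters = "reg-filter-1"
disabled = 0
"""


def parse_conf(text):
    """Parse Splunk-style '[stanza]' / 'attribute = value' text into {stanza: {attr: value}}.
    Blank lines and lines starting with '#' are ignored."""
    stanzas = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            raise ValueError(f"cannot parse line: {raw!r}")
        attr, _, value = line.partition("=")
        stanzas[current][attr.strip()] = value.strip()
    return stanzas


def selected_event_types(event_types_regex):
    """Return the known event type names selected by an event_types regex.
    Assumption (not stated on the page): Splunk matches the regex from the start
    of the event type name, which is what re.match does."""
    pattern = re.compile(event_types_regex)
    return [name for name in KNOWN_EVENT_TYPES if pattern.match(name)]


def active_filter_names(value):
    """Pull the double-quoted filter names out of an active_filters value."""
    return re.findall(r'"([^"]*)"', value)


def check_registry_monitor(text, stanza="RegistryMonitor"):
    """Validate the registry monitor stanza in sysmon.conf text.
    Returns (summary, problems): summary describes the effective settings and
    problems is a list of strings, empty when the stanza is acceptable."""
    problems = []
    stanzas = parse_conf(text)
    if stanza not in stanzas:
        return {}, [f"missing [{stanza}] stanza"]
    s = stanzas[stanza]

    disabled = s.get("disabled", "0")
    if disabled not in ("0", "1"):
        problems.append(f"disabled must be 0 or 1, got {disabled!r}")

    selected = []
    if "event_types" not in s:
        problems.append("event_types is not set")
    else:
        try:
            selected = selected_event_types(s["event_types"])
        except re.error as exc:
            problems.append(f"event_types is not a valid regex: {exc}")
        else:
            if not selected:
                problems.append("event_types selects none of the known event types")

    filters = active_filter_names(s.get("active_filters", ""))
    if "active_filters" in s and not filters:
        problems.append("active_filters must list double-quoted filter names")

    summary = {
        "enabled": disabled == "0",
        "event_types": selected,
        "active_filters": filters,
    }
    return summary, problems


if __name__ == "__main__":
    summary, problems = check_registry_monitor(SAMPLE_CONF)
    print(summary)
    for problem in problems:
        print("problem:", problem)
```

Run against the sample stanza, the summary shows that the example's regex selects delete, set, create and rename and leaves open, close and query unmonitored, which is the trade-off the example makes: key reads (open, close, query) are far noisier than writes, but a monitor built from this example will not see a process that only reads a sensitive key. Widen event_types (for example to `.*`) together with a tight regmon-filters.conf filter if read access to specific keys is what you need to detect.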
This documentation applies to the following versions of Splunk: 3.3, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.4, 3.4.1, 3.4.2, 3.4.3, 3.4.5, 3.4.6, 3.4.8, 3.4.9, 3.4.10, 3.4.11, 3.4.12, 3.4.13, 3.4.14