Windows registry input

Windows registry input

Splunk supports the capture of Windows registry settings and lets you monitor changes to the registry. You can know when registry entries are added, updated, and deleted. When a registry entry is changed, Splunk captures the name of the process that made the change and the key path from the hive to the entry being changed.

The Windows registry input monitor application runs as a process called splunk-regmon.exe.

Note: This feature is not currently supported on Windows 2000 due to an issue with a Windows 2000 dll (PSAPI.DLL).

Warning: Do not stop or kill the splunk-regmon.exe process manually; this could result in system instability. To stop the process, stop the Splunk server process from the Windows Task Manager or from within Splunk Web.

How it works

Windows registries can be extremely dynamic (thereby generating a great many events). Splunk provides a two-tiered configuration for fine-tuning the filters that are applied to the registry event data coming into Splunk.

Splunk Windows registry monitoring uses two configuration files to determine what to monitor on your system, sysmon.conf and regmon-filters.conf, both located in $SPLUNK_HOME\etc\system\local\. These configuration files work as a hierarchy:

• sysmon.conf contains global settings for which event types (adds, deletes, renames, and so on) to monitor, which regular expression filters from the regmon-filters.conf file to use, and whether or not Windows registry events are monitored at all.
• regmon-filters.conf contains the specific regular expressions you create to refine and filter the hive key paths you want Splunk to monitor.

sysmon.conf contains only one stanza, where you specify:

• event_types: the superset of registry event types you want to monitor. Can be delete, set, create, rename, open, close, query.
• active_filters: the list of regular expression filters you've defined in regmon-filters.conf that specify exactly which processes and hive paths you want Splunk to monitor. This is a comma-separated list of the stanza names from regmon-filters.conf. You can use wildcards, which can be useful in case you want to name and invoke groups of related or similar filters based on a naming convention. If a given filter is not named in this list, it will not be used, even if it is present in regmon-filters.conf. This means you can turn on and off monitoring for various filters or groups of filters as desired.
• disabled: whether to monitor registry settings changes or not. Set this to 0 to disable Windows registry monitoring altogether.

Each stanza in regmon-filters.conf represents a particular filter whose definition includes:

• proc: a regular expression containing the path to the process or processes you want to monitor
• hive: a regular expression containing the hive path to the entry or entries you want to monitor. Splunk supports the root key value mappings predefined in Windows:
  • \\REGISTRY\\USER\\ maps to HKEY_USERS or HKU
  • \\REGISTRY\\USER\\ maps to HKEY_CURRENT_USER or HKCU
  • \\REGISTRY\\USER\\_Classes maps to HKEY_CLASSES_ROOT or HKCR
  • \\REGISTRY\\MACHINE maps to HKEY_LOCAL_MACHINE or {{HKLM
  • \\REGISTRY\\MACHINE\\SOFTWARE\\Classes maps to HKEY_CLASSES_ROOT or HKCR
  • \\REGISTRY\\MACHINE\\SYSTEM\\CurrentControlSet\\Hardware Profiles\\Current maps to HKEY_CURRENT_CONFIG or HKCC
• type: the subset of event types to monitor. Can be delete, set, create, rename, open, close, query. The values here must be a subset of the values for event_types that you set in sysmon.conf.
• baseline: whether or not to capture a baseline snapshot for that particular hive path. 0 for no and 1 for yes.
• baseline interval: how long Splunk has to have been down before re-taking the snapshot, in seconds. The default value is 24 hours.

Get a baseline snapshot

When you install Splunk, you're given the option of recording a baseline snapshot of your registry hives the next time Splunk starts. By default, the snapshot covers the entirety of the user keys and machine keys hives. It also establishes a timeline for when to retake the snapshot; by default, if Splunk has been down for more than 24 hours since the last checkpoint, it will retake the baseline snapshot. You can customize this value for each of the filters in regmon-filters.conf by setting the value of baseline interval.

Note: Executing a splunk clean all -f deletes the current baseline snapshot.

What to consider

When you install Splunk on a Windows machine and enable registry monitoring, you specify which major hive paths to monitor: key users (HKEY) and/or key local machine (HKLM). Depending on how dynamic you expect the registry to be on this machine, checking both could result in a great deal of data for Splunk to monitor. If you're expecting a lot of registry events, you may want to specify some filters in regmon-filters.conf to narrow the scope of your monitoring immediately after you install Splunk and enable registry event monitoring but before you start Splunk up.

Similarly, you have the option of capturing a baseline snapshot of the current state of your Windows registry when you first start Splunk, and again every time a specified amount of time has passed. The baselining process can be somewhat processor-intensive, and may take several minutes. You can postpone taking a baseline snapshot until you've edited regmon-filters.conf and narrowed the scope of the registry entries to those you specifically want Splunk to monitor.

Configure Windows registry input

Look at inputs.conf to see the default values for Windows registry input. They are also shown below. If you want to make changes to the default values, edit a copy of inputs.conf in $SPLUNK_HOME\etc\system\local\. You only have to provide values for the parameters you want to change within the stanza. For more information about how to work with Splunk configuration files, refer to How do configuration files work?

[script://$SPLUNK_HOME\bin\scripts\splunk-regmon.py]
interval = 60
sourcetype = WinRegistry
source = WinRegistry
disabled = 0

• source: labels these events as coming from the registry.
• sourcetype: assigns these events as registry events.
• interval: specifies how frequently to poll the registry for changes, in seconds.
• disabled: indicates whether the feature is enabled. Set this to 1 to disable this feature.

• Was this topic useful?
• Post a comment