Windows process monitoring
Starting with version 3.4.2 of Splunk, you can enable native Windows process monitoring within Splunk. Because this can generate a high volume of events, this is not enabled by default. If you enable this feature, you can reduce the volume of events by creating regular expressions to filter out data you do not want sent to Splunk using the information in this topic.
It works the same way as configuring registry monitoring:
- sysmon.conf contains global settings for which event types to monitor, which regular expression filters from the procmon-filters.conf file to use, and whether or not Windows process events are monitored at all.
- procmon-filters.conf contains the specific regular expressions you create to refine and filter the process events you want Splunk to monitor.
sysmon.conf contains a stanza called [ProcessMonitor], where you specify:
- event_types: the superset of process event types you want to monitor. Can be create, exit, image.
- active_filters: the list of regular expression filters you've defined in procmon-filters.conf that specify exactly which processes you want Splunk to monitor. This is a comma-separated list of the stanza names from procmon-filters.conf. You can use wildcards, which can be useful if you want to name and invoke groups of related or similar filters based on a naming convention. If a given filter is not named in this list, it will not be used, even if it is present in procmon-filters.conf. This means you can turn monitoring on and off for various filters or groups of filters as desired.
- disabled: whether to monitor process events or not. Set this to 0 to disable Windows process monitoring altogether.
- inclusive: whether the filters of this monitor are inclusive or exclusive filters. Values can be 0 or 1; the default value is 1 (inclusive).
- filter_file_name: specifies the name of the file containing the filters for this monitor, which should be procmon-filters.conf by default.
Each stanza in procmon-filters.conf represents a particular filter whose definition includes:
- proc: a regular expression containing the path to the process or processes you want to monitor.
- hive: not used in this context; it is specific to the registry monitor and should always be set to ".*" (dot star).
- type: the subset of event types to monitor. The values here must be a subset of the values for event_types that you set in sysmon.conf.
Note: You must restart Splunk if you change these configuration files.
The following are the default settings if you enable process monitoring:
The stanza in sysmon.conf:

    [ProcessMonitor]
    filter_file_name = procmon-filters
    event_types = create.*|exit.*|image.*
    active_filters = "not-splunk-optimize"
    inclusive = 0
    disabled = 1

The corresponding individual filter stanzas in procmon-filters.conf:

    [default]
    hive = .*

    [not-splunk-optimize]
    proc = splunk-optimize.exe
    type = create|exit|image
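As an added illustration (not Splunk's own code), the following Python models how the two files combine to decide whether a process event reaches Splunk, including the active_filters wildcard, the per-filter type subset, and the inclusive/exclusive switch. It assumes, since the page does not say, that active_filters wildcards are shell-style globs over stanza names, that proc is searched within the full executable path, and that inclusive = 1 forwards only matching events while inclusive = 0 drops them; both file contents are constructed samples.

```python
import configparser
import fnmatch
import re

# Constructed sample sysmon.conf: exclusive mode, wildcard in active_filters.
SYSMON_CONF = """
[ProcessMonitor]
filter_file_name = procmon-filters
event_types = create.*|exit.*|image.*
active_filters = "not-splunk-*"
inclusive = 0
disabled = 0
"""
# Constructed sample procmon-filters.conf; audit-powershell is defined but not
# named by active_filters, so it must be ignored.
PROCMON_FILTERS_CONF = """
[default]
hive = .*
[not-splunk-optimize]
proc = splunk-optimize.exe
type = create|exit|image
[not-splunk-helper]
proc = splunk-.*helper.*\\.exe
type = create
[audit-powershell]
proc = .*powershell\\.exe
type = create
"""

def load(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp

def active_filters(sysmon, filters):
    """Stanza names enabled by active_filters; wildcards treated as globs (assumption)."""
    patterns = [p.strip().strip('"') for p in sysmon["ProcessMonitor"]["active_filters"].split(",")]
    return [n for n in filters.sections()
            if n != "default" and any(fnmatch.fnmatch(n, p) for p in patterns)]

def is_forwarded(sysmon, filters, proc_path, event_type):
    """Would this process event be sent to Splunk under the two files?"""
    mon = sysmon["ProcessMonitor"]
    if mon.get("disabled", "0") == "1" or not re.fullmatch(mon["event_types"], event_type):
        return False  # monitoring off, or event type outside the superset
    # proc is searched within the full path; type must be in the filter's subset.
    matched = any(re.search(filters[n]["proc"], proc_path)
                  and re.fullmatch(filters[n]["type"], event_type)
                  for n in active_filters(sysmon, filters))
    # inclusive = 1: only matching events are sent; inclusive = 0: matches are dropped.
    return matched if mon.get("inclusive", "1") == "1" else not matched
```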
This documentation applies to the following versions of Splunk: 3.4.2, 3.4.3, 3.4.5, 3.4.6, 3.4.8, 3.4.9, 3.4.10, 3.4.11, 3.4.12, 3.4.13, 3.4.14