regmon-filters.conf
regmon-filters.conf.spec
# Copyright (C) 2005-2008 Splunk Inc. All Rights Reserved. Version 3.0
#
# To learn more about configuration files (including precedence) please see the documentation
# located at http://www.splunk.com/base/Documentation/latest/Admin/HowDoConfigurationFilesWork.
[<stanza name>]
* Name of the filter to be applied to a given registry monitor.
proc = <string>
* Regex describing a certain process image that you want to filter on.
hive = <string>
* Regex describing a certain registry key path that you want to filter on.
type = <string>
* Regex describing a certain type of registry event that you want to filter on.
baseline = <int 0|1>
* Whether (1) or not (0) to establish a baseline of the keys that this filter selects for monitoring.
regmon-filters.conf.example
# Copyright (C) 2005-2008 Splunk Inc. All Rights Reserved. Version 3.0
#
# This file contains example registry monitor filters. To create your own filter, use
# the information in regmon-filters.conf.spec.
#
# To use one or more of these configurations, copy the configuration block into
# regmon-filters.conf in $SPLUNK_HOME/etc/system/local/. You must restart Splunk to enable configurations.
#
# To learn more about configuration files (including precedence) please see the documentation
# located at http://www.splunk.com/base/Documentation/latest/Admin/HowDoConfigurationFilesWork.

[default]
baseline = 1
baseline_interval = 86400

[reg-filter-1]
proc = \\Device\\HarddiskVolume2\\Windows\\.*
hive = \\REGISTRY\\USER\\.*
type = set|create|delete|rename
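The following is an added example (not Splunk's own code) showing how the stanzas above can be read and applied to registry events: [default] values are inherited by each named filter, each of proc/hive/type is a regex, and baseline is validated as 0 or 1. It assumes that a filter applies only when every regex it sets matches the whole corresponding event field; the event records and their field values are constructed for illustration.

```python
import configparser
import re

# Constructed copy of the stanzas from regmon-filters.conf.example above.
SAMPLE_CONF = r"""
[default]
baseline = 1
baseline_interval = 86400

[reg-filter-1]
proc = \\Device\\HarddiskVolume2\\Windows\\.*
hive = \\REGISTRY\\USER\\.*
type = set|create|delete|rename
"""

FIELDS = ("proc", "hive", "type")

def load_filters(text):
    """Return {stanza: {key: value}}; [default] values are inherited by every filter.
    Regexes are compiled here so a bad pattern fails at load time, not per event."""
    cp = configparser.RawConfigParser(default_section="default")
    cp.read_string(text)
    filters = {}
    for name in cp.sections():
        f = dict(cp[name])
        if f.get("baseline", "0") not in ("0", "1"):
            raise ValueError(f"{name}: baseline must be 0 or 1")
        for field in FIELDS:
            if field in f:
                f[field] = re.compile(f[field])
        filters[name] = f
    return filters

def event_matches(filt, event):
    """Assumption: every regex the filter sets must match the whole field (fullmatch);
    a field the filter does not set is unconstrained."""
    return all(filt[k].fullmatch(event.get(k, "")) for k in FIELDS if k in filt)

def matching_filters(filters, event):
    return [name for name, filt in filters.items() if event_matches(filt, event)]

def baselined_filters(filters):
    """Names of filters whose selected keys should be baselined (baseline = 1)."""
    return [name for name, f in filters.items() if f.get("baseline") == "1"]

# Constructed registry events in the proc/hive/type shape the filters describe.
EVENTS = [
    {"proc": r"\Device\HarddiskVolume2\Windows\System32\svchost.exe", "type": "set",
     "hive": r"\REGISTRY\USER\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run"},
    {"proc": r"\Device\HarddiskVolume2\Program Files\App\app.exe", "type": "set",
     "hive": r"\REGISTRY\USER\S-1-5-21-1000\Software\App"},            # proc mismatch
    {"proc": r"\Device\HarddiskVolume2\Windows\explorer.exe", "type": "delete",
     "hive": r"\REGISTRY\MACHINE\SOFTWARE\Foo"},                        # hive mismatch
    {"proc": r"\Device\HarddiskVolume2\Windows\explorer.exe", "type": "open",
     "hive": r"\REGISTRY\USER\S-1-5-21-1000\Software\Foo"},            # type mismatch
]
```

Only the first constructed event matches reg-filter-1; the other three each fail exactly one of the three regexes.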
This documentation applies to the following versions of Splunk: 3.3, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.4, 3.4.1, 3.4.2, 3.4.3, 3.4.5, 3.4.6, 3.4.8, 3.4.9, 3.4.10, 3.4.11, 3.4.12, 3.4.13, 3.4.14