sysmon.conf
The following are the spec and example files for sysmon.conf.
sysmon.conf.spec
# Copyright (C) 2005-2010 Splunk Inc. All Rights Reserved. Version 4.0
#
# This file contains possible attribute/value pairs for configuring registry monitoring
# on a Windows system, including global settings for which event types (adds, deletes, renames,
# and so on) to monitor, which regular expression filters from the regmon-filters.conf file to use,
# and whether or not Windows registry events are monitored at all.
# This file is used in conjunction with regmon-filters.conf.
# You must restart Splunk to enable configurations.
#
# To learn more about configuration files (including precedence) please see the documentation
# located at http://www.splunk.com/base/Documentation/latest/Admin/Aboutconfigurationfiles

[<stanza name>]
    * Defaults to [RegistryMonitor]
    * Follow this stanza name with the following attribute/value pairs

filter_file_name = <string>
    * String representing the name of the file where filters for this monitor are stored

event_types = <string>
    * Regex string specifying the type of events to monitor. Can be delete, set, create, rename, open, close, query.

inclusive = <1 or 0>
    * 1 to specify that filter rules specified in active_filters field are inclusive (white list), 0 the filter rules are exclusive (black list)

disabled = <1 or 0>
    * 1 to disable, 0 to enable.
sysmon.conf.example
# Copyright (C) 2005-2010 Splunk Inc. All Rights Reserved. Version 4.0
#
# This file contains an example configuration for monitoring changes
# to the Windows registry. Refer to sysmon.conf.spec for details.
# The following is an example of a registry monitor filter and process monitor filter.
# To create your own filters, modify the values using the information in
# regmon-filters.conf.spec.
#
# To use one or more of these configurations, copy the configuration block into
# sysmon-filters.conf in $SPLUNK_HOME/etc/system/local/. You must restart Splunk to enable configurations.
#
# To learn more about configuration files (including precedence) please see the documentation
# located at http://www.splunk.com/base/Documentation/latest/Admin/Aboutconfigurationfiles

[RegistryMonitor]
filter_file_name = regmon-filters
event_types = set.*|create.*|delete.*|rename.*
disabled = 0

[ProcessMonitor]
filter_file_name = procmon-filters
event_types = create.*|exit.*|image.*
inclusive = 0
disabled = 1
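As an added example (not Splunk's own code or documentation), the following Python script parses the stanzas of a sysmon.conf, checks each against the attribute rules in the spec above, and reports which of the spec's registry event types an enabled stanza's event_types regex actually selects. The sample configuration is constructed from the example file; the ProcessMonitor event names are not defined by the spec on this page, so the regex-coverage check is applied only to the RegistryMonitor stanza.

```python
import configparser
import re

# Event types named in sysmon.conf.spec on this page (ProcessMonitor types are not listed there).
KNOWN_EVENT_TYPES = ("delete", "set", "create", "rename", "open", "close", "query")
KNOWN_KEYS = {"filter_file_name", "event_types", "inclusive", "disabled"}

# Constructed sample: the two stanzas from sysmon.conf.example, without the header comments.
SAMPLE_CONF = """
[RegistryMonitor]
filter_file_name = regmon-filters
event_types = set.*|create.*|delete.*|rename.*
disabled = 0

[ProcessMonitor]
filter_file_name = procmon-filters
event_types = create.*|exit.*|image.*
inclusive = 0
disabled = 1
"""

def parse_sysmon_conf(text):
    """Parse stanzas into {stanza: {attribute: value}}; interpolation is off so '%' in regexes is safe."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return {name: dict(cp[name]) for name in cp.sections()}

def validate_stanza(name, attrs):
    """Return problems: unknown attributes, flags outside 0/1, a regex that does not compile,
    or (RegistryMonitor only) a regex selecting none of the spec's event types."""
    problems = [f"{name}: unknown attribute '{k}'" for k in attrs if k not in KNOWN_KEYS]
    for flag in ("inclusive", "disabled"):
        if flag in attrs and attrs[flag] not in ("0", "1"):
            problems.append(f"{name}: {flag} must be 0 or 1, got '{attrs[flag]}'")
    if "event_types" in attrs:
        try:
            rx = re.compile(attrs["event_types"])
        except re.error as err:
            problems.append(f"{name}: event_types does not compile: {err}")
        else:
            if name == "RegistryMonitor" and not any(rx.fullmatch(t) for t in KNOWN_EVENT_TYPES):
                problems.append(f"{name}: event_types selects none of {KNOWN_EVENT_TYPES}")
    return problems

def monitored_event_types(attrs):
    """Spec-listed event types an enabled stanza's regex selects; empty when disabled = 1."""
    if attrs.get("disabled", "0") == "1" or "event_types" not in attrs:
        return []
    rx = re.compile(attrs["event_types"])
    return [t for t in KNOWN_EVENT_TYPES if rx.fullmatch(t)]
```

Running the checks before a restart catches a misspelled attribute or an event_types pattern that silently matches nothing, which would otherwise leave the registry unmonitored without any error.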
This documentation applies to the following versions of Splunk: 4.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6, 4.0.7, 4.0.8, 4.0.9, 4.0.10, 4.0.11