Monitor Windows Registry data
Splunk supports the capture of Windows registry settings and lets you monitor changes to the registry. You can know when registry entries are added, updated, and deleted. When a registry entry is changed, Splunk captures the name of the process that made the change and the key path from the hive to the entry being changed.
The Windows registry input monitor application runs as a process called splunk-regmon.exe.
Warning: Do not stop or kill the splunk-regmon.exe process manually; this could result in system instability. To stop the process, stop the Splunkd server process from the Services control panel.
What to consider
When you install Splunk on a Windows machine and enable registry monitoring, you specify which major hive paths to monitor: user (HKEY_USERS) and/or machine (HKEY_LOCAL_MACHINE).
Depending on how dynamic you expect the registry to be on this machine, checking both could result in a great deal of data for Splunk to monitor. If you're expecting a lot of registry events, you may want to specify some filters in regmon-filters.conf to narrow the scope of your monitoring immediately after you install Splunk and enable registry event monitoring, but before you start Splunk.
Similarly, you have the option of capturing a baseline snapshot of the current state of your Windows registry when you first start Splunk, and again every time a specified amount of time has passed. The baselining process can be somewhat processor-intensive, and may take several minutes. You can postpone taking a baseline snapshot until you've edited regmon-filters.conf and narrowed the scope of the registry entries to those you specifically want Splunk to monitor.
Enable Registry monitoring in Splunk Web
Splunk on Windows comes with Registry monitoring configured but disabled by default. You can perform a one-time baseline index and then separately enable ongoing monitoring for machine and/or user keys. To do this:
1. In Splunk Web, click Manager in the upper right corner.
2. Click Data inputs > Registry Monitoring.
3. Choose Machine keys or User keys and enable the baseline and ongoing monitoring as desired.
4. Click Save.
How it works: the details
Windows registries can be extremely dynamic (thereby generating a great many events). Splunk provides a two-tiered configuration for fine-tuning the filters that are applied to the registry event data coming into Splunk.
Splunk Windows registry monitoring uses two configuration files to determine what to monitor on your system, sysmon.conf and the filter rules file referenced by it. By default, the filter rules file is named regmon-filters.conf, but you can define its name within sysmon.conf by using the filter_file_name attribute. Both of these files need to reside in $SPLUNK_HOME\etc\system\local\.
The two configuration files work as a hierarchy:
- sysmon.conf contains global settings for which event types (adds, deletes, renames, and so on) to monitor, which regular expression filters from the filter rules file to use, and whether or not Windows registry events are monitored at all.
- The filter rules file (by default named regmon-filters.conf) contains the specific regular expressions you create to refine and filter the Registry hive key paths you want Splunk to monitor.
sysmon.conf contains only one stanza, where you specify:
- event_types: the superset of registry event types you want to monitor. Can be any of delete, set, create, rename, open, close, query.
- filter_file_name: the file that Splunk should access for filter rules for this monitor. For example, if the attribute is set to regmon-filters, then Splunk looks in regmon-filters.conf for filter rule information.
- inclusive: whether the filter rules listed in the file specified by filter_file_name are inclusive (meaning Splunk should only monitor what is listed there) or exclusive (meaning Splunk should monitor everything except what is listed there). Set this value to 1 to make the filter rules inclusive, and 0 to make them exclusive.
- disabled: whether to monitor registry settings changes or not. Set this to 1 to disable Windows registry monitoring altogether.
Each stanza in regmon-filters.conf represents a particular filter whose definition includes:
- proc: a regular expression containing the path to the process or processes you want to monitor.
- hive: a regular expression containing the hive path to the entry or entries you want to monitor. Splunk supports the root key value mappings predefined in Windows:
  - \\REGISTRY\\USER\\ maps to HKEY_USERS or HKU
  - \\REGISTRY\\USER\\_Classes maps to HKEY_CLASSES_ROOT or HKCR
  - \\REGISTRY\\MACHINE maps to HKEY_LOCAL_MACHINE or HKLM
  - \\REGISTRY\\MACHINE\\SOFTWARE\\Classes maps to HKEY_CLASSES_ROOT or HKCR
  - \\REGISTRY\\MACHINE\\SYSTEM\\CurrentControlSet\\Hardware Profiles\\Current maps to HKEY_CURRENT_CONFIG or HKCC
  Note: There is no direct mapping for HKEY_CURRENT_USER or HKCU, as the Splunk Registry monitor runs in kernel mode. However, using \\REGISTRY\\USER\\.* (note the period and asterisk at the end) will generate events that contain the logged-in user's security identifier (SID). Alternatively, you can specify the user whose registry keys you wish to monitor by using \\REGISTRY\\USER\\<SID>, where SID is the SID of the desired user.
- type: the subset of event types to monitor. Can be delete, set, create, rename, open, close, query. The values here must be a subset of the values for event_types that you set in sysmon.conf.
- baseline: whether or not to capture a baseline snapshot for that particular hive path. Set to 0 for no, and 1 for yes.
- baseline_interval: how long Splunk has to have been down before re-taking the snapshot, in seconds. The default value is 86,400 seconds, or 24 hours.
- disabled: whether or not a filter is enabled. Set to 0 to enable the filter, and 1 to disable it.
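The two rules above that are easiest to get wrong are that proc and hive are regular expressions and that a filter's type values must be a subset of the event_types in sysmon.conf. The following added checker (not part of the page or of Splunk) parses constructed sample copies of both files with Python's configparser, flags those mistakes, and maps each hive regex back to the root-key abbreviation from the table above; the stanza name [RegistryMonitor] and the Run-key path in the sample are assumptions.

```python
import configparser
import re
# Root-key mappings from this page, written as they appear inside a hive regex; longest prefix first.
ROOT_KEYS = [
    (r"\\REGISTRY\\MACHINE\\SOFTWARE\\Classes", "HKCR"),
    (r"\\REGISTRY\\USER\\_Classes", "HKCR"),
    (r"\\REGISTRY\\MACHINE", "HKLM"),
    (r"\\REGISTRY\\USER\\", "HKU"),
]
# Constructed sample files; the stanza names and the Run-key path are assumptions, not from the page.
SYSMON_CONF = "[RegistryMonitor]\nevent_types = set, create, delete, rename\ninclusive = 1\n"
REGMON_FILTERS_CONF = r"""[hklm_run_keys]
proc = .*
hive = \\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run.*
type = set, create, delete
[broken_user_filter]
proc = C:\\Windows\\[unclosed
hive = \\REGISTRY\\USER\\.*
type = set, open, query
"""
def load(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp

def split_list(value):
    return {v.strip() for v in value.split(",") if v.strip()}

def root_key(hive_regex):
    # Friendly root name (HKLM, HKU, HKCR) for a hive regex, or None if unrecognised.
    return next((n for prefix, n in ROOT_KEYS if hive_regex.startswith(prefix)), None)

def check_filters(sysmon_text, filters_text):
    # Return {stanza: [problems]} for each filter stanza; an empty list means it passed.
    allowed = split_list(load(sysmon_text)["RegistryMonitor"]["event_types"])
    filters, report = load(filters_text), {}
    for name in filters.sections():
        st, errs = filters[name], []
        for key in ("proc", "hive"):  # both fields are regexes, so they must at least compile
            try:
                re.compile(st.get(key, ""))
            except re.error as e:
                errs.append(f"{key} is not a valid regex: {e}")
        if root_key(st.get("hive", "")) is None:
            errs.append("hive does not start with a known \\REGISTRY root")
        types = split_list(st.get("type", ""))
        if not types <= allowed:  # page rule: type must be a subset of sysmon.conf event_types
            errs.append(f"type(s) not enabled in sysmon.conf: {sorted(types - allowed)}")
        report[name] = errs
    return report
```

Running check_filters(SYSMON_CONF, REGMON_FILTERS_CONF) passes the first stanza and reports two problems for the second: the unterminated character class in proc, and the open and query types that sysmon.conf never enabled.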
Get a baseline snapshot
When you enable Registry monitoring, you're given the option of recording a baseline snapshot of your registry hives the next time Splunk starts. By default, the snapshot covers the entirety of the user keys and machine keys hives. It also establishes a timeline for when to retake the snapshot; by default, if Splunk has been down for more than 24 hours since the last checkpoint, it will retake the baseline snapshot. You can customize this value for each of the filters in regmon-filters.conf by setting the value of baseline_interval.
Note: The baseline_interval attribute is expressed in seconds.
Note: Executing a splunk clean all -f from the CLI deletes the current baseline snapshot.
Change the default Windows registry input values
Look at inputs.conf to see the default values for Windows registry input. They are also shown below.
To make changes to the default values, edit a copy of inputs.conf in $SPLUNK_HOME\etc\system\local\. Provide new values for only the parameters you want to change within the [script://$SPLUNK_HOME\bin\scripts\splunk-regmon.path] stanza. There's no need to edit the other values. For more information about how to work with Splunk configuration files, refer to "About configuration files".
[script://$SPLUNK_HOME\bin\scripts\splunk-regmon.path]
interval = 60
sourcetype = WinRegistry
source = WinRegistry
disabled = 0
- source: labels these events as coming from the registry.
- sourcetype: assigns these events as registry events.
- interval: specifies how frequently to poll the registry for changes, in seconds.
- disabled: indicates whether the feature is enabled. Set this to 1 to disable this feature.
Note: The Splunk registry input monitoring script (splunk-regmon.path) is configured as a scripted input. Do not change this value.
Note: You must use two backslashes \\ to escape wildcards in stanza names in inputs.conf. Regexes with backslashes in them are not currently supported when specifying paths to files.
This documentation applies to the following versions of Splunk: 4.1, 4.1.1, 4.1.2, 4.1.3, 4.1.4, 4.1.5, 4.1.6, 4.1.7, 4.1.8
In the regmon-filters.conf could you please indicate what are mandatory fields if there are any?
For ex: Are "proc" AND "hive" both required?
Also, for "type" it requires that the values be a subset of "event-types". Can they also be exactly the same in case I'd like to monitor all of those activities?