regmon-filters.conf
The following are the spec and example files for regmon-filters.conf.
regmon-filters.conf.spec
# Copyright (C) 2005-2011 Splunk Inc. All Rights Reserved. Version 4.2.2
#
# This file contains potential attribute/value pairs to use when
# configuring Windows Registry monitoring. The regmon-filters.conf file
# is used in conjunction with sysmon.conf, and contains the specific
# regular expressions you create to refine and filter the Registry key
# paths you want Splunk to monitor.
#
# NOTE: If you specify a different file name in the "filter_file_name"
# attribute in sysmon.conf, Splunk will open and read the contents of
# that file to get filter rules information.
#
# You must restart Splunk to enable configurations.
#
# To learn more about configuration files (including precedence) please see the
# documentation located at
# http://www.splunk.com/base/Documentation/latest/Admin/Aboutconfigurationfiles

[<stanza name>]
* The name of the filter being defined.

proc = <regular expression>
* If set, is matched against the process name which performed the Registry access.
* Events generated by processes that do not match the regular expression are filtered out.
* Events generated by processes that match the regular expression are passed through.
* There is no default.

hive = <regular expression>
* If set, is matched against the registry key which was accessed.
* Events generated by processes that do not match the regular expression are filtered out.
* Events generated by processes that match the regular expression are passed through.
* There is no default.

type = <string>
* A regular expression that specifies the type(s) of Registry event(s) that you want Splunk to monitor.
* This must be a subset of those defined for the "event_types" attribute in sysmon.conf.
* There is no default.

baseline = [0|1]
* Specifies whether or not to establish a baseline value for the Registry keys that this filter defines.
* 1 to establish a baseline, 0 not to establish one.
* Defaults to 0 (do not establish a baseline).

baseline_interval = <integer>
* The threshold, in seconds, for how long Splunk has to have been down before re-taking the snapshot.
* Defaults to 86400 (1 day).

disabled = [0|1]
* Specifies whether the input is enabled or not.
* 1 to disable the input, 0 to enable it.
* Defaults to 0 (enabled).

index = <string>
* Specifies the index that this input should send the data to.
* This attribute is optional.
* If no value is present, defaults to the default index.
regmon-filters.conf.example
# Copyright (C) 2005-2011 Splunk Inc. All Rights Reserved. Version 4.2.2
#
# This file contains example filters for use by the Splunk Registry
# monitor scripted input.
#
# To use one or more of these configurations, copy the configuration block into
# regmon-filters.conf in $SPLUNK_HOME/etc/search/local/. You must restart Splunk
# to enable configurations.
#
# To learn more about configuration files (including precedence) please see the
# documentation located at
# http://www.splunk.com/base/Documentation/latest/Admin/Aboutconfigurationfiles

# The following are examples of Registry monitor filters. To create your own
# filter, modify the values by following the specification outlined in
# regmon-filters.conf.spec.

[default]
disabled = 1
baseline = 0
baseline_interval = 86400

# Monitor all registry keys under the HKEY_CURRENT_USER Registry hive for
# "set," "create," "delete," and "rename" events created by all processes.
# Store the events in the "regmon" splunk index
[User keys]
proc = \\Device\\.*
hive = \\REGISTRY\\USER\\.*
type = set|create|delete|rename
index = regmon
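The following script is an added example, not Splunk's own code or part of this page: it loads a regmon-filters.conf written to the spec above and replays a few constructed Registry events through the proc, hive and type filters, so a filter set can be checked before it is deployed. It assumes whole-string regular-expression matching and treats an unset proc/hive/type as "match everything"; the page does not state either detail. The sample conf copies the [User keys] stanza from the example file, which inherits disabled = 1 from [default] because it never sets disabled itself, and adds a hypothetical [Run keys] stanza that does.

```python
import configparser
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample regmon-filters.conf. [User keys] is the stanza from the
# example file on this page; [Run keys] is hypothetical and sets disabled = 0.
SAMPLE_CONF = r"""
[default]
disabled = 1
baseline = 0
baseline_interval = 86400

[User keys]
proc = \\Device\\.*
hive = \\REGISTRY\\USER\\.*
type = set|create|delete|rename
index = regmon

[Run keys]
disabled = 0
proc = \\Device\\.*
hive = \\REGISTRY\\USER\\.*\\CurrentVersion\\Run.*
type = set|create|delete|rename
index = regmon
"""


@dataclass
class RegmonFilter:
    name: str
    disabled: bool
    proc: Optional[re.Pattern]
    hive: Optional[re.Pattern]
    event_type: Optional[re.Pattern]
    index: str


@dataclass
class RegistryEvent:
    process: str      # process name as the Registry monitor reports it
    key: str          # full Registry key path that was accessed
    event_type: str   # one of the sysmon.conf event_types, e.g. "set"


def _compile(value: Optional[str]) -> Optional[re.Pattern]:
    # Unset attribute -> no constraint (assumption, see lead-in).
    return re.compile(value) if value is not None else None


def load_filters(conf_text: str) -> List[RegmonFilter]:
    # Splunk's [default] stanza supplies defaults to every other stanza;
    # configparser models that with default_section.
    cfg = configparser.ConfigParser(default_section="default", interpolation=None)
    cfg.read_string(conf_text)
    filters = []
    for name in cfg.sections():
        filters.append(RegmonFilter(
            name=name,
            disabled=cfg.get(name, "disabled", fallback="0").strip() == "1",
            proc=_compile(cfg.get(name, "proc", fallback=None)),
            hive=_compile(cfg.get(name, "hive", fallback=None)),
            event_type=_compile(cfg.get(name, "type", fallback=None)),
            # "defaults to the default index" per the spec; "main" is assumed here
            index=cfg.get(name, "index", fallback="main"),
        ))
    return filters


def _passes(pattern: Optional[re.Pattern], value: str) -> bool:
    # Whole-string match is an assumption; the spec does not say how the
    # regular expression is anchored.
    return pattern is None or pattern.fullmatch(value) is not None


def matching_filters(filters: List[RegmonFilter], event: RegistryEvent) -> List[Tuple[str, str]]:
    """Return (stanza name, index) for every enabled filter the event passes."""
    return [
        (f.name, f.index)
        for f in filters
        if not f.disabled
        and _passes(f.proc, event.process)
        and _passes(f.hive, event.key)
        and _passes(f.event_type, event.event_type)
    ]


# Constructed sample events (SID and paths are made up).
SAMPLE_EVENTS = [
    RegistryEvent(r"\Device\HarddiskVolume1\Windows\explorer.exe",
                  r"\REGISTRY\USER\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
                  "set"),
    RegistryEvent(r"\Device\HarddiskVolume1\Windows\explorer.exe",
                  r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
                  "set"),
    RegistryEvent(r"\Device\HarddiskVolume1\Windows\explorer.exe",
                  r"\REGISTRY\USER\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
                  "open"),
]

if __name__ == "__main__":
    flt = load_filters(SAMPLE_CONF)
    for f in flt:
        print(f"{f.name}: disabled={f.disabled} index={f.index}")
    for ev in SAMPLE_EVENTS:
        print(ev.event_type, ev.key, "->", matching_filters(flt, ev) or "filtered out")
```

Run it as-is to see that [User keys] is reported as disabled even though the stanza looks complete: the example file's [default] sets disabled = 1, and any stanza that does not override it inherits that value. Only the first sample event reaches the regmon index, via [Run keys]; the HKEY_LOCAL_MACHINE event fails the hive regex and the "open" event fails the type regex.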
This documentation applies to the following versions of Splunk: 4.2.2