Monitor Windows Registry data
Monitor Windows Registry data
The Windows Registry is the central configuration database on a Windows machine. Nearly all Windows processes and third-party programs interact with it. Without a healthy Registry, Windows will not run. Splunk supports the capture of Windows Registry settings and lets you monitor changes to the Registry in real time.
When a program makes a change to a configuration, it writes those changes to the Registry. An example of this is when a program remembers the last positions of open program windows. Later, when the program is run again, it will look into the Registry to read those configurations. You can learn when Registry entries are added, updated, and deleted by programs and processes on your system. When a Registry entry is changed, Splunk captures the name of the process that made the change, as well as the entire path to the entry being changed.
The Windows Registry input monitor runs as a process called
Why monitor the Registry?
The Registry is probably the most used, yet least understood component of Windows operation. It gets used constantly, with many different programs reading from and writing to it at all times. When something is not functioning as desired, Microsoft often instructs administrators and users alike to make changes to the Registry directly using the RegEdit tool. The ability to capture those edits, and any other changes, in real time is the first step in understanding the importance of the Registry.
The Registry's health is also very important. Splunk not only tells you when changes to the Registry are made, but also whether or not those changes were successful. If programs and processes can't write to or read from the Registry, bad things can happen to your Windows system, including a complete failure. Splunk can alert you to problems interacting with the Registry so that you can restore it from a backup and keep your system running.
What's required to monitor the Registry?
The following table lists the explicit permissions needed to monitor the Registry. You might need additional permissions based on the Registry keys that you want to monitor.
|Monitor the Registry|| * Splunk must run on Windows|
* Splunk must run as either the local system user
* Splunk must run as a domain user with read access to the Registry hives or keys that you want to monitor
When you install Splunk on a Windows machine and enable Registry monitoring, you specify which Registry hives to monitor: the user hive (represented as
HKEY_USERS in RegEdit) and/or the machine hive (represented as
HKEY_LOCAL_MACHINE). The user hive contains user-specific configurations required by Windows and programs, and the machine hive contains configuration information specific to the machine, such as the location of services, drivers, object classes and security descriptors.
Since the Registry plays a central role in the operation of a Windows machine, enabling both Registry paths will likely result in a lot of data for Splunk to monitor. To achieve the best performance, it is recommended to filter the amount of Registry data that Splunk indexes by using
Similarly, you can capture a baseline - a snapshot of the current state of your Windows Registry - when you first start Splunk, and again every time a specified amount of time has passed. The snapshot allows you to compare what the Registry looks like at a certain point in time, and provides for easier tracking of the changes to the Registry over time.
The snapshot process can be somewhat CPU-intensive, and may take several minutes. You can postpone taking a baseline snapshot until you've edited
regmon-filters.conf and narrowed the scope of the Registry entries to those you specifically want Splunk to monitor.
More information on
regmon-filters.conf and how to use it to filter incoming Registry events is available in "Filter incoming Registry events" later on this page.
Enable Registry monitoring in Splunk Web
To configure Splunk to monitor the Windows Registry:
1. In Splunk Web, click Manager in the upper right corner.
2. Under "Data", click Data inputs.
3. Click Registry Monitoring.
4. Click New.
5. In the Collection Name field, enter a unique name for this collection.
6. In the Registry hive field, enter the path to the Registry key that you want Splunk to monitor.
7. If you are not sure of the path, click the Browse button to select the Registry key path that you want Splunk to monitor.
The Registry hive window opens and displays the Registry in tree view. Hives, keys and subkeys are represented by folders, and values are represented by document icons.
HKEY_USERS, HKEY_CURRENT_USER, HKEY_LOCAL_MACHINE, and
HKEY_CURRENT_CONFIG hives are displayed as top-level objects. The
HKEY_CLASSES_ROOT hive is not shown, due to the number of subkeys present in the first sublevel of that hive. To access
HKEY_CLASSES_ROOT items, choose
8. In the Registry hive window, choose the desired Registry key by clicking on the name of the key.
The key's qualified name appears in the Qualified name field at the bottom of the window.
9. Click Select to confirm the choice and close the window.
10. Select Monitor subnodes if you want Splunk to monitor the child nodes below the starting hive you specified in Steps 6 or 7.
Note: The Monitor subnodes node determines what is added to the
regmon-filters.conf file that gets created when you define a Registry monitor input in Splunk Web.
If you use the tree view to select a key or hive to monitor, and Monitor subnodes is checked, then Splunk adds a regular expression (or regex) to the stanza for the input you are defining. This regex (
\\\\?.*) filters out events that do not directly reference the selected key or any of its subkeys.
If Monitor subnodes is not checked, then Splunk adds a regex to the input stanza which filters out events that do not directly reference the selected key (including events that reference subkeys of the selected key.)
If you do not use the tree view to specify the desired key to monitor, then Splunk will add the regex only if Monitor subnodes is checked and you have not entered your own regex in the Registry hive field, as noted in Step 6.
11. Under Event types, select the Registry event types that you want Splunk to monitor for the chosen Registry hive:
|Set||Splunk generates a Set event when a program executes a SetValue method on a Registry subkey, thus setting a value or overwriting an existing value on an existing Registry.|
|Create||Splunk generates a Create event when a program executes a CreateSubKey method within a Registry hive, thus creating a new subkey within an existing Registry hive.|
|Delete||Splunk generates a Delete event when a program executes a DeleteValue or DeleteSubKey method. This method either removes a value for a specific existing key, or removes a key from an existing hive.|
|Rename||Splunk generates a Rename event when you rename a Registry key or subkey in RegEdit.|
|Open||Splunk generates an Open event when a program executes an OpenSubKey method on a Registry subkey, such as what happens when a program needs configuration information contained in the Registry.|
|Close||Splunk generates a Close event when a program executes a Close method on a Registry key. This happens when a program is done reading the contents of a key, or after you make a change to a key's value in RegEdit and exit the value entry window.|
|Query||Splunk generates a Query event when a program executes the GetValue method on a Registry subkey.|
12. Click the checkbox next to More settings for additional options, or click Save to save the changes to the input. If you want to save the input now without making any additional changes, proceed to Step 16.
13. Tell Splunk which processes Splunk should monitor for changes to the Registry by entering appropriate values in the Process Path field. Or, leave the default of
C:\.* to have Splunk monitor all processes.
14. Tell Splunk whether or not you want to take a baseline snapshot of the whole Registry before monitoring Registry changes. To set a baseline, click Yes under Baseline index.
Note: The baseline snapshot is an index of your entire Registry, at the time the snapshot is taken. Scanning the Registry to set a baseline index is a CPU-intensive process and may take some time.
15. Optionally, choose the index you want Splunk to send Registry monitoring events to by selecting the desired index under Index.
16. Click Save.
Splunk enables the input and returns you to the Registry monitoring page.
Note: To disable inputs after they have been enabled, select Disable under the Status column on the "Registry monitoring" page.
Caution: When the Registry monitor is running, do not stop or kill the
splunk-regmon.exe process manually. Doing so can result in system instability. To stop the Registry monitor, stop the
splunkd server process from either the Services control panel or the CLI.
View Registry change data
To view Registry change data that Splunk has indexed, go to the Search app and search for events with a source of
WinRegistry. An example event, which is generated by Group Policy when a user logs in to a domain, follows:
3:03:28.505 PM 06/19/2011 15:03:28.505 event_status="(0)The operation completed successfully." pid=340 process_image="c:\WINDOWS\system32\winlogon.exe" registry_type="SetValue" key_path="HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History\DCName" data_type="REG_SZ" data="\\ftw.ad.splunk.com"
Each registry monitoring event contains:
| || The result of the registry change attempt. This should always be "|
| ||The process ID of the process that attempted to make the Registry change.|
| ||The name of the process that attempted to make the Registry change.|
| || The type of Registry operation that the |
| || The Registry key path that the |
| || The type of Registry data that the |
| || The data that the |
You can use Splunk's search commands and reporting features to create reports based on the incoming data, or use its alerting features to send alerts if things go wrong.
Filter incoming Registry events
Windows Registries generate a great number of events due to their near-constant use. This can cause problems with licensing - Splunk Registry monitoring can easily generate hundreds of megabytes of data per day.
Splunk Windows Registry monitoring uses a configuration file to determine what to monitor on your system, regmon-filters.conf. This file needs to reside in
regmon-filters.conf contains the specific regular expressions you create to refine and filter the Registry hive paths you want Splunk to monitor.
Each stanza in
regmon-filters.conf represents a particular filter whose definition includes:
| ||A regular expression containing the path to the process or processes you want to monitor|
| || A regular expression containing the hive path to the entry or entries you want to monitor. Splunk supports the root key value mappings predefined in Windows:
| || The subset of event types to monitor. Can be one or more of |
| ||Whether or not to capture a baseline snapshot for that particular hive path. Set to 1 for yes, and 0 for no.|
| ||How long Splunk has to have been down before re-taking the snapshot, in seconds. The default value is 86,400 seconds (1 day).|
| ||Whether or not a filter is enabled. Set to 1 to disable the filter, and 0 to enable it.|
Get a baseline snapshot
When you enable Registry monitoring, you're given the option of recording a baseline snapshot of the Registry hives the next time Splunk starts. By default, the snapshot covers the HKEY_CURRENT_USER and HKEY_LOCAL_MACHINE hives. It also establishes a timeline for when to retake the snapshot; by default, if Splunk has been down for more than 24 hours since the last checkpoint, it will retake the baseline snapshot. You can customize this value for each of the filters in
regmon-filters.conf by setting the value of
baseline_interval This attribute is expressed in seconds.
Change the default Windows Registry input values
Review inputs.conf to see the default values for Windows Registry input. They are also shown below. You would only need to make changes to the default values if, for example, you wanted to increase or decrease the interval between when the Registry monitor scans for new changes, or change the source and/or sourcetype of events generated by the monitor.
Note: The Splunk Registry input monitoring script (
splunk-regmon.path) is configured as a scripted input. Do not change this value.
To make changes to the default values, edit a copy of
$SPLUNK_HOME\etc\system\local\. Provide new values for only the parameters you want to change within the
[script://$SPLUNK_HOME\bin\scripts\splunk-regmon.path] stanza. There's no need to edit the other values. For more information about how to work with Splunk configuration files, refer to "About configuration files" in the Admin Manual.
[script://$SPLUNK_HOME\bin\scripts\splunk-regmon.path] interval = 60 sourcetype = WinRegistry source = WinRegistry disabled = 0
source: labels these events as coming from the Registry.
sourcetype: assigns these events as Registry events.
interval: specifies how frequently to poll the Registry for changes, in seconds.
disabled: indicates whether the feature is enabled. Set this to 1 to disable this feature.
Note: You must use two backslashes
\\ to escape wildcards in stanza names in
inputs.conf. Regexes with backslashes in them are not currently supported when specifying paths to files.