Monitor Windows Registry data
The Windows Registry is the central configuration database on a Windows machine. Nearly all Windows processes and third-party programs interact with it. Without a healthy Registry, Windows does not run. Splunk Enterprise supports the capture of Windows Registry settings and lets you monitor changes to the Registry in real time.
When a program makes a change to a configuration, it writes those changes to the Registry. Later, when the program runs again, it looks into the Registry to read those configurations. You can learn when Windows programs and processes add, update, and delete Registry entries on your system. When a Registry entry changes, Splunk Enterprise captures the name of the process that made the change, as well as the entire path to the entry being changed.
The Windows Registry input monitor runs as a process called
If you have Splunk Cloud, you must use the universal forwarder to collect data from the Windows Registry and forward it to your Splunk Cloud deployment.
Why monitor the Registry?
The Registry is probably the most used, yet least understood component of Windows operation. Many programs and processes read from and write to it at all times. When something is not functioning, Microsoft often instructs administrators and users alike to make changes to the Registry directly using the RegEdit tool. The ability to capture those edits, and any other changes, in real time is the first step in understanding the importance of the Registry.
Registry health is very important. Splunk Enterprise tells you when changes to the Registry are made and also if those changes were successful. If programs and processes can't write to or read from the Registry, a system failure can occur. Splunk Enterprise can alert you to problems interacting with the Registry so that you can restore it from a backup and keep your system running.
What do you need to monitor the Registry?
The following table lists the explicit permissions you need to monitor the Registry. You might need additional permissions based on the Registry keys that you want to monitor.
|Monitor the Registry|| * Splunk Enterprise must run on Windows|
* Splunk Enterprise must run as either the local system user
* Splunk Enterprise must run as a domain user with read access to the Registry hives or keys that you want to monitor
When you enable Registry monitoring, you specify which Registry hives to monitor: the user hive (represented as
HKEY_USERS in RegEdit) and/or the machine hive (represented as
HKEY_LOCAL_MACHINE). The user hive contains user-specific configurations required by Windows and programs, and the machine hive contains configuration information specific to the machine, such as the location of services, drivers, object classes and security descriptors.
Because the Registry plays a central role in the operation of a Windows machine, enabling both Registry paths results in a lot of data for Splunk Enterprise to monitor. To achieve the best performance, filter the amount of Registry data that Splunk Enterprise indexes by configuring
Similarly, you can capture a baseline snapshot of the current state of your Windows Registry when you first start Splunk Enterprise, and again every time a specified amount of time has passed. The snapshot lets you compare what the Registry looks like at a certain point in time and provides for easier tracking of the changes to the Registry over time.
The snapshot process can be somewhat CPU-intensive, and might take several minutes to complete. You can postpone taking a baseline snapshot until you have narrowed the scope of the Registry entries to those you specifically want Splunk Enterprise to monitor.
Enable Registry monitoring in Splunk Web
Go to the Add New page
You can get there by two routes:
- Splunk Home
- Splunk Settings
By Splunk Settings:
- Click Settings in the upper right corner of Splunk Web.
- Click Data Inputs.
- Click Registry monitoring.
- Click New to add an input.
By Splunk Home:
- Click the Add Data link in Splunk Home.
- Click Monitor to monitor Registry data on the local Windows machine.
Select the input source
- In the left pane, locate and select Registry monitoring.
- In the Collection Name field, enter a unique name for the input that you will remember.
- In the Registry hive field, enter the path to the Registry key that you want Splunk Enterprise to monitor.
- (Optional) If you are not sure of the path, click the Browse button to select the Registry key path that you want Splunk Enterprise to monitor.
The Registry hive window opens and displays the Registry in tree view. Hives, keys and subkeys display as folders, and values display as document icons.
HKEY_USERS, HKEY_CURRENT_USER, HKEY_LOCAL_MACHINE,and
HKEY_CURRENT_CONFIGhives display as top-level objects. The
HKEY_CLASSES_ROOThive is not shown because of the number of subkeys present in the first sublevel of that hive. To access
- In the Registry hive window, choose the desired Registry key by clicking on the name of the key. The qualified key name appears in the Qualified name field at the bottom of the window.
- Click Select to confirm the choice and close the window.
- (Optional) Select Monitor subnodes if you want to monitor the child nodes below the starting hive.
The Monitor subnodes node determines what Splunk Enterprise adds to the
inputs.conffile that it creates when you define a Registry monitor input in Splunk Web.
If you use the tree view to select a key or hive to monitor and check Monitor subnodes, then Splunk Enterprise adds a regular expression to the stanza for the input you are defining. This regular expression (
\\\\?.*) filters out events that do not directly reference the selected key or any of its subkeys.
If you do not check Monitor subnodes, then Splunk Enterprise adds a regular expression to the input stanza which filters out events that do not directly reference the selected key (including events that reference subkeys of the selected key.)
If you do not use the tree view to specify the desired key to monitor, then Splunk Enterprise adds the regular expression only if you have checked Monitor subnodes and have not entered your own regular expression in the Registry hive field.
- Under Event types, select the Registry event types that you want Splunk Enterprise to monitor for the chosen Registry hive:
Event Type Description Set Splunk Enterprise generates a Set event when a program executes a SetValue method on a Registry subkey, thus setting a value or overwriting an existing value on an existing Registry entry. Create Splunk Enterprise generates a Create event when a program executes a CreateSubKey method within a Registry hive, thus creating a new subkey within an existing Registry hive. Delete Splunk Enterprise generates a Delete event when a program executes a DeleteValue or DeleteSubKey method. This method either removes a value for a specific existing key, or removes a key from an existing hive. Rename Splunk Enterprise generates a Rename event when you rename a Registry key or subkey in RegEdit. Open Splunk Enterprise generates an Open event when a program executes an OpenSubKey method on a Registry subkey, such as what happens when a program needs configuration information contained in the Registry. Close Splunk Enterprise generates a Close event when a program executes a Close method on a Registry key. This happens when a program is done reading the contents of a key, or after you make a change to a key's value in RegEdit and exit the value entry window. Query Splunk Enterprise generates a Query event when a program executes the GetValue method on a Registry subkey.
- Specify which processes Splunk Enterprise should monitor for changes to the Registry by entering appropriate values in the Process Path field. Or, leave the default of
C:\.*to monitor all processes.
- Specity whether or not you want to take a baseline snapshot of the whole Registry before monitoring Registry changes. To set a baseline, click Yes under Baseline index.
The baseline snapshot is an index of your entire Registry, at the time the snapshot is taken. Registry events within the snapshot retain their original indexing timestamps. Scanning the Registry to set a baseline index is a CPU-intensive process and might take some time.
- Click Next.
Specify input settings
The Input Settings page lets you specify application context, default host value, and index. All of these parameters are optional.
- Select the appropriate Application context for this input.
- Set the Host name value. You have several choices for this setting. Learn more about setting the host value in About hosts.
Host only sets the host field in the resulting events. It does not direct Splunk Enterprise to look on a specific host on your network.
- Set the Index that Splunk Enterprise should send data to. Leave the value as "default", unless you have defined multiple indexes to handle different types of events. In addition to indexes for user data, Splunk Enterprise has a number of utility indexes, which also appear in this dropdown box.
- Click Review.
Review your choices
After specifying all your input settings, review your selections. Splunk Enterprise lists all options you selected, including the type of monitor, the source, the source type, the application context, and the index.
- Review the settings.
- If they do not match what you want, click < to go back to the previous step in the wizard. Otherwise, click Submit.
Splunk Enterprise then loads the "Success" page and begins indexing the specified Registry nodes.
View Registry change data
To view Registry change data that Splunk Enterprise indexed, go to the Search app and search for events with a source of
WinRegistry. An example event, which Group Policy generates when a user logs in to a domain, follows:
3:03:28.505 PM 06/19/2011 15:03:28.505 event_status="(0)The operation completed successfully." pid=340 process_image="c:\WINDOWS\system32\winlogon.exe" registry_type="SetValue" key_path="HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History\DCName" data_type="REG_SZ" data="\\ftw.ad.splunk.com"
Each registry monitoring event contains the following attributes.
|| The result of the registry change attempt. This should always be "|
||The process ID of the process that attempted to make the Registry change.|
||The name of the process that attempted to make the Registry change.|
|| The type of Registry operation that the |
|| The Registry key path that the |
|| The type of Registry data that the |
|| The data that the |
Filter incoming Registry events
Windows Registries generate a great number of events due to their near-constant use. This can cause problems with licensing. Splunk Registry monitoring can generate hundreds of megabytes of data per day.
Splunk Windows Registry monitoring uses a configuration file to determine what to monitor on your system, inputs.conf. This file needs to reside in
$SPLUNK_HOME\etc\system\local\ on the server that runs Registry monitoring.
inputs.conf contains the specific regular expressions you create to refine and filter the Registry hive paths you want Splunk to monitor.
Each stanza in
inputs.conf represents a particular filter whose definition includes:
||A regular expression containing the path to the process or processes you want to monitor.|
|| A regular expression that contains the hive path to the entry or entries you want to monitor. Splunk supports the root key value mappings predefined in Windows:
|| The subset of event types to monitor. Can be one or more of |
||Whether or not to capture a baseline snapshot for that particular hive path. Set to 1 for yes, and 0 for no.|
|| How much time, in seconds, must have elapsed since the last baseline was taken before Splunk Enterprise takes another baseline on startup. For example, if you set |
||Whether or not a filter is enabled. Set to 1 to disable the filter, and 0 to enable it.|
Get a baseline snapshot
When you enable Registry monitoring, you can record a baseline snapshot of the Registry hives the next time Splunk Enterprise starts. By default, the snapshot covers the
HKEY_LOCAL_MACHINE hives. It also establishes a timeline for when to retake the snapshot. By default, if the baseline is more than 24 hours old, when Splunk Enterprise next starts, it retakes the baseline snapshot. You can customize this value for each of the filters in
inputs.conf by setting the value of
baseline_interval, in seconds.
When you create a baseline snapshot, the snapshot uses the index time of the Registry data, not the snapshot creation time. For example, if a change to a Registry key occurred two years ago, the timestamp for that event will be two years ago, not when the baseline snapshot was created.
Monitor data through Windows Management Instrumentation (WMI)
Monitor Windows performance
This documentation applies to the following versions of Splunk® Enterprise: 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.2.14, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.2.0, 7.2.1