sysmon.conf
The following are the spec and example files for sysmon.conf.
sysmon.conf.spec
# Copyright (C) 2005-2011 Splunk Inc. All Rights Reserved. Version 4.2.5
#
# This file contains possible attribute/value pairs for configuring
# Registry monitoring on a Windows system, including global settings
# for which event types (adds, deletes, renames, and so on) to monitor,
# which regular expression filters from the filter rules file
# (normally regmon-filters.conf) to use, and whether or not Windows
# Registry events are monitored at all.
#
# This file is used in conjunction with regmon-filters.conf, or a file
# that you reference in the "filter_file_name" attribute below.
# You must restart Splunk to enable configurations.
#
# To learn more about configuration files (including precedence) please see the
# documentation located at
# http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles
[<stanza name>]
* Defaults to [RegistryMonitor]
* Follow this stanza name with the following attribute/value pairs.
filter_file_name = <string>
* This attribute references the name of the file where filters for this monitor
are stored.
* For example, setting this attribute to "hklm_filters" will cause
splunk-regmon.exe to look in "hklm_filters.conf" for filter rules for
this input.
* Splunk-regmon.exe will read the contents of regmon-filters.conf if this
attribute is not present.
event_types = <string>
* A regular expression string that specifies the type(s) of Registry events to
monitor.
* Regular expressions specified in this attribute can begin with one or more of
the following strings: set, create, delete, rename, open, close, query.
* When specifying multiple event type strings for this attribute, the
individual event type elements must be separated by the pipe character ("|").
inclusive = [0|1]
* Specifies whether the rules specified in the filter rules file are inclusive
(a white list) or exclusive (a black list).
* This attribute is required, and splunk-regmon.exe will not run for this
input if the attribute is not present.
* Set to 1 to specify that filter rules specified in the filter rules file are
inclusive (white list), and 0 to specify that those rules are exclusive
(black list).
* There is no default.
disabled = [0|1]
* Specifies whether the input is enabled or not.
* Set to 1 to disable the input, and 0 to enable it.
* Defaults to 0 (enabled).
proc_name = <string>
* This attribute is no longer used.
sysmon.conf.example
# Copyright (C) 2005-2011 Splunk Inc. All Rights Reserved. Version 4.2.5
#
# This file contains an example configuration for monitoring changes
# to the Windows registry. Refer to sysmon.conf.spec for details.
# The following is an example of a registry monitor filter and process monitor filter.
# To create your own filters, modify the values using the information in
# regmon-filters.conf.spec.
#
# To use one or more of these configurations, copy the configuration block into
# sysmon-filters.conf in $SPLUNK_HOME/etc/system/local/. You must restart Splunk
# to enable configurations.
#
# To learn more about configuration files (including precedence) please see the
# documentation located at
# http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles

# Define the filter rules file as "regmon-filters.conf" and define the available
# event types "set", "create", "delete", and "rename". The filter rules
# specified in "regmon-filters.conf" are exclusive (black list), which means
# that the regular expressions in that file will be filtered if they match.

[RegistryMonitor]
filter_file_name = regmon-filters
event_types = set.*|create.*|delete.*|rename.*
inclusive = 0
disabled = 0

# Define the filter rules file as "procmon-filters.conf" and define the
# available event types "create", "exit" and "image". The filter rules
# specified in "procmon-filters.conf" are exclusive (black list), which means
# that the regular expressions in that file will be filtered if they match.

[ProcessMonitor]
filter_file_name = procmon-filters
event_types = create.*|exit.*|image.*
inclusive = 0
disabled = 1
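The spec above leaves a few traps for whoever edits this file by hand: `inclusive` has no default and silently stops the input when missing, `filter_file_name` is a bare name that Splunk turns into `<name>.conf` (falling back to regmon-filters.conf), and each `event_types` alternative is a regular expression that should begin with one of the listed Registry event strings. The following Python script is an added example, not Splunk code: it parses stanzas in the sysmon.conf layout, applies those checks, and shows how the `inclusive` flag turns a matching filter rule into "keep" (white list) or "drop" (black list). The sample configuration is a constructed copy of the example file above with `inclusive` removed from `[ProcessMonitor]`, and `should_index` assumes, because this page does not describe the filter file format, that each filter rule is a regex searched against the Registry key path; `SAMPLE_CONF`, `should_index` and the hypothetical key paths are the assumptions.

```python
"""Validate sysmon.conf stanzas and apply their inclusive/exclusive semantics (added example)."""
import re
from configparser import ConfigParser

# Strings that sysmon.conf.spec allows at the start of each event_types
# alternative for Registry events.
REGISTRY_EVENT_PREFIXES = ("set", "create", "delete", "rename", "open", "close", "query")

# Constructed sample: the two stanzas from sysmon.conf.example, except that
# `inclusive` is deliberately left out of [ProcessMonitor] so the
# required-attribute check has something to report.
SAMPLE_CONF = """\
[RegistryMonitor]
filter_file_name = regmon-filters
event_types = set.*|create.*|delete.*|rename.*
inclusive = 0
disabled = 0

[ProcessMonitor]
filter_file_name = procmon-filters
event_types = create.*|exit.*|image.*
disabled = 1
"""


def parse_sysmon_conf(text):
    """Parse the INI-style stanzas into {stanza name: {attribute: value}}."""
    parser = ConfigParser(interpolation=None)
    parser.read_string(text)
    return {name: dict(parser[name]) for name in parser.sections()}


def filter_file(attrs):
    """Resolve the filter rules file name as the spec describes: the attribute
    value plus ".conf", or regmon-filters.conf when the attribute is absent."""
    return attrs.get("filter_file_name", "regmon-filters") + ".conf"


def validate_stanza(attrs, allowed_prefixes=None):
    """Return a list of problems; an empty list means the stanza is usable.

    allowed_prefixes, when given, lists the strings every event_types
    alternative must begin with (REGISTRY_EVENT_PREFIXES for a Registry
    monitor; the spec on this page lists none for process events)."""
    problems = []
    # inclusive is required and has no default: without it the input does not run.
    if "inclusive" not in attrs:
        problems.append("inclusive missing: required with no default, input will not run")
    elif attrs["inclusive"] not in ("0", "1"):
        problems.append("inclusive must be 0 (black list) or 1 (white list)")
    if attrs.get("disabled", "0") not in ("0", "1"):
        problems.append("disabled must be 0 or 1")
    if "event_types" in attrs:
        # Alternatives are separated by "|" and each one is a regular expression.
        for alt in attrs["event_types"].split("|"):
            alt = alt.strip()
            if not alt:
                problems.append("event_types contains an empty alternative")
                continue
            try:
                re.compile(alt)
            except re.error as exc:
                problems.append(f"event_types alternative {alt!r} is not a valid regex: {exc}")
            if allowed_prefixes and not alt.startswith(allowed_prefixes):
                problems.append(f"event_types alternative {alt!r} does not begin with one of {allowed_prefixes}")
    return problems


def event_type_monitored(attrs, event_type):
    """True when the event type string matches the stanza's event_types regex."""
    pattern = attrs.get("event_types")
    return pattern is not None and re.fullmatch(pattern, event_type) is not None


def should_index(attrs, event_type, key_path, filter_patterns):
    """Decide whether an event reaches the index under this stanza.

    filter_patterns stands in for the rules read from the filter file. This is
    an assumption of the example: each rule is treated as a regex searched
    against the Registry key path."""
    if attrs.get("disabled", "0") == "1":
        return False
    if not event_type_monitored(attrs, event_type):
        return False
    matched = any(re.search(p, key_path) for p in filter_patterns)
    # inclusive=1 is a white list (keep only matches); inclusive=0 is a black list (drop matches).
    return matched if attrs["inclusive"] == "1" else not matched


if __name__ == "__main__":
    conf = parse_sysmon_conf(SAMPLE_CONF)
    for name, attrs in conf.items():
        prefixes = REGISTRY_EVENT_PREFIXES if name == "RegistryMonitor" else None
        print(name, filter_file(attrs), validate_stanza(attrs, prefixes) or "ok")
```

Run it against a local copy of sysmon.conf before restarting Splunk: a stanza that reports a problem for `inclusive` is exactly the case the spec warns about, where the input is simply not started and no error is visible in the data.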
This documentation applies to the following versions of Splunk: 4.3.2