Splunk® Enterprise

Getting Data In


Splunk version 4.x reached its End of Life on October 1, 2013. This documentation does not apply to the most recent version of Splunk.

Monitor Windows Registry data

The Windows Registry is the central configuration database on a Windows machine. Nearly all Windows processes and third-party programs interact with it. Without a healthy Registry, Windows will not run. Splunk supports the capture of Windows Registry settings and lets you monitor changes to the Registry in real time.

When a program makes a change to a configuration, it writes those changes to the Registry. An example of this is when a program remembers the last positions of open program windows. Later, when the program is run again, it will look into the Registry to read those configurations. You can learn when Registry entries are added, updated, and deleted by programs and processes on your system. When a Registry entry is changed, Splunk captures the name of the process that made the change, as well as the entire path to the entry being changed.

The Windows Registry input monitor runs as a process called splunk-regmon.exe.

Why monitor the Registry?

The Registry is probably the most used, yet least understood component of Windows operation. It gets used constantly, with many different programs reading from and writing to it at all times. When something is not functioning as desired, Microsoft often instructs administrators and users alike to make changes to the Registry directly using the RegEdit tool. The ability to capture those edits, and any other changes, in real time is the first step in understanding the importance of the Registry.

The Registry's health is also very important. Splunk not only tells you when changes to the Registry are made, but also whether or not those changes were successful. If programs and processes can't write to or read from the Registry, bad things can happen to your Windows system, including a complete failure. Splunk can alert you to problems interacting with the Registry so that you can restore it from a backup and keep your system running.

What's required to monitor the Registry?

The following table lists the explicit permissions needed to monitor the Registry. You might need additional permissions depending on the Registry keys that you want to monitor.

Activity: Required permissions:
Monitor the Registry:
  • Splunk must run on Windows, AND
  • Splunk must run either as the Local System account, OR as a domain user with read access to the Registry hives or keys that you want to monitor.

Performance considerations

When you install Splunk on a Windows machine and enable Registry monitoring, you specify which Registry hives to monitor: the user hive (represented as HKEY_USERS in RegEdit) and/or the machine hive (represented as HKEY_LOCAL_MACHINE). The user hive contains user-specific configurations required by Windows and programs, and the machine hive contains configuration information specific to the machine, such as the location of services, drivers, object classes and security descriptors.

Since the Registry plays a central role in the operation of a Windows machine, monitoring both hives will likely produce a large volume of data for Splunk to index. To achieve the best performance, filter the Registry data that Splunk indexes by using regmon-filters.conf.

Similarly, you can capture a baseline - a snapshot of the current state of your Windows Registry - when you first start Splunk, and again every time a specified amount of time has passed. The snapshot allows you to compare what the Registry looks like at a certain point in time, and provides for easier tracking of the changes to the Registry over time.

The snapshot process can be somewhat CPU-intensive, and may take several minutes. You can postpone taking a baseline snapshot until you've edited regmon-filters.conf and narrowed the scope of the Registry entries to those you specifically want Splunk to monitor.

More information on regmon-filters.conf and how to use it to filter incoming Registry events is available in "Filter incoming Registry events" later on this page.

Enable Registry monitoring in Splunk Web

To configure Splunk to monitor the Windows Registry:

1. In Splunk Web, click Manager in the upper right corner.

2. Under "Data", click Data inputs.

3. Click Registry Monitoring.

4. Click New.

5. In the Collection Name field, enter a unique name for this collection.

6. In the Registry hive field, enter the path to the Registry key that you want Splunk to monitor.

7. If you are not sure of the path, click the Browse button to select the Registry key path that you want Splunk to monitor.

The Registry hive window opens and displays the Registry in tree view. Hives, keys and subkeys are represented by folders, and values are represented by document icons.

Note: The HKEY_USERS, HKEY_CURRENT_USER, HKEY_LOCAL_MACHINE, and HKEY_CURRENT_CONFIG hives are displayed as top-level objects. The HKEY_CLASSES_ROOT hive is not shown, due to the number of subkeys present in the first sublevel of that hive. To access HKEY_CLASSES_ROOT items, choose HKEY_LOCAL_MACHINE\Software\Classes.

8. In the Registry hive window, choose the desired Registry key by clicking on the name of the key.

The key's qualified name appears in the Qualified name field at the bottom of the window.

9. Click Select to confirm the choice and close the window.

10. Select Monitor subnodes if you want Splunk to monitor the child nodes below the starting hive you specified in Steps 6 or 7.

Note: The Monitor subnodes setting determines what is added to the regmon-filters.conf file that gets created when you define a Registry monitor input in Splunk Web.

If you use the tree view to select a key or hive to monitor, and Monitor subnodes is checked, then Splunk adds a regular expression (or regex) to the stanza for the input you are defining. This regex (\\\\?.*) filters out events that do not directly reference the selected key or any of its subkeys.

If Monitor subnodes is not checked, then Splunk adds a regex to the input stanza which filters out events that do not directly reference the selected key (including events that reference subkeys of the selected key.)

If you do not use the tree view to specify the desired key to monitor, then Splunk will add the regex only if Monitor subnodes is checked and you have not entered your own regex in the Registry hive field, as noted in Step 6.

11. Under Event types, select the Registry event types that you want Splunk to monitor for the chosen Registry hive:

Event type: Description:
Set: Splunk generates a Set event when a program executes a SetValue method on a Registry subkey, setting a new value or overwriting an existing value on an existing Registry key.
Create: Splunk generates a Create event when a program executes a CreateSubKey method within a Registry hive, creating a new subkey within an existing Registry hive.
Delete: Splunk generates a Delete event when a program executes a DeleteValue or DeleteSubKey method. These methods remove a value from a specific existing key, or remove a key from an existing hive.
Rename: Splunk generates a Rename event when a Registry key or subkey is renamed, for example in RegEdit.
Open: Splunk generates an Open event when a program executes an OpenSubKey method on a Registry subkey, such as when a program needs configuration information contained in the Registry.
Close: Splunk generates a Close event when a program executes a Close method on a Registry key. This happens when a program is done reading the contents of a key, or after you change a key's value in RegEdit and exit the value entry window.
Query: Splunk generates a Query event when a program executes the GetValue method on a Registry subkey.

12. Click the checkbox next to More settings for additional options, or click Save to save the changes to the input. If you want to save the input now without making any additional changes, proceed to Step 16.

13. In the Process Path field, enter a regular expression matching the processes whose Registry changes Splunk should monitor, or leave the default of C:\.* to have Splunk monitor all processes.

14. Tell Splunk whether or not you want to take a baseline snapshot of the whole Registry before monitoring Registry changes. To set a baseline, click Yes under Baseline index.

Note: The baseline snapshot is an index of your entire Registry, at the time the snapshot is taken. Scanning the Registry to set a baseline index is a CPU-intensive process and may take some time.

15. Optionally, choose the index you want Splunk to send Registry monitoring events to by selecting the desired index under Index.

16. Click Save.

Splunk enables the input and returns you to the Registry monitoring page.

Note: To disable inputs after they have been enabled, select Disable under the Status column on the "Registry monitoring" page.

Caution: When the Registry monitor is running, do not stop or kill the splunk-regmon.exe process manually. Doing so can result in system instability. To stop the Registry monitor, stop the splunkd server process from either the Services control panel or the CLI.

View Registry change data

To view Registry change data that Splunk has indexed, go to the Search app and search for events with a source of WinRegistry. An example event, which is generated by Group Policy when a user logs in to a domain, follows:

3:03:28.505 PM  
06/19/2011 15:03:28.505
event_status="(0)The operation completed successfully."
pid=340
process_image="c:\WINDOWS\system32\winlogon.exe"
registry_type="SetValue"
key_path="HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History\DCName"
data_type="REG_SZ"
data="\\ftw.ad.splunk.com"

Each registry monitoring event contains:

Attribute: Description:
event_status: The result of the Registry change attempt. This should always be "(0) The operation completed successfully.". If it is not, there may be problems with the Registry that might eventually require a restore from a backup.
pid: The process ID of the process that attempted to make the Registry change.
process_image: The name of the process that attempted to make the Registry change.
registry_type: The type of Registry operation that the process_image attempted to invoke.
key_path: The Registry key path that the process_image attempted to make a change to.
data_type: The type of Registry data that the process_image making the Registry change tried to get or set.
data: The data that the process_image making the Registry change tried to read or write.

You can use Splunk's search commands and reporting features to create reports based on the incoming data, or use its alerting features to send alerts if things go wrong.
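The following script is an added example, not Splunk code and not part of the original page. It parses events in the field layout shown above and applies the two checks the attribute table suggests: an event_status that is not "(0) ...", and a write to a common autostart location, reported together with the process_image that made it. The three sample events are constructed: the first mirrors the Group Policy event above, the other two are invented. The registry_type values other than SetValue are assumed from the method names listed under Event types, and the autostart key list is a starting point rather than a Splunk default.

```python
"""Triage Splunk WinRegistry events: flag failed Registry operations and
writes to common autostart locations.

Added example, not Splunk code.  The sample events are constructed to
match the field layout shown on this page."""
import re

# Three constructed events in the layout Splunk shows for source=WinRegistry.
# Event 1 mirrors the Group Policy event on this page; events 2 and 3 are
# invented (a program in a Temp folder adding itself to a Run key, and a
# write that the Registry rejected with an access-denied status).
SAMPLE_EVENTS = r'''
06/19/2011 15:03:28.505
event_status="(0)The operation completed successfully."
pid=340
process_image="c:\WINDOWS\system32\winlogon.exe"
registry_type="SetValue"
key_path="HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History\DCName"
data_type="REG_SZ"
data="\\ftw.ad.splunk.com"

06/19/2011 15:04:02.118
event_status="(0)The operation completed successfully."
pid=2188
process_image="c:\Users\alice\AppData\Local\Temp\updater.exe"
registry_type="SetValue"
key_path="HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater"
data_type="REG_SZ"
data="c:\Users\alice\AppData\Local\Temp\updater.exe"

06/19/2011 15:05:11.900
event_status="(5)Access is denied."
pid=1204
process_image="c:\WINDOWS\system32\svchost.exe"
registry_type="SetValue"
key_path="HKLM\SYSTEM\CurrentControlSet\Services\Spooler\Start"
data_type="REG_DWORD"
data="2"
'''

# key=value or key="value"; values hold raw Windows paths, so no escape handling.
FIELD_RE = re.compile(r'^(\w+)=(?:"([^"]*)"|(\S+))$')
# event_status starts with the status code in parentheses, e.g. "(0)".
STATUS_RE = re.compile(r'^\((\d+)\)')

# Operations that modify the Registry.  "SetValue" is the value shown on this
# page; the others are assumed from the method names listed under Event types.
WRITE_TYPES = {"SetValue", "CreateSubKey", "DeleteValue", "DeleteSubKey", "Rename"}

# Autostart locations worth alerting on (a starting point, not a Splunk default).
AUTOSTART_RES = [
    re.compile(r'\\CurrentVersion\\Run(Once)?\\', re.I),
    re.compile(r'\\CurrentVersion\\Winlogon\\(Shell|Userinit)$', re.I),
    re.compile(r'\\CurrentControlSet\\Services\\[^\\]+\\ImagePath$', re.I),
]


def parse_events(text):
    """Split blank-line-separated events into dicts; line 1 is the timestamp."""
    events = []
    for block in re.split(r'\n\s*\n', text.strip()):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        event = {"_time": lines[0]}
        for line in lines[1:]:
            m = FIELD_RE.match(line)
            if m:
                event[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
        events.append(event)
    return events


def status_code(event):
    """Numeric code from event_status, or None if the field is malformed."""
    m = STATUS_RE.match(event.get("event_status", ""))
    return int(m.group(1)) if m else None


def is_autostart(key_path):
    return any(r.search(key_path) for r in AUTOSTART_RES)


def triage(events):
    """Return (kind, event) findings.  Both checks run on every event, so a
    failed write to an autostart key yields two findings."""
    findings = []
    for ev in events:
        if status_code(ev) != 0:
            findings.append(("registry_error", ev))
        if ev.get("registry_type") in WRITE_TYPES and is_autostart(ev.get("key_path", "")):
            findings.append(("autostart_write", ev))
    return findings


def describe(finding):
    kind, ev = finding
    return "%s %s pid=%s %s %s -> %s" % (
        ev["_time"], kind, ev.get("pid"), ev.get("process_image"),
        ev.get("registry_type"), ev.get("key_path"))


if __name__ == "__main__":
    # Equivalent searches over the indexed data in Splunk would be
    #   source=WinRegistry NOT event_status="(0)*"
    #   source=WinRegistry registry_type=SetValue key_path="*\\CurrentVersion\\Run*"
    for f in triage(parse_events(SAMPLE_EVENTS)):
        print(describe(f))
```

Run stand-alone, the script reports the Run-key write by updater.exe and the access-denied write by svchost.exe, and stays silent on the Group Policy event. The same two conditions are what you would turn into saved searches and alerts in Splunk.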

Filter incoming Registry events

The Windows Registry generates a great number of events due to its near-constant use. This can cause problems with licensing: Splunk Registry monitoring can easily generate hundreds of megabytes of data per day.

Splunk Windows Registry monitoring uses a configuration file to determine what to monitor on your system, regmon-filters.conf. This file needs to reside in $SPLUNK_HOME\etc\system\local\.

regmon-filters.conf contains the specific regular expressions you create to refine and filter the Registry hive paths you want Splunk to monitor.

Each stanza in regmon-filters.conf represents a particular filter whose definition includes:

Attribute: Description:
proc: A regular expression containing the path to the process or processes you want to monitor.
hive: A regular expression containing the hive path to the entry or entries you want to monitor. Splunk supports the root key value mappings predefined in Windows:
  • \\REGISTRY\\USER\\ maps to HKEY_USERS or HKU
  • \\REGISTRY\\USER\\<SID>_Classes maps to the per-user part of HKEY_CLASSES_ROOT or HKCR
  • \\REGISTRY\\MACHINE maps to HKEY_LOCAL_MACHINE or HKLM
  • \\REGISTRY\\MACHINE\\SOFTWARE\\Classes maps to the machine-wide part of HKEY_CLASSES_ROOT or HKCR
  • \\REGISTRY\\MACHINE\\SYSTEM\\CurrentControlSet\\Hardware Profiles\\Current maps to HKEY_CURRENT_CONFIG or HKCC
  • Note: There is no direct mapping for HKEY_CURRENT_USER or HKCU, as Splunk's Registry monitor runs in kernel mode. However, using \\REGISTRY\\USER\\.* (note the period and asterisk at the end) will generate events that contain the logged-in user's security identifier (SID).
  • Alternatively, you can specify the user whose Registry keys you wish to monitor by using \\REGISTRY\\USER\\<SID>, where SID is the SID of the desired user.
type: The subset of event types to monitor. Can be one or more of delete, set, create, rename, open, close or query. The values here must be a subset of the values for event_types that you set in sysmon.conf.
baseline: Whether or not to capture a baseline snapshot for that particular hive path. Set to 1 for yes, and 0 for no.
baseline_interval: How long Splunk has to have been down before re-taking the snapshot, in seconds. The default value is 86,400 seconds (1 day).
disabled: Whether or not a filter is enabled. Set to 1 to disable the filter, and 0 to enable it.

Get a baseline snapshot

When you enable Registry monitoring, you're given the option of recording a baseline snapshot of the Registry hives the next time Splunk starts. By default, the snapshot covers the user (HKEY_USERS) and machine (HKEY_LOCAL_MACHINE) hives. It also establishes a timeline for when to retake the snapshot; by default, if Splunk has been down for more than 24 hours since the last checkpoint, it will retake the baseline snapshot. You can customize this value for each of the filters in regmon-filters.conf by setting the value of baseline_interval. This attribute is expressed in seconds.
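The following regmon-filters.conf is a constructed example for this page, not the file Splunk ships and not output of the Splunk Web procedure above (which writes stanzas into this same file). It applies the attributes described in "Filter incoming Registry events" and the baseline settings described here to a few persistence-relevant locations instead of whole hives. Stanza names are arbitrary labels. Two details are assumptions: the pipe-separated form for listing several type values, and the use of the \\REGISTRY\\... notation from the mapping list above in a regular expression; the spec file in $SPLUNK_HOME\etc\system\README\regmon-filters.conf.spec is the authority for your version.

```ini
# regmon-filters.conf, constructed example for $SPLUNK_HOME\etc\system\local\
# Narrow Registry monitoring to persistence-relevant keys instead of whole hives.

[HKLM autostart keys]
# Run and RunOnce keys (native and Wow6432Node), including their values.
proc = C:\\.*
hive = \\REGISTRY\\MACHINE\\SOFTWARE\\(Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run.*
type = set|create|delete|rename
baseline = 1
baseline_interval = 86400
disabled = 0

[HKU autostart keys]
# Per-user Run keys. There is no HKCU mapping in kernel mode, so the SID
# segment of the path identifies the user.
proc = C:\\.*
hive = \\REGISTRY\\USER\\[^\\]+\\Software\\Microsoft\\Windows\\CurrentVersion\\Run.*
type = set|create|delete|rename
baseline = 1
baseline_interval = 86400
disabled = 0

[Service definitions]
# Service creation, removal and ImagePath changes. open, close and query are
# left out on purpose: they fire constantly and only add licence volume.
proc = C:\\.*
hive = \\REGISTRY\\MACHINE\\SYSTEM\\CurrentControlSet\\Services\\.*
type = set|create|delete|rename
baseline = 0
disabled = 0
```

Because the monitor runs in kernel mode and sees the native Registry namespace, a key may be reported under the resolved control set name (ControlSet001 and so on) rather than CurrentControlSet; check a captured event for the path form before relying on the third stanza. Restart splunkd after editing the file, and leave baseline = 0 on high-volume stanzas until the filters are settled, since the baseline scan is CPU-intensive.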

Change the default Windows Registry input values

Review inputs.conf to see the default values for Windows Registry input. They are also shown below. You would only need to make changes to the default values if, for example, you wanted to increase or decrease the interval between when the Registry monitor scans for new changes, or change the source and/or sourcetype of events generated by the monitor.

Note: The Splunk Registry input monitoring script (splunk-regmon.path) is configured as a scripted input. Do not change this value.

To make changes to the default values, edit a copy of inputs.conf in $SPLUNK_HOME\etc\system\local\. Provide new values for only the parameters you want to change within the [script://$SPLUNK_HOME\bin\scripts\splunk-regmon.path] stanza. There's no need to edit the other values. For more information about how to work with Splunk configuration files, refer to "About configuration files" in the Admin Manual.

[script://$SPLUNK_HOME\bin\scripts\splunk-regmon.path]
interval = 60
sourcetype = WinRegistry
source = WinRegistry
disabled = 0
  • source: labels these events as coming from the Registry.
  • sourcetype: assigns these events as Registry events.
  • interval: specifies how frequently to poll the Registry for changes, in seconds.
  • disabled: indicates whether the feature is enabled. Set this to 1 to disable this feature.

Note: You must use two backslashes \\ to escape wildcards in stanza names in inputs.conf. Regexes with backslashes in them are not currently supported when specifying paths to files.


This documentation applies to the following versions of Splunk® Enterprise: 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7, 5.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0.15, 5.0.16, 5.0.17, 5.0.18

