The following are the spec and example files for sysmon.conf.
# Copyright (C) 2005-2011 Splunk Inc. All Rights Reserved. Version 4.2.5 # # This file contains possible attribute/value pairs for configuring # Registry monitoring on a Windows system, including global settings # for which event types (adds, deletes, renames, and so on) to monitor, # which regular expression filters from the filter rules file # (normally regmon-filters.conf) to use, and whether or not Windows # Registry events are monitored at all. # # This file is used in conjunction with regmon-filters.conf, or a file # that you reference in the "filter_file_name" attribute below. # You must restart Splunk to enable configurations. # # To learn more about configuration files (including precedence) please see the # documentation located at # http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles [<stanza name>] * Defaults to [RegistryMonitor] * Follow this stanza name with the following attribute/value pairs. filter_file_name = <string> * This attribute references the name of the file where filters for this monitor are stored. * For example, setting this attribute to "hklm_filters" will cause splunk-regmon.exe to look in "hklm_filters.conf" for filter rules for this input. * Splunk-regmon.exe will read the contents of regmon-filters.conf if this attribute is not present. event_types = <string> * A regular expression string that specifies the type(s) of Registry events to monitor. * Regular expressions specified in this attribute can begin with one or more of the following strings: set, create, delete, rename, open, close, query. * When specifying multiple event type strings for this attribute, the individual event type elements must be separated by the pipe character ("|"). inclusive = [0|1] * Specifies whether the rules specified in the filter rules file are inclusive (a white list) or exclusive (a black list). * This attribute is required, and splunk-regmon.exe will not run for this input if the attribute is not present. * Set to 1 to specify that filter rules specified in the filter rules file are inclusive (white list), and 0 to specify that those rules are exclusive (black list). * There is no default. disabled = [0|1] * Specifies whether the input is enabled or not. * Set to 1 to disable the input, and 0 to enable it. * Defaults to 0 (enabled). proc_name = <string> * This attribute is no longer used.
# Copyright (C) 2005-2011 Splunk Inc. All Rights Reserved. Version 4.2.5 # # This file contains an example configuration for monitoring changes # to the Windows registry. Refer to sysmon.conf.spec for details. # The following is an example of a registry monitor filter and process monitor filter. # To create your own filters, modify the values using the information in # regmon-filters.conf.spec. # # To use one or more of these configurations, copy the configuration block into # sysmon-filters.conf in $SPLUNK_HOME/etc/system/local/. You must restart Splunk # to enable configurations. # # To learn more about configuration files (including precedence) please see the # documentation located at # http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles # Define the filter rules file as "regmon-filters.conf" and define the available # event types "set", "create", "delete", and "rename". The filter rules # specified in "regmon-filters.conf" are exclusive (black list), which means # that the regular expressions in that file will be filtered if they match. [RegistryMonitor] filter_file_name = regmon-filters event_types = set.*|create.*|delete.*|rename.* inclusive = 0 disabled = 0 # Define the filter rules file as "procmon-filters.conf" and define the # available event types "create", "exit" and "image". The filter rules # specified in "procmon-filters.conf" are exclusive (black list), which means # that the regular expressions in that file will be filtered if they match. [ProcessMonitor] filter_file_name = procmon-filters event_types = create.*|exit.*|image.* inclusive = 0 disabled = 1
This documentation applies to the following versions of Splunk® Enterprise: 4.3