Splunk® Enterprise

Admin Manual


Splunk version 4.x reached its End of Life on October 1, 2013.

sysmon.conf

The following are the spec and example files for sysmon.conf.

sysmon.conf.spec

# Copyright (C) 2005-2011 Splunk Inc. All Rights Reserved.  Version 4.2.5 
#
# This file contains possible attribute/value pairs for configuring 
# Registry monitoring on a Windows system, including global settings 
# for which event types (adds, deletes, renames, and so on) to monitor,
# which regular expression filters from the filter rules file 
# (normally regmon-filters.conf) to use, and whether or not Windows
# Registry events are monitored at all.
#
# This file is used in conjunction with regmon-filters.conf, or a file
# that you reference in the "filter_file_name" attribute below.
# You must restart Splunk to enable configurations. 
#
# To learn more about configuration files (including precedence) please see the
# documentation located at 
# http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles

[<stanza name>]
* Defaults to [RegistryMonitor]
* Follow this stanza name with the following attribute/value pairs.

filter_file_name = <string>
* This attribute references the name of the file where filters for this monitor
  are stored.
* For example, setting this attribute to "hklm_filters" will cause
  splunk-regmon.exe to look in "hklm_filters.conf" for filter rules for
  this input.
* splunk-regmon.exe will read the contents of regmon-filters.conf if this
  attribute is not present.

event_types = <string>
* A regular expression string that specifies the type(s) of Registry events to
  monitor.
* Regular expressions specified in this attribute can begin with one or more of
  the following strings: set, create, delete, rename, open, close, query.
* When specifying multiple event type strings for this attribute, the
  individual event type elements must be separated by the pipe character ("|").

inclusive = [0|1]
* Specifies whether the rules specified in the filter rules file are inclusive
  (a white list) or exclusive (a black list).
* This attribute is required, and splunk-regmon.exe will not run for this
  input if the attribute is not present.
* Set to 1 to specify that filter rules specified in the filter rules file are
  inclusive (white list), and 0 to specify that those rules are exclusive
  (black list).
* There is no default.

disabled = [0|1]
* Specifies whether the input is enabled or not.
* Set to 1 to disable the input, and 0 to enable it. 
* Defaults to 0 (enabled).

proc_name = <string>
* This attribute is no longer used.

sysmon.conf.example

# Copyright (C) 2005-2011 Splunk Inc. All Rights Reserved.  Version 4.2.5 
#
# This file contains an example configuration for monitoring changes
# to the Windows registry. Refer to sysmon.conf.spec for details.
# The following is an example of a registry monitor filter and process monitor filter.
# To create your own filters, modify the values using the information in 
# regmon-filters.conf.spec.
#
# To use one or more of these configurations, copy the configuration block into
# sysmon-filters.conf in $SPLUNK_HOME/etc/system/local/. You must restart Splunk
# to enable configurations.
#
# To learn more about configuration files (including precedence) please see the
# documentation located at 
# http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles

# Define the filter rules file as "regmon-filters.conf" and define the available
# event types "set", "create", "delete", and "rename". The filter rules
# specified in "regmon-filters.conf" are exclusive (black list), which means
# that Registry events matching the regular expressions in that file are
# filtered out.
[RegistryMonitor]
filter_file_name = regmon-filters
event_types = set.*|create.*|delete.*|rename.*
inclusive = 0
disabled = 0

# Define the filter rules file as "procmon-filters.conf" and define the
# available event types "create", "exit" and "image". The filter rules
# specified in "procmon-filters.conf" are exclusive (black list), which means
# that process events matching the regular expressions in that file are
# filtered out.
[ProcessMonitor]
filter_file_name = procmon-filters
event_types = create.*|exit.*|image.*
inclusive = 0
disabled = 1
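As an added example, not part of the Splunk documentation or of splunk-regmon.exe itself: a small Python validator that applies the constraints stated in sysmon.conf.spec (required "inclusive" with no default, pipe-separated "event_types" whose elements begin with an allowed Registry event type, obsolete "proc_name") to a sysmon.conf body, and resolves the filter rules file a stanza will read. It assumes the file parses as standard INI text; the sample configuration is constructed from the RegistryMonitor stanza above plus a deliberately broken stanza, and the event-type check uses the Registry event list from the spec (the ProcessMonitor stanza uses its own event types and is not covered).

```python
import configparser

# Event-type prefixes that sysmon.conf.spec allows in event_types for Registry monitoring.
ALLOWED_EVENT_PREFIXES = ("set", "create", "delete", "rename", "open", "close", "query")

# Constructed sample: the RegistryMonitor stanza from the example file plus a deliberately
# broken stanza (missing 'inclusive', unknown event type, obsolete 'proc_name').
SAMPLE_CONF = """[RegistryMonitor]
filter_file_name = regmon-filters
event_types = set.*|create.*|delete.*|rename.*
inclusive = 0
disabled = 0

[BrokenMonitor]
filter_file_name = hklm_filters
event_types = set.*|modify.*
disabled = 0
proc_name = regedit.exe
"""

def resolve_filter_file(section):
    """Filter rules file the stanza reads: <filter_file_name>.conf, else regmon-filters.conf."""
    return section.get("filter_file_name", "regmon-filters") + ".conf"

def validate_stanza(section):
    """Return the spec violations found in one stanza (an empty list means it is valid)."""
    issues = []
    # 'inclusive' is required and has no default; splunk-regmon.exe will not run without it.
    inclusive = section.get("inclusive")
    if inclusive is None:
        issues.append("missing required 'inclusive' (1 = white list, 0 = black list)")
    elif inclusive not in ("0", "1"):
        issues.append("'inclusive' must be 0 or 1, got %r" % inclusive)
    if section.get("disabled", "0") not in ("0", "1"):
        issues.append("'disabled' must be 0 or 1")
    # event_types is pipe-separated; each element must begin with an allowed event type.
    for pattern in section.get("event_types", "").split("|"):
        if not pattern.startswith(ALLOWED_EVENT_PREFIXES):
            issues.append("event type %r must begin with one of: %s"
                          % (pattern, ", ".join(ALLOWED_EVENT_PREFIXES)))
    if "proc_name" in section:
        issues.append("'proc_name' is no longer used and should be removed")
    return issues

def validate_sysmon(text):
    """Parse a sysmon.conf body and map each stanza name to its list of issues."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    return {name: validate_stanza(parser[name]) for name in parser.sections()}
```

Running validate_sysmon over the sample reports the RegistryMonitor stanza as clean and lists three problems for BrokenMonitor, which is the case splunk-regmon.exe would otherwise refuse silently by not running the input.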



This documentation applies to the following versions of Splunk® Enterprise: 4.3
