Monitor Windows Registry data

The Windows Registry is the central configuration database on a Windows machine. Nearly all Windows processes and third-party programs interact with it. Without a healthy Registry, Windows does not run. Splunk Enterprise supports the capture of Windows Registry settings and lets you monitor changes to the Registry in real time.

When a program makes a change to a configuration, it writes those changes to the Registry. Later, when the program runs again, it looks into the Registry to read those configurations. You can learn when Windows programs and processes add, update, and delete Registry entries on your system. When a Registry entry changes, Splunk Enterprise captures the name of the process that made the change, as well as the entire path to the entry being changed.

The Windows Registry input monitor runs as a process called splunk-regmon.exe.

Why monitor the Registry?

The Registry is probably the most used, yet least understood component of Windows operation. It gets used constantly, with many different programs reading from and writing to it at all times. When something is not functioning as desired, Microsoft often instructs administrators and users alike to make changes to the Registry directly using the RegEdit tool. The ability to capture those edits, and any other changes, in real time is the first step in understanding the importance of the Registry.

The Registry's health is also very important. Splunk Enterprise not only tells you when changes to the Registry are made, but also whether or not those changes were successful. If programs and processes can't write to or read from the Registry, bad things can happen to your Windows system, including a complete failure. Splunk Enterprise can alert you to problems interacting with the Registry so that you can restore it from a backup and keep your system running.

What's required to monitor the Registry?

The following table lists the explicit permissions needed to monitor the Registry. You might need additional permissions based on the Registry keys that you want to monitor.

Performance considerations

When you install Splunk Enterprise on a Windows machine and enable Registry monitoring, you specify which Registry hives to monitor: the user hive (represented as HKEY_USERS in RegEdit) and/or the machine hive (represented as HKEY_LOCAL_MACHINE). The user hive contains user-specific configurations required by Windows and programs, and the machine hive contains configuration information specific to the machine, such as the location of services, drivers, object classes and security descriptors.

Since the Registry plays a central role in the operation of a Windows machine, enabling both Registry paths results in a lot of data for Splunk Enterprise to monitor. To achieve the best performance, Splunk recommends that you filter the amount of Registry data that Splunk Enterprise indexes by configuring inputs.conf.

Similarly, you can capture a baseline - a snapshot of the current state of your Windows Registry - when you first start Splunk, and again every time a specified amount of time has passed. The snapshot allows you to compare what the Registry looks like at a certain point in time, and provides for easier tracking of the changes to the Registry over time.

The snapshot process can be somewhat CPU-intensive, and might take several minutes to complete. You can postpone taking a baseline snapshot until you've edited inputs.conf and narrowed the scope of the Registry entries to those you specifically want Splunk Enterprise to monitor.

More information on inputs.conf and how to use it to filter incoming Registry events is available in "Filter incoming Registry events" later on this page.

Enable Registry monitoring in Splunk Web

To configure Splunk Enterprise to monitor the Windows Registry:

1. In Splunk Web, click Settings in the upper right corner.

2. Under "Data", click Data inputs.

3. Click Registry Monitoring.

4. Click New.

5. In the Collection Name field, enter a unique name for this collection.

6. In the Registry hive field, enter the path to the Registry key that you want Splunk Enterprise to monitor.

7. If you are not sure of the path, click the Browse button to select the Registry key path that you want Splunk Enterprise to monitor.

The Registry hive window opens and displays the Registry in tree view. Hives, keys and subkeys are represented by folders, and values are represented by document icons.

Note: The HKEY_USERS, HKEY_CURRENT_USER, HKEY_LOCAL_MACHINE, and HKEY_CURRENT_CONFIG hives are displayed as top-level objects. The HKEY_CLASSES_ROOT hive is not shown, due to the number of subkeys present in the first sublevel of that hive. To access HKEY_CLASSES_ROOT items, choose HKEY_LOCAL_MACHINE\Software\Classes.

8. In the Registry hive window, choose the desired Registry key by clicking on the name of the key.

The key's qualified name appears in the Qualified name field at the bottom of the window.

9. Click Select to confirm the choice and close the window.

10. Select Monitor subnodes if you want Splunk Enterprise to monitor the child nodes below the starting hive you specified in Steps 6 or 7.

Note: The Monitor subnodes node determines what Splunk Enterprise adds to the inputs.conf file that gets created when you define a Registry monitor input in Splunk Web.

If you use the tree view to select a key or hive to monitor, and Monitor subnodes is checked, then Splunk Enterprise adds a regular expression (or regex) to the stanza for the input you are defining. This regex (\\\\?.*) filters out events that do not directly reference the selected key or any of its subkeys.

If Monitor subnodes is not checked, then Splunk Enterprise adds a regex to the input stanza which filters out events that do not directly reference the selected key (including events that reference subkeys of the selected key.)

If you do not use the tree view to specify the desired key to monitor, then Splunk Enterprise adds the regex only if you have checked Monitor subnodes have not entered your own regex in the Registry hive field, as noted in Step 6.

11. Under Event types, select the Registry event types that you want Splunk Enterprise to monitor for the chosen Registry hive:

12. Click the checkbox next to More settings for additional options, or click Save to save the changes to the input. If you want to save the input now without making any additional changes, proceed to Step 16.

13. Tell Splunk which processes Splunk Enterprise should monitor for changes to the Registry by entering appropriate values in the Process Path field. Or, leave the default of C:\.* to have Splunk monitor all processes.

14. Tell Splunk Enterprise whether or not you want to take a baseline snapshot of the whole Registry before monitoring Registry changes. To set a baseline, click Yes under Baseline index.

Note: The baseline snapshot is an index of your entire Registry, at the time the snapshot is taken. Scanning the Registry to set a baseline index is a CPU-intensive process and may take some time.

15. Optionally, choose the index you want Splunk Enterprise to send Registry monitoring events to by selecting the desired index under Index.

16. Click Save.

Splunk Enterprise enables the input and returns you to the Registry monitoring page.

Note: To disable inputs after they have been enabled, select Disable under the Status column on the "Registry monitoring" page.

Caution: When the Registry monitor is running, do not stop or kill the splunk-regmon.exe process manually. Doing so can result in system instability. To stop the Registry monitor, stop the splunkd server process from either the Services control panel or the CLI.

View Registry change data

To view Registry change data that Splunk has indexed, go to the Search app and search for events with a source of WinRegistry. An example event, which Group Policy generates when a user logs in to a domain, follows:

3:03:28.505 PM  
06/19/2011 15:03:28.505
event_status="(0)The operation completed successfully."
pid=340
process_image="c:\WINDOWS\system32\winlogon.exe"
registry_type="SetValue"
key_path="HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History\DCName"
data_type="REG_SZ"
data="\\ftw.ad.splunk.com"

Each registry monitoring event contains:

You can use the Splunk Enterprise search commands and reporting features to create reports based on the incoming data, or use its alerting features to send alerts if things go wrong.

Filter incoming Registry events

Windows Registries generate a great number of events due to their near-constant use. This can cause problems with licensing - Splunk Registry monitoring can easily generate hundreds of megabytes of data per day.

Splunk Windows Registry monitoring uses a configuration file to determine what to monitor on your system, inputs.conf. This file needs to reside in $SPLUNK_HOME\etc\system\local\ on the server that runs Registry monitoring.

inputs.conf contains the specific regular expressions you create to refine and filter the Registry hive paths you want Splunk to monitor.

Each stanza in inputs.conf represents a particular filter whose definition includes:

Get a baseline snapshot

When you enable Registry monitoring, you're given the option of recording a baseline snapshot of the Registry hives the next time Splunk starts. By default, the snapshot covers the HKEY_CURRENT_USER and HKEY_LOCAL_MACHINE hives. It also establishes a timeline for when to retake the snapshot; by default, if Splunk Enterprise has been down for more than 24 hours since the last checkpoint, it will retake the baseline snapshot. You can customize this value for each of the filters in inputs.conf by setting the value of baseline_interval This attribute is expressed in seconds.