
Monitor Windows Registry data
The Windows Registry is the central configuration database on a Windows machine. Nearly all Windows processes and third-party programs interact with it. Without a healthy Registry, Windows does not run. Splunk Enterprise supports the capture of Windows Registry settings and lets you monitor changes to the Registry in real time.
When a program makes a change to a configuration, it writes those changes to the Registry. Later, when the program runs again, it looks into the Registry to read those configurations. You can learn when Windows programs and processes add, update, and delete Registry entries on your system. When a Registry entry changes, Splunk Enterprise captures the name of the process that made the change, as well as the entire path to the entry being changed.
The Windows Registry input monitor runs as a process called splunk-regmon.exe
.
Why monitor the Registry?
The Registry is probably the most used, yet least understood component of Windows operation. It gets used constantly, with many different programs reading from and writing to it at all times. When something is not functioning as desired, Microsoft often instructs administrators and users alike to make changes to the Registry directly using the RegEdit tool. The ability to capture those edits, and any other changes, in real time is the first step in understanding the importance of the Registry.
The Registry's health is also very important. Splunk Enterprise not only tells you when changes to the Registry are made, but also whether or not those changes were successful. If programs and processes can't write to or read from the Registry, bad things can happen to your Windows system, including a complete failure. Splunk Enterprise can alert you to problems interacting with the Registry so that you can restore it from a backup and keep your system running.
What's required to monitor the Registry?
The following table lists the explicit permissions needed to monitor the Registry. You might need additional permissions based on the Registry keys that you want to monitor.
Activity: | Required permissions: |
---|---|
Monitor the Registry | * Splunk Enterprise must run on Windows AND * Splunk Enterprise must run as either the local system user OR * Splunk Enterprise must run as a domain user with read access to the Registry hives or keys that you want to monitor |
Performance considerations
When you install Splunk Enterprise on a Windows machine and enable Registry monitoring, you specify which Registry hives to monitor: the user hive (represented as HKEY_USERS
in RegEdit) and/or the machine hive (represented as HKEY_LOCAL_MACHINE
). The user hive contains user-specific configurations required by Windows and programs, and the machine hive contains configuration information specific to the machine, such as the location of services, drivers, object classes and security descriptors.
Since the Registry plays a central role in the operation of a Windows machine, enabling both Registry paths results in a lot of data for Splunk Enterprise to monitor. To achieve the best performance, Splunk recommends that you filter the amount of Registry data that Splunk Enterprise indexes by configuring inputs.conf
.
Similarly, you can capture a baseline - a snapshot of the current state of your Windows Registry - when you first start Splunk, and again every time a specified amount of time has passed. The snapshot allows you to compare what the Registry looks like at a certain point in time, and provides for easier tracking of the changes to the Registry over time.
The snapshot process can be somewhat CPU-intensive, and might take several minutes to complete. You can postpone taking a baseline snapshot until you've edited inputs.conf
and narrowed the scope of the Registry entries to those you specifically want Splunk Enterprise to monitor.
More information on inputs.conf
and how to use it to filter incoming Registry events is available in "Filter incoming Registry events" later on this page.
Enable Registry monitoring in Splunk Web
To configure Splunk Enterprise to monitor the Windows Registry:
1. In Splunk Web, click Settings in the upper right corner.
2. Under "Data", click Data inputs.
3. Click Registry Monitoring.
4. Click New.
5. In the Collection Name field, enter a unique name for this collection.
6. In the Registry hive field, enter the path to the Registry key that you want Splunk Enterprise to monitor.
7. If you are not sure of the path, click the Browse button to select the Registry key path that you want Splunk Enterprise to monitor.
The Registry hive window opens and displays the Registry in tree view. Hives, keys and subkeys are represented by folders, and values are represented by document icons.
Note: The HKEY_USERS, HKEY_CURRENT_USER, HKEY_LOCAL_MACHINE,
and HKEY_CURRENT_CONFIG
hives are displayed as top-level objects. The HKEY_CLASSES_ROOT
hive is not shown, due to the number of subkeys present in the first sublevel of that hive. To access HKEY_CLASSES_ROOT
items, choose HKEY_LOCAL_MACHINE\Software\Classes
.
8. In the Registry hive window, choose the desired Registry key by clicking on the name of the key.
The key's qualified name appears in the Qualified name field at the bottom of the window.
9. Click Select to confirm the choice and close the window.
10. Select Monitor subnodes if you want Splunk Enterprise to monitor the child nodes below the starting hive you specified in Steps 6 or 7.
Note: The Monitor subnodes node determines what Splunk Enterprise adds to the inputs.conf
file that gets created when you define a Registry monitor input in Splunk Web.
If you use the tree view to select a key or hive to monitor, and Monitor subnodes is checked, then Splunk Enterprise adds a regular expression (or regex) to the stanza for the input you are defining. This regex (\\\\?.*
) filters out events that do not directly reference the selected key or any of its subkeys.
If Monitor subnodes is not checked, then Splunk Enterprise adds a regex to the input stanza which filters out events that do not directly reference the selected key (including events that reference subkeys of the selected key.)
If you do not use the tree view to specify the desired key to monitor, then Splunk Enterprise adds the regex only if you have checked Monitor subnodes have not entered your own regex in the Registry hive field, as noted in Step 6.
11. Under Event types, select the Registry event types that you want Splunk Enterprise to monitor for the chosen Registry hive:
Event Type | Description |
---|---|
Set | Splunk Enterprise generates a Set event when a program executes a SetValue method on a Registry subkey, thus setting a value or overwriting an existing value on an existing Registry entry. |
Create | Splunk Enterprise generates a Create event when a program executes a CreateSubKey method within a Registry hive, thus creating a new subkey within an existing Registry hive. |
Delete | Splunk Enterprise generates a Delete event when a program executes a DeleteValue or DeleteSubKey method. This method either removes a value for a specific existing key, or removes a key from an existing hive. |
Rename | Splunk Enterprise generates a Rename event when you rename a Registry key or subkey in RegEdit. |
Open | Splunk Enterprise generates an Open event when a program executes an OpenSubKey method on a Registry subkey, such as what happens when a program needs configuration information contained in the Registry. |
Close | Splunk Enterprise generates a Close event when a program executes a Close method on a Registry key. This happens when a program is done reading the contents of a key, or after you make a change to a key's value in RegEdit and exit the value entry window. |
Query | Splunk Enterprise generates a Query event when a program executes the GetValue method on a Registry subkey. |
12. Click the checkbox next to More settings for additional options, or click Save to save the changes to the input. If you want to save the input now without making any additional changes, proceed to Step 16.
13. Tell Splunk which processes Splunk Enterprise should monitor for changes to the Registry by entering appropriate values in the Process Path field. Or, leave the default of C:\.*
to have Splunk monitor all processes.
14. Tell Splunk Enterprise whether or not you want to take a baseline snapshot of the whole Registry before monitoring Registry changes. To set a baseline, click Yes under Baseline index.
Note: The baseline snapshot is an index of your entire Registry, at the time the snapshot is taken. Scanning the Registry to set a baseline index is a CPU-intensive process and may take some time.
15. Optionally, choose the index you want Splunk Enterprise to send Registry monitoring events to by selecting the desired index under Index.
16. Click Save.
Splunk Enterprise enables the input and returns you to the Registry monitoring page.
Note: To disable inputs after they have been enabled, select Disable under the Status column on the "Registry monitoring" page.
Caution: When the Registry monitor is running, do not stop or kill the splunk-regmon.exe
process manually. Doing so can result in system instability. To stop the Registry monitor, stop the splunkd
server process from either the Services control panel or the CLI.
View Registry change data
To view Registry change data that Splunk has indexed, go to the Search app and search for events with a source of WinRegistry
. An example event, which Group Policy generates when a user logs in to a domain, follows:
3:03:28.505 PM 06/19/2011 15:03:28.505 event_status="(0)The operation completed successfully." pid=340 process_image="c:\WINDOWS\system32\winlogon.exe" registry_type="SetValue" key_path="HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History\DCName" data_type="REG_SZ" data="\\ftw.ad.splunk.com"
Each registry monitoring event contains:
Attribute | Description |
---|---|
event_status
|
The result of the registry change attempt. This should always be "(0) The operation completed successfully. ". If it is not, there might be problems with the Registry that might eventually require a restore from a backup.
|
pid
|
The process ID of the process that attempted to make the Registry change. |
process_image
|
The name of the process that attempted to make the Registry change. |
registry_type
|
The type of Registry operation that the process_image attempted to invoke.
|
key_path
|
The Registry key path that the process_image attempted to make a change to.
|
data_type
|
The type of Registry data that the process_image making the Registry change tried to get or set.
|
data
|
The data that the process_image making the Registry change tried to read or write.
|
You can use the Splunk Enterprise search commands and reporting features to create reports based on the incoming data, or use its alerting features to send alerts if things go wrong.
Filter incoming Registry events
Windows Registries generate a great number of events due to their near-constant use. This can cause problems with licensing - Splunk Registry monitoring can easily generate hundreds of megabytes of data per day.
Splunk Windows Registry monitoring uses a configuration file to determine what to monitor on your system, inputs.conf. This file needs to reside in $SPLUNK_HOME\etc\system\local\
on the server that runs Registry monitoring.
inputs.conf
contains the specific regular expressions you create to refine and filter the Registry hive paths you want Splunk to monitor.
Each stanza in inputs.conf
represents a particular filter whose definition includes:
Attribute | Description |
---|---|
proc
|
A regular expression containing the path to the process or processes you want to monitor. |
hive
|
A regular expression containing the hive path to the entry or entries you want to monitor. Splunk supports the root key value mappings predefined in Windows:
|
type
|
The subset of event types to monitor. Can be one or more of delete, set, create, rename, open, close or query . The values here must be a subset of the values for event_types that you set in sysmon.conf .
|
baseline
|
Whether or not to capture a baseline snapshot for that particular hive path. Set to 1 for yes, and 0 for no. |
baseline_interval
|
How long Splunk Enterprise has to have been down before re-taking the snapshot, in seconds. The default value is 86,400 seconds (1 day). |
disabled
|
Whether or not a filter is enabled. Set to 1 to disable the filter, and 0 to enable it. |
Get a baseline snapshot
When you enable Registry monitoring, you're given the option of recording a baseline snapshot of the Registry hives the next time Splunk starts. By default, the snapshot covers the HKEY_CURRENT_USER and HKEY_LOCAL_MACHINE hives. It also establishes a timeline for when to retake the snapshot; by default, if Splunk Enterprise has been down for more than 24 hours since the last checkpoint, it will retake the baseline snapshot. You can customize this value for each of the filters in inputs.conf
by setting the value of baseline_interval
This attribute is expressed in seconds.
PREVIOUS Monitor WMI-based data |
NEXT Monitor Windows performance in real time |
This documentation applies to the following versions of Splunk® Enterprise: 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.0.15, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.1.14
Feedback submitted, thanks!