Splunk® Enterprise

Getting Data In

Splunk Enterprise versions higher than version 9.4.2 are documented on our new documentation portal only. To get started, see the Splunk Enterprise page on help.splunk.com and the Splunk Enterprise 9.4.3 release notes. For information about how version selection works in the new portal, see Version selection on the About This Site page.

Monitor Windows Registry data

The Windows Registry is the central configuration database on a Windows machine. Nearly all Windows processes and third-party programs interact with it. Without a healthy Registry, Windows does not run. The Splunk platform supports the capture of Windows Registry settings and lets you monitor changes to the Registry in real time.

When a program makes a change to a configuration, it writes those changes to the Registry. When the program runs again, it looks into the Registry to read those configurations. You can learn when Windows programs and processes add, update, and delete Registry entries on your system. When a Registry entry changes, the Splunk platform captures the name of the process that made the change, as well as the entire path to the entry being changed.

If you use Splunk Cloud Platform, you must install the universal forwarder on a Windows machine to collect data from the Windows Registry and forward it to your Splunk Cloud Platform deployment.

Reasons to monitor the Registry

Many programs and processes read from and write to it at all times. When something is not functioning, Microsoft often instructs administrators and users alike to make changes to the Registry directly using the RegEdit tool. The ability to capture those edits, and any other changes, in real time is the first step in understanding the importance of the Registry.

Registry health is very important. The Splunk platform tells you when changes to the Registry are made and also if those changes were successful. If programs and processes can't write to or read from the Registry, a system failure can occur. The Splunk platform can alert you to problems interacting with the Registry so that you can restore it from a backup and keep your system running.

Requirements to monitor the Registry

The following table lists the explicit permissions you need to monitor the Registry. You might need additional permissions based on the Registry keys that you want to monitor.

Activity Required permissions
Monitor the Registry
  • Splunk Enterprise or the universal forwarder must run on Windows.
  • The Splunk platform instance must run as the Local System user, or as a domain user with read access to the Registry hives or keys that you want to monitor.

Performance considerations

When you enable Registry monitoring, you specify which Registry hives to monitor: the user hive, represented as HKEY_USERS in RegEdit, or the machine hive, represented as HKEY_LOCAL_MACHINE. The user hive contains user-specific configurations required by Windows and programs, and the machine hive contains configuration information specific to the machine, such as the location of services, drivers, object classes, and security descriptors.

Because the Registry plays a central role in the operation of a Windows machine, enabling both Registry paths can result in a lot of data for the Splunk platform to monitor. To achieve the best performance, filter the amount of Registry data that the platform indexes by configuring the inputs.conf configuration file.

You can capture a baseline snapshot of the current state of your Windows Registry when you first start the Splunk platform, and again every time a specified amount of time has passed. The snapshot lets you compare what the Registry looks like at a certain point in time and provides for easier tracking of the changes to the Registry over time.

The snapshot process can be CPU-intensive, and might take several minutes to complete. You can postpone taking a baseline snapshot until you have narrowed the scope of the Registry entries to those you specifically want the Splunk platform to monitor.

Enable Registry event monitoring using configuration files

Windows Registries generate a great number of events due to their near-constant use. This can cause problems with licensing. Splunk Registry monitoring can generate hundreds of megabytes of data per day.

Splunk Windows Registry monitoring uses a configuration file to determine what to monitor on your system, inputs.conf. This file must reside in %SPLUNK_HOME%\etc\system\local\ on the machine that runs Registry monitoring.

The inputs.conf file contains the specific regular expressions you create to refine and filter the Registry hive paths you want the Splunk platform to monitor.

Each stanza in the inputs.conf file represents a particular filter whose definition includes:

Attribute Description
proc A regular expression containing the path to the process or processes you want to monitor. Default: .*, or all processes.
hive A regular expression that contains the hive path to the entry or entries you want to monitor. Splunk supports the root key value mappings predefined in Windows:
  • \\REGISTRY\\USER\\ maps to HKEY_USERS or HKU
  • \\REGISTRY\\USER\\_Classes maps to HKEY_CLASSES_ROOT or HKCR
  • \\REGISTRY\\MACHINE maps to HKEY_LOCAL_MACHINE or HKLM
  • \\REGISTRY\\MACHINE\\SOFTWARE\\Classes maps to HKEY_CLASSES_ROOT or HKCR
  • \\REGISTRY\\MACHINE\\SYSTEM\\CurrentControlSet\\Hardware Profiles\\Current maps to HKEY_CURRENT_CONFIG or HKCC
  • There is no direct mapping for HKEY_CURRENT_USER or HKCU because the Registry monitor runs in kernel mode. Use \\REGISTRY\\USER\\.* The period and asterisk at the end are required. Use this mapping to generate events that contain the security identifier (SID) of the logged-in user.
  • As an alternative to using the previously-described mappings, you can specify the user whose Registry keys you want to monitor by using \\REGISTRY\\USER\\<SID>, where SID is the SID of the user.
type The subset of event types to monitor. This subset can be one or more of delete, set, create, rename, open, close or query. The values for this attribute must be a subset of the values for event_types that you set in inputs.conf.
baseline Whether or not to capture a baseline snapshot for that particular hive path. Set to 1 for yes, and 0 for no.
baseline_interval How much time, in seconds, must have elapsed since the last baseline was taken before the Splunk platform takes another baseline on startup. For example, if you set baseline_interval to 600, then when the Splunk platform starts or restarts, it takes a baseline if the existing baseline is more than 600 seconds old. If no baseline exists, then the Splunk platform takes a baseline immediately. This setting has no effect if you do not also set baseline to 1. The default value is 86,400 seconds (1 day).
disabled Whether or not a filter is enabled. Set to 1 to disable the filter, and 0 to enable it.

Enable Registry monitoring in Splunk Web

You can use Splunk Web to configure Windows Registry monitoring on a Splunk Enterprise instance.

Go to the Add New page

You can get there by two routes:

  • Splunk Home
  • Splunk Settings

By Splunk Settings:

  1. Click Settings in the upper right corner of Splunk Web.
  2. Click Data Inputs.
  3. Click Registry monitoring.
  4. Click New to add an input.

By Splunk Home:

  1. Click the Add Data link in Splunk Home.
  2. Click Monitor to monitor Registry data on the local Windows machine.

Select the input source

  1. Locate and select Registry monitoring.
  2. In the Collection Name field, enter a unique name for the input that you will remember.
  3. In the Registry hive field, enter the path to the Registry key that you want the Splunk platform to monitor. If you plan to monitor more than one hive, each hive requires its own separate input.
    If you are not sure of the path, click the Browse button to select the Registry key path that you want the Splunk platform to monitor. The Registry hive window opens and displays the Registry in tree view. Hives, keys and subkeys display as folders, and values display as document icons. The HKEY_USERS, HKEY_CURRENT_USER, HKEY_LOCAL_MACHINE, and HKEY_CURRENT_CONFIG hives display as top-level objects. The HKEY_CLASSES_ROOT hive is not shown because of the number of subkeys present in the first sublevel of that hive. To access HKEY_CLASSES_ROOT items, choose HKEY_LOCAL_MACHINE\Software\Classes.
  4. In the Registry hive window, click the name of the Registry key you want. The qualified key name appears in the Qualified name field at the bottom of the window.
  5. Click Select to confirm the choice and close the window.
  6. (Optional) Select Monitor subnodes if you want to monitor the child nodes below the starting hive.

    The Monitor subnodes node determines what the Splunk platform adds to the inputs.conf file that it creates when you define a Registry monitor input in Splunk Web.

    If you use the tree view to select a key or hive to monitor and check Monitor subnodes, then the Splunk platform adds a regular expression to the stanza for the input you are defining. This regular expression (\\\\?.*) filters out events that do not directly reference the selected key or any of its subkeys.

    If you do not check Monitor subnodes, then the Splunk platform adds a regular expression to the input stanza which filters out events that do not directly reference the selected key, including events that reference subkeys of the selected key.

    If you do not use the tree view to specify the key you want to monitor, then the Splunk platform adds the regular expression only if you have checked Monitor subnodes and have not entered your own regular expression in the Registry hive field.

  7. Under Event types, select the Registry event types that you want the Splunk platform to monitor for the chosen Registry hive:
    Event Type Description
    Set The Splunk platform generates a Set event when a program executes a SetValue method on a Registry subkey, thus setting a value or overwriting an existing value on an existing Registry entry.
    Create The Splunk platform generates a Create event when a program executes a CreateSubKey method within a Registry hive, creating a new subkey within an existing Registry hive.
    Delete The Splunk platform generates a Delete event when a program executes a DeleteValue or DeleteSubKey method. This method either removes a value for a specific existing key, or it removes a key from an existing hive.
    Rename The Splunk platform generates a Rename event when you rename a Registry key or subkey in RegEdit.
    Open The Splunk platform generates an Open event when a program executes an OpenSubKey method on a Registry subkey, such as what happens when a program needs configuration information contained in the Registry.
    Close The Splunk platform generates a Close event when a program executes a Close method on a Registry key. This happens when a program is done reading the contents of a key, or after you make a change to a key's value in RegEdit and exit the value entry window.
    Query The Splunk platform generates a Query event when a program executes the GetValue method on a Registry subkey.
  8. Specify which processes the Splunk platform should monitor for changes to the Registry by entering appropriate values in the Process Path field. Or, leave the default of .* to monitor all processes.
  9. Specity whether or not you want to take a baseline snapshot of the whole Registry before monitoring Registry changes. To set a baseline, click Yes under Baseline index.

    The baseline snapshot is an index of your entire Registry, at the time the snapshot is taken. Registry events within the snapshot retain their original indexing timestamps.

    </caution>Scanning the Registry to set a baseline index is a CPU-intensive process and might take some time.</caution>
  10. Click Next.

Specify input settings

The Input Settings page lets you specify application context, default host value, and index. All of these parameters are optional.

  1. Select the appropriate Application context for this input.
  2. In the Host field, set the host name value.

    This field only sets the host field in the resulting events. It does not direct the Splunk platform to look on a specific host on your network.

  3. In the Index field, set the index that the Splunk platform should send data to. Leave the value as "default" unless you have defined multiple indexes to handle different types of events. In addition to indexes for user data, the Splunk platform has a number of utility indexes, which also appear in this dropdown list box.
  4. Click Review.

Review your choices

After specifying all your input settings, review your selections. The Splunk platform lists all options you selected, including the type of monitor, the source, the source type, the application context, and the index.

  1. Review the settings.
  2. If the settings do not match what you want, click < to go back to the previous step in the wizard.
  3. Click Submit.

The Splunk platform then loads the Success page and begins indexing the specified Registry nodes.

View Registry change data

To view Registry change data that the Splunk platform indexed, go to the Search app and search for events with a source of WinRegistry. An example event, which Group Policy generates when a user logs in to a domain, follows: 

3:03:28.505 PM  
06/19/2011 15:03:28.505
event_status="(0)The operation completed successfully."
pid=340
process_image="c:\WINDOWS\system32\winlogon.exe"
registry_type="SetValue"
key_path="HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History\DCName"
data_type="REG_SZ"
data="\\ftw.ad.splunk.com"

Each registry monitoring event contains the following attributes:

Setting Description
event_status The result of the registry change attempt. This result will be "(0) The operation completed successfully." If it is not, there might be problems with the Registry that require a restore from a backup.
pid The process ID of the process that attempted to make the Registry change.
process_image The name of the process that attempted to make the Registry change.
registry_type The type of Registry operation that the process_image attempted to invoke.
key_path The Registry key path that the process_image attempted to make a change to.
data_type The type of Registry data that the process_image making the Registry change tried to get or set.
data The data that the process_image making the Registry change tried to read or write.

Get a baseline snapshot

When you enable Registry monitoring, you can record a baseline snapshot of the Registry hives the next time the Splunk platform starts. By default, the snapshot covers the HKEY_CURRENT_USER and HKEY_LOCAL_MACHINE hives. It also establishes a timeline for when to retake the snapshot. By default, if the baseline is more than 24 hours old, when the Splunk platform next starts, it retakes the baseline snapshot. You can customize this value for each of the filters in inputs.conf by setting the value of baseline_interval, in seconds.

When you create a baseline snapshot, the snapshot uses the index time of the Registry data, not the snapshot creation time. For example, if a change to a Registry key occurred two years ago, the timestamp for that event will be two years ago, not when the baseline snapshot was created.

Last modified on 27 October, 2021
Monitor data through Windows Management Instrumentation (WMI)   Monitor Windows performance

This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.1.8, 9.1.9, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.2.5, 9.2.6, 9.3.0, 9.3.1, 9.3.2, 9.3.3, 9.3.4, 9.4.0, 9.4.1, 9.4.2

Acrobat logo Download manual
Acrobat logo Download this page

Please expect delayed responses to documentation feedback while the team migrates content to a new system. We value your input and thank you for your patience as we work to provide you with an improved content experience!

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters