
Windows registry - local
You can monitor changes to the Registry on Windows machines with Splunk. Whether it's an entire hive or just one key, whether it's an add, change, delete or even just a read - Splunk's Registry monitoring service can collect that data and allow you to search, report and alert on it.
To get local Windows registry change data, attach Splunk to your registry:
1. From the Home page in Splunk Web, click Add data.
2. Under the To get started... banner, click Windows registry.
3. Choose Next under Windows Registry data on this Splunk server.
4. Click New.
5. On the next page, type in a name that you'll remember in the Collection Name field.
6. Click the Browse... button next to the Registry hive field to select a hive path to monitor.
7. When the tree view appears, select the hive or key that you want to monitor by clicking on the folder or document icons within the tree view.
For example, if you want to monitor the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control
Registry path, in the tree view window, click once on HKEY_LOCAL_MACHINE
to expand it, then SYSTEM
in the expanded list, then CurrentControlSet
, and finally Control
. The selected Registry path always appears in the Qualified Name field at the bottom of the window.
8. Once you have chosen the desired hive or key to monitor, click Select.
9. Select the Monitor subnodes checkbox if you want Splunk to monitor all Registry key paths below the hive or node that you selected in Step 7.
Note: Be sure to read information about filtering incoming Registry events below.
10. Choose up to 7 Registry event types that you want Splunk to monitor by selecting the checkboxes beside the desired events.
Note: More information on these event types can be found in "Enable Registry monitoring in Splunk Web" in this manual.
You can usually leave the other fields unchanged, including the fields under the More settings option.
11. Click Save.
12. You'll be returned to the Registry Monitoring page. From here, you can add new Registry monitoring inputs, or click Back to Home in the upper left corner of the screen to either search through your incoming data.
Windows Registry monitoring inputs generate a lot of data. To learn how to filter that data, or for additional information about the Registry monitor inputs, review "Monitor Windows registry data" in this manual.
PREVIOUS Windows event logs - many remote |
NEXT Windows registry - remote |
This documentation applies to the following versions of Splunk® Enterprise: 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.0.15, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.1.14
Feedback submitted, thanks!