Splunk® Enterprise

Getting Data In

Download manual as PDF

This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Download topic as PDF

Monitor Windows Registry data

The Windows Registry is the central configuration database on a Windows machine. Nearly all Windows processes and third-party programs interact with it. Without a healthy Registry, Windows does not run. Splunk Enterprise supports the capture of Windows Registry settings and lets you monitor changes to the Registry in real time.

When a program makes a change to a configuration, it writes those changes to the Registry. Later, when the program runs again, it looks into the Registry to read those configurations. You can learn when Windows programs and processes add, update, and delete Registry entries on your system. When a Registry entry changes, Splunk Enterprise captures the name of the process that made the change, as well as the entire path to the entry being changed.

The Windows Registry input monitor runs as a process called splunk-regmon.exe.

Why monitor the Registry?

The Registry is probably the most used, yet least understood component of Windows operation. It gets used constantly, with many different programs reading from and writing to it at all times. When something is not functioning as desired, Microsoft often instructs administrators and users alike to make changes to the Registry directly using the RegEdit tool. The ability to capture those edits, and any other changes, in real time is the first step in understanding the importance of the Registry.

The Registry's health is also very important. Splunk Enterprise not only tells you when changes to the Registry are made, but also whether or not those changes were successful. If programs and processes can't write to or read from the Registry, bad things can happen to your Windows system, including a complete failure. Splunk Enterprise can alert you to problems interacting with the Registry so that you can restore it from a backup and keep your system running.

What's required to monitor the Registry?

The following table lists the explicit permissions needed to monitor the Registry. You might need additional permissions based on the Registry keys that you want to monitor.

Activity: Required permissions:
Monitor the Registry * Splunk Enterprise must run on Windows
AND
* Splunk Enterprise must run as either the local system user
OR
* Splunk Enterprise must run as a domain user with read access to the Registry hives or keys that you want to monitor

Performance considerations

When you install Splunk Enterprise on a Windows machine and enable Registry monitoring, you specify which Registry hives to monitor: the user hive (represented as HKEY_USERS in RegEdit) and/or the machine hive (represented as HKEY_LOCAL_MACHINE). The user hive contains user-specific configurations required by Windows and programs, and the machine hive contains configuration information specific to the machine, such as the location of services, drivers, object classes and security descriptors.

Since the Registry plays a central role in the operation of a Windows machine, enabling both Registry paths results in a lot of data for Splunk Enterprise to monitor. To achieve the best performance, Splunk recommends that you filter the amount of Registry data that Splunk Enterprise indexes by configuring inputs.conf.

Similarly, you can capture a baseline - a snapshot of the current state of your Windows Registry - when you first start Splunk, and again every time a specified amount of time has passed. The snapshot allows you to compare what the Registry looks like at a certain point in time, and provides for easier tracking of the changes to the Registry over time.

The snapshot process can be somewhat CPU-intensive, and might take several minutes to complete. You can postpone taking a baseline snapshot until you've edited inputs.conf and narrowed the scope of the Registry entries to those you specifically want Splunk Enterprise to monitor.

More information on inputs.conf and how to use it to filter incoming Registry events is available in "Filter incoming Registry events" later on this page.

Enable Registry monitoring in Splunk Web

To configure Splunk Enterprise to monitor the Windows Registry:

1. In Splunk Web, click Settings in the upper right corner.

2. Under "Data", click Data inputs.

3. Click Registry Monitoring.

4. Click New.

5. In the Collection Name field, enter a unique name for this collection.

6. In the Registry hive field, enter the path to the Registry key that you want Splunk Enterprise to monitor.

7. If you are not sure of the path, click the Browse button to select the Registry key path that you want Splunk Enterprise to monitor.

The Registry hive window opens and displays the Registry in tree view. Hives, keys and subkeys are represented by folders, and values are represented by document icons.

Note: The HKEY_USERS, HKEY_CURRENT_USER, HKEY_LOCAL_MACHINE, and HKEY_CURRENT_CONFIG hives are displayed as top-level objects. The HKEY_CLASSES_ROOT hive is not shown, due to the number of subkeys present in the first sublevel of that hive. To access HKEY_CLASSES_ROOT items, choose HKEY_LOCAL_MACHINE\Software\Classes.

8. In the Registry hive window, choose the desired Registry key by clicking on the name of the key.

The key's qualified name appears in the Qualified name field at the bottom of the window.

9. Click Select to confirm the choice and close the window.

10. Select Monitor subnodes if you want Splunk Enterprise to monitor the child nodes below the starting hive you specified in Steps 6 or 7.

Note: The Monitor subnodes node determines what Splunk Enterprise adds to the inputs.conf file that gets created when you define a Registry monitor input in Splunk Web.

If you use the tree view to select a key or hive to monitor, and Monitor subnodes is checked, then Splunk Enterprise adds a regular expression (or regex) to the stanza for the input you are defining. This regex (\\\\?.*) filters out events that do not directly reference the selected key or any of its subkeys.

If Monitor subnodes is not checked, then Splunk Enterprise adds a regex to the input stanza which filters out events that do not directly reference the selected key (including events that reference subkeys of the selected key.)

If you do not use the tree view to specify the desired key to monitor, then Splunk Enterprise adds the regex only if you have checked Monitor subnodes have not entered your own regex in the Registry hive field, as noted in Step 6.

11. Under Event types, select the Registry event types that you want Splunk Enterprise to monitor for the chosen Registry hive:

Event Type Description
Set Splunk Enterprise generates a Set event when a program executes a SetValue method on a Registry subkey, thus setting a value or overwriting an existing value on an existing Registry entry.
Create Splunk Enterprise generates a Create event when a program executes a CreateSubKey method within a Registry hive, thus creating a new subkey within an existing Registry hive.
Delete Splunk Enterprise generates a Delete event when a program executes a DeleteValue or DeleteSubKey method. This method either removes a value for a specific existing key, or removes a key from an existing hive.
Rename Splunk Enterprise generates a Rename event when you rename a Registry key or subkey in RegEdit.
Open Splunk Enterprise generates an Open event when a program executes an OpenSubKey method on a Registry subkey, such as what happens when a program needs configuration information contained in the Registry.
Close Splunk Enterprise generates a Close event when a program executes a Close method on a Registry key. This happens when a program is done reading the contents of a key, or after you make a change to a key's value in RegEdit and exit the value entry window.
Query Splunk Enterprise generates a Query event when a program executes the GetValue method on a Registry subkey.

12. Click the checkbox next to More settings for additional options, or click Save to save the changes to the input. If you want to save the input now without making any additional changes, proceed to Step 16.

13. Tell Splunk which processes Splunk Enterprise should monitor for changes to the Registry by entering appropriate values in the Process Path field. Or, leave the default of C:\.* to have Splunk monitor all processes.

14. Tell Splunk Enterprise whether or not you want to take a baseline snapshot of the whole Registry before monitoring Registry changes. To set a baseline, click Yes under Baseline index.

Note: The baseline snapshot is an index of your entire Registry, at the time the snapshot is taken. Scanning the Registry to set a baseline index is a CPU-intensive process and may take some time.

15. Optionally, choose the index you want Splunk Enterprise to send Registry monitoring events to by selecting the desired index under Index.

16. Click Save.

Splunk Enterprise enables the input and returns you to the Registry monitoring page.

Note: To disable inputs after they have been enabled, select Disable under the Status column on the "Registry monitoring" page.

Caution: When the Registry monitor is running, do not stop or kill the splunk-regmon.exe process manually. Doing so can result in system instability. To stop the Registry monitor, stop the splunkd server process from either the Services control panel or the CLI.

View Registry change data

To view Registry change data that Splunk has indexed, go to the Search app and search for events with a source of WinRegistry. An example event, which Group Policy generates when a user logs in to a domain, follows:

3:03:28.505 PM  
06/19/2011 15:03:28.505
event_status="(0)The operation completed successfully."
pid=340
process_image="c:\WINDOWS\system32\winlogon.exe"
registry_type="SetValue"
key_path="HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History\DCName"
data_type="REG_SZ"
data="\\ftw.ad.splunk.com"

Each registry monitoring event contains:

Attribute Description
event_status The result of the registry change attempt. This should always be "(0) The operation completed successfully.". If it is not, there might be problems with the Registry that might eventually require a restore from a backup.
pid The process ID of the process that attempted to make the Registry change.
process_image The name of the process that attempted to make the Registry change.
registry_type The type of Registry operation that the process_image attempted to invoke.
key_path The Registry key path that the process_image attempted to make a change to.
data_type The type of Registry data that the process_image making the Registry change tried to get or set.
data The data that the process_image making the Registry change tried to read or write.

You can use the Splunk Enterprise search commands and reporting features to create reports based on the incoming data, or use its alerting features to send alerts if things go wrong.

Filter incoming Registry events

Windows Registries generate a great number of events due to their near-constant use. This can cause problems with licensing - Splunk Registry monitoring can easily generate hundreds of megabytes of data per day.

Splunk Windows Registry monitoring uses a configuration file to determine what to monitor on your system, inputs.conf. This file needs to reside in $SPLUNK_HOME\etc\system\local\ on the server that runs Registry monitoring.

inputs.conf contains the specific regular expressions you create to refine and filter the Registry hive paths you want Splunk to monitor.

Each stanza in inputs.conf represents a particular filter whose definition includes:

Attribute Description
proc A regular expression containing the path to the process or processes you want to monitor.
hive A regular expression containing the hive path to the entry or entries you want to monitor. Splunk supports the root key value mappings predefined in Windows:
  • \\REGISTRY\\USER\\ maps to HKEY_USERS or HKU
  • \\REGISTRY\\USER\\_Classes maps to HKEY_CLASSES_ROOT or HKCR
  • \\REGISTRY\\MACHINE maps to HKEY_LOCAL_MACHINE or HKLM
  • \\REGISTRY\\MACHINE\\SOFTWARE\\Classes maps to HKEY_CLASSES_ROOT or HKCR
  • \\REGISTRY\\MACHINE\\SYSTEM\\CurrentControlSet\\Hardware Profiles\\Current maps to HKEY_CURRENT_CONFIG or HKCC
  • Note: There is no direct mapping for HKEY_CURRENT_USER or HKCU, as Splunk's Registry monitor runs in kernel mode. However, using \\REGISTRY\\USER\\.* (note the period and asterisk at the end) generates events that contain the logged-in user's security identifier (SID).
  • Alternatively, you can specify the user whose Registry keys you wish to monitor by using \\REGISTRY\\USER\\<SID>, where SID is the SID of the desired user.
type The subset of event types to monitor. Can be one or more of delete, set, create, rename, open, close or query. The values here must be a subset of the values for event_types that you set in sysmon.conf.
baseline Whether or not to capture a baseline snapshot for that particular hive path. Set to 1 for yes, and 0 for no.
baseline_interval How long Splunk Enterprise has to have been down before re-taking the snapshot, in seconds. The default value is 86,400 seconds (1 day).
disabled Whether or not a filter is enabled. Set to 1 to disable the filter, and 0 to enable it.

Get a baseline snapshot

When you enable Registry monitoring, you're given the option of recording a baseline snapshot of the Registry hives the next time Splunk starts. By default, the snapshot covers the HKEY_CURRENT_USER and HKEY_LOCAL_MACHINE hives. It also establishes a timeline for when to retake the snapshot; by default, if Splunk Enterprise has been down for more than 24 hours since the last checkpoint, it will retake the baseline snapshot. You can customize this value for each of the filters in inputs.conf by setting the value of baseline_interval This attribute is expressed in seconds.

PREVIOUS
Monitor WMI-based data
  NEXT
Monitor Windows performance in real time

This documentation applies to the following versions of Splunk® Enterprise: 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.0.15, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.1.14


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters