Windows registry - local
You can monitor changes to the Registry on Windows machines with Splunk Enterprise. Whether you want to monitor an entire hive or just one key, and regardless of how much activity it sees, the Splunk Enterprise Registry monitoring service can collect that data and let you search, report, and alert on it.
To get local Windows Registry change data, connect Splunk Enterprise to the Registry:
A. Go to the Add New page
You add an input from the Add New page in Splunk Web. See "How do you want to add data?"
You can get there by two routes:
- Splunk Home
- Splunk Settings
Via Splunk Settings:
1. Click Settings in the upper right-hand corner of Splunk Web.
2. In the Data section of the Settings pop-up, click Data Inputs.
3. Click Registry monitoring.
4. Click the New button to add an input.
Via Splunk Home:
1. Click the Add Data link in Splunk Home.
2. Click Monitor to monitor Registry data on the local Windows machine.
B. Select the input source
1. In the left pane, locate and select Registry monitoring.
2. In the Collection Name field, enter a unique name for the input that you will remember.
3. In the Registry hive field, enter the path to the Registry key that you want Splunk Enterprise to monitor.
4. If you are not sure of the path, click the Browse button to select the Registry key path that you want Splunk Enterprise to monitor.
The Registry hive window opens and displays the Registry in tree view. Hives, keys and subkeys are represented by folders, and values are represented by document icons.
HKEY_USERS, HKEY_CURRENT_USER, HKEY_LOCAL_MACHINE, and HKEY_CURRENT_CONFIG hives are displayed as top-level objects. The HKEY_CLASSES_ROOT hive is not shown, due to the number of subkeys present in the first sublevel of that hive. To access HKEY_CLASSES_ROOT items, choose
5. In the Registry hive window, choose the desired Registry key by clicking on the name of the key.
The key's qualified name appears in the Qualified name field at the bottom of the window.
6. Click Select to confirm the choice and close the window.
7. Select Monitor subnodes if you want Splunk Enterprise to monitor the child nodes below the starting hive.
Note: The Monitor subnodes option determines what Splunk Enterprise adds to the inputs.conf file that it creates when you define a Registry monitor input in Splunk Web.
If you use the tree view to select a key or hive to monitor and check Monitor subnodes, then Splunk Enterprise adds a regular expression to the stanza for the input you are defining. This regular expression (\\\\?.*) filters out events that do not directly reference the selected key or any of its subkeys.
If you do not check Monitor subnodes, then Splunk Enterprise adds a regular expression to the input stanza which filters out events that do not directly reference the selected key (including events that reference subkeys of the selected key).
If you do not use the tree view to specify the desired key to monitor, then Splunk Enterprise adds the regular expression only if you have checked Monitor subnodes and have not entered your own regular expression in the Registry hive field.
8. Under Event types, select the Registry event types that you want Splunk Enterprise to monitor for the chosen Registry hive:
| Event type | Description |
|---|---|
| Set | Splunk Enterprise generates a Set event when a program executes a SetValue method on a Registry subkey, thus setting a value or overwriting an existing value on an existing Registry entry. |
| Create | Splunk Enterprise generates a Create event when a program executes a CreateSubKey method within a Registry hive, thus creating a new subkey within an existing Registry hive. |
| Delete | Splunk Enterprise generates a Delete event when a program executes a DeleteValue or DeleteSubKey method. This method either removes a value for a specific existing key, or removes a key from an existing hive. |
| Rename | Splunk Enterprise generates a Rename event when you rename a Registry key or subkey in RegEdit. |
| Open | Splunk Enterprise generates an Open event when a program executes an OpenSubKey method on a Registry subkey, such as what happens when a program needs configuration information contained in the Registry. |
| Close | Splunk Enterprise generates a Close event when a program executes a Close method on a Registry key. This happens when a program is done reading the contents of a key, or after you make a change to a key's value in RegEdit and exit the value entry window. |
| Query | Splunk Enterprise generates a Query event when a program executes the GetValue method on a Registry subkey. |
9. Tell Splunk Enterprise which processes it should monitor for changes to the Registry by entering appropriate values in the Process Path field. Or, leave the default of C:\.* to monitor all processes.
10. Tell Splunk Enterprise whether or not you want to take a baseline snapshot of the whole Registry before monitoring Registry changes. To set a baseline, click Yes under Baseline index.
Note: The baseline snapshot is an index of your entire Registry, at the time the snapshot is taken. Scanning the Registry to set a baseline index is a CPU-intensive process and may take some time.
11. Click the green Next button.
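The inputs.conf stanza that the choices in steps 3 through 10 correspond to, written out by hand as an added example (it is not from this page and was not generated by Splunk Web): it assumes the WinRegMon stanza keys of inputs.conf (hive, proc, type, baseline, disabled) and the \\REGISTRY\\MACHINE path form for the hive; the monitored Run key and the stanza name are choices made for this example.

```ini
# Added example (not from this page): a Registry monitor input for the
# machine-wide Run key, chosen because unexpected changes to it are a common
# persistence indicator that defenders want to alert on.
# Assumed: the WinRegMon stanza keys below and the \\REGISTRY\\MACHINE path
# form; compare with the value Splunk Web writes for a key picked in the tree.
[WinRegMon://hklm_run_key]
disabled = 0

# "Registry hive" field. The value is a regular expression, so each literal
# backslash is escaped as \\. The trailing \\?.* is the "Monitor subnodes"
# suffix from the note above: it keeps events for the key itself and for any
# subkey beneath it and drops everything else.
hive = \\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\?.*

# "Process Path" field, also a regular expression. .* watches every process;
# narrow it to a path pattern to watch only specific binaries.
proc = .*

# "Event types": only the types that change the key. Open, close and query
# fire on every configuration read and would mostly add noise.
type = set|create|delete|rename

# "Baseline index": 1 takes the full-Registry snapshot described in step 10
# before live monitoring starts (CPU-intensive, as the note says).
baseline = 1

# The destination index is chosen on the Input Settings page (section C);
# it is omitted here, so events go to the default index.
```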
C. Specify input settings
The Input Settings page lets you specify application context, default host value, and index. All of these parameters are optional.
1. Select the appropriate Application context for this input.
2. Set the Host name value. You have several choices for this setting. Learn more about setting the host value in "About hosts".
- Note: Host only sets the host field in the resulting events. It does not direct Splunk Enterprise to look on a specific host on your network.
3. Set the Index that Splunk Enterprise should send data to. Leave the value as "default", unless you have defined multiple indexes to handle different types of events. In addition to indexes for user data, Splunk Enterprise has a number of utility indexes, which also appear in this dropdown box.
4. Click the green Review button.
D. Review your choices
After specifying all your input settings, you can review your selections. Splunk Enterprise lists all options you selected, including but not limited to the type of monitor, the source, the source type, the application context, and the index.
Review the settings. If they do not match what you want, click the white < button to go back to the previous step in the wizard. Otherwise, click the green Submit button.
Splunk Enterprise then loads the "Success" page and begins indexing the specified Registry nodes.
Caution: When the Registry monitor runs, do not stop or kill the splunk-regmon.exe process manually. Doing so can result in system instability. To stop the Registry monitor, stop the splunkd server process from either the Services control panel or the CLI.
This documentation applies to the following versions of Splunk® Enterprise: 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.2.14, 6.2.15, 6.3.0