TIPS & TRICKS

Splunk Windows Registry Monitor

Hey everyone, just wanted to let you know that a preview release of Splunk just left the docks.

http://www.splunk.com/index.php/preview

I want to introduce you to one of the latest features for Windows Splunk: monitoring the Windows registry in real time for activity/events, and indexing and searching those events with Splunk.

While working on this we had a few challenges:

First, there aren’t any published win32 APIs that do this in user mode. The best you can do with the win32 API is to poll the registry for certain keys/hives, and you’ll be notified if a key or subkey of the hive has changed. Even when you get a notification for a change, you will not be told exactly which key changed; you’ll have to figure that out yourself.

Second, scalability. You can’t possibly poll all of the registry in user mode for changes. There are simply too many keys to query.

The solution is to write a device driver that hooks into the kernel and intercepts all registry events. The driver bubbles the events up to user mode for filtering and tagging, and finally pipes them to Splunk for indexing. Obviously, this driver needs to be very stable and reliable, and it needs to scale: if you want to monitor all of the events in the registry, it should be able to handle the load.

With this preview release we launched the first version of the splunk-regmon tool. The tool writes events to standard output, and using Splunk’s ExecProcessor (popen), Splunk is able to pick these events up and send them through the indexing pipeline. Basic filtering is in place, hard coded for now to monitor only registry events related to changes, i.e. Create, Delete, Set, etc. Create type events are represented by a reg_event field of “CreateKey”, Delete by “DeleteKey”, and all of the Set events, e.g. SetValueKey, are represented by the SetKey reg_event field. In our next release this filtering will be configurable.
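To make the user-mode filtering and tagging stage concrete, here is an added example (not splunk-regmon code) that takes raw driver lines, drops read-only operations, collapses the remaining operations into the CreateKey/DeleteKey/SetKey reg_event classes described above, and renders key=value lines for stdout. The tab-separated input format, the raw operation names and the sample lines are all assumptions constructed for this example.

```python
from dataclasses import dataclass
from typing import List, Optional
# Assumed raw-operation names (not taken from splunk-regmon) mapped onto the
# coarse reg_event classes the post describes: CreateKey, DeleteKey, SetKey.
REG_EVENT_MAP = {
    "CreateKey": "CreateKey",
    "DeleteKey": "DeleteKey",
    "DeleteValueKey": "DeleteKey",
    "SetValueKey": "SetKey",
}
# Read-only operations carry no change and are dropped before indexing.
NON_CHANGE_OPS = {"QueryValueKey", "EnumerateKey", "OpenKey", "CloseKey"}
@dataclass
class RegEvent:
    timestamp: str
    process: str
    reg_event: str
    key_path: str
    data_name: str
def tag_event(raw_line: str) -> Optional[RegEvent]:
    """Parse one driver line (assumed tab-separated: timestamp, process,
    operation, key, value) and tag it; return None when it is filtered out."""
    parts = raw_line.rstrip("\n").split("\t")
    if len(parts) != 5:
        return None  # malformed line: skip it rather than stall the feed
    ts, proc, op, key, value = parts
    if op in NON_CHANGE_OPS or op not in REG_EVENT_MAP:
        return None
    return RegEvent(ts, proc, REG_EVENT_MAP[op], key, value)

def to_splunk_line(ev: RegEvent) -> str:
    """Render key=value pairs; quoting keeps paths with spaces as one field."""
    return (f'{ev.timestamp} process="{ev.process}" reg_event={ev.reg_event} '
            f'key_path="{ev.key_path}" data_name="{ev.data_name}"')

def filter_stream(lines) -> List[RegEvent]:
    """Apply the user-mode filter to raw lines and return the tagged events."""
    return [ev for ev in map(tag_event, lines) if ev is not None]

# Constructed sample of what the driver might emit; values are illustrative.
SAMPLE_LINES = [
    "2007-05-01T10:00:00\tregedit.exe\tSetValueKey\tHKLM\\Software\\Example\\App\tPort",
    "2007-05-01T10:00:01\tsvchost.exe\tQueryValueKey\tHKLM\\Software\\Example\\App\tPort",
    "2007-05-01T10:00:02\tsetup.exe\tCreateKey\tHKLM\\Software\\Example\\New\t",
    "2007-05-01T10:00:03\tsetup.exe\tDeleteValueKey\tHKCU\\Software\\Example\tOld",
]

if __name__ == "__main__":
    print("\n".join(to_splunk_line(ev) for ev in filter_stream(SAMPLE_LINES)))
```

Run against the sample, the QueryValueKey line is dropped and the other three come out tagged SetKey, CreateKey and DeleteKey respectively.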

Drop us a note and let us know what you think of this new feature, any concerns you may have, or ideas on how we can make it better.
How would you use it, and how would it be useful to you?

----------------------------------------------------
Thanks!
Ledio Ago

Posted by Splunk