
Remote Windows Registry Monitoring - Baseline Interval not being honored

Hello
I have looked through various Splunk Answers posts and could not find an answer specific to my question, so I hope this is not a duplicate; if it is, please direct me to the appropriate post.
We are running Splunk Enterprise 6.3.3, as well as our UFs (we will be upgrading shortly to the new version 6.5 launched at .conf - awesome .conf this year, really enjoyed it).
I am trying to pull in specific hives from the Windows registry data, this is what I am deploying to my UF as the default inputs.conf for the app:
    [WinRegMon://HKLM]
    index = my_index
    sourcetype = my_sourcetype
    source = my_source
    disabled = 0
    hive = HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Audit\\\\?.*
    proc = .*
    type = set|create|delete|rename
    baseline = 1
    baseline_interval = 120
    interval = 120
When the app is deployed for the first time, I am getting the registry data pulled into Splunk, so the config works. Where I am getting stuck is that the UF does not honor the baseline_interval parameter. According to the documentation, this setting specifies, in seconds, the period after which it needs to take another baseline snapshot, given that baseline=1. For example, according to my understanding, if baseline_interval=120 and baseline=1, Splunk is supposed to pull in the entire specified hive every two minutes.
If someone could assist with why Splunk is not honoring the baseline_interval, or with the more plausible problem, where I am doing something wrong, it would be greatly appreciated. Thank you.
Link to the documentation that I referenced: http://docs.splunk.com/Documentation/Splunk/6.3.3/Data/MonitorWindowsregistrydata
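As an added example (not part of the question and not Splunk's own tooling), the Python snippet below parses the stanza from the question, checks that the hive and proc regexes compile and that the type and interval values are well-formed, and shows which constructed registry paths the hive pattern would select. It assumes Splunk matches the hive regex against the full HKEY_LOCAL_MACHINE\... key path; that and the sample paths are assumptions made here.

```python
import re

# Constructed copy of the stanza from the question (not read from a live deployment).
STANZA = r"""[WinRegMon://HKLM]
index = my_index
sourcetype = my_sourcetype
source = my_source
disabled = 0
hive = HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Audit\\\\?.*
proc = .*
type = set|create|delete|rename
baseline = 1
baseline_interval = 120
interval = 120
"""

# Event types WinRegMon documents for the type setting.
VALID_TYPES = {"set", "create", "delete", "rename"}

# Constructed sample key paths (assumed full-path form; not taken from a real host).
SAMPLE_KEYS = [
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit\ExampleValue",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ExampleValue",
]

def parse_stanza(text):
    """Return (stanza_name, {key: value}) for a single inputs.conf stanza."""
    name, settings = None, {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            name = line.strip("[]")
        elif "=" in line:
            key, _, value = line.partition("=")
            settings[key.strip()] = value.strip()
    return name, settings

def check_stanza(settings):
    """Lint the settings the question relies on; an empty list means no problems found."""
    problems = []
    for key in ("hive", "proc"):
        try:
            re.compile(settings.get(key, ""))
        except re.error as exc:
            problems.append(f"{key} is not a valid regex: {exc}")
    bad_types = set(settings.get("type", "").split("|")) - VALID_TYPES
    if bad_types:
        problems.append(f"unknown type values: {sorted(bad_types)}")
    for key in ("baseline_interval", "interval"):
        if not settings.get(key, "0").isdigit():
            problems.append(f"{key} must be a non-negative integer")
    return problems

def matching_keys(settings, key_paths):
    """Return the sample paths the hive regex selects (assumes match from the path start)."""
    hive_re = re.compile(settings["hive"])
    return [p for p in key_paths if hive_re.match(p)]
```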
