109.27. Windows Registry Monitoring (im_regmon)

This module periodically scans the Windows registry and generates event records if a change in the monitored registry entries is detected.

Note
This module is only available on Windows.

109.27.1. Configuration

The im_regmon module accepts the following directives in addition to the common module directives. The RegValue directive is required.

RegValue

This mandatory directive specifies the name of the registry entry. It must be a string type expression. Wildcards are also supported. See the File directive of im_file for more details on how wildcarded entries can be specified. More than one occurrence of the RegValue directive can be specified. The path of the registry entry specified with this directive must start with one of the following: HKCC, HKU, HKCU, HKCR, or HKLM.
64BitView

If set to TRUE, this boolean directive indicates that the 64-bit registry view should be monitored. The default is TRUE.

Digest

This specifies the digest method (hash function) to be used to calculate the checksum. The default is sha1. The following message digest methods can be used: md2, md5, mdc2, rmd160, sha, sha1, sha224, sha256, sha384, and sha512.

Exclude

This directive specifies a single registry path or a set of registry values (using wildcards) to be excluded from the scan. More than one occurrence of the Exclude directive can be used.

Recursive

If set to TRUE, this boolean directive specifies that registry entries set with the RegValue directive should be scanned recursively under subkeys. For example, HKCU\test\value will match HKCU\test\subkey\value. Wildcards can be used in combination with Recursive: HKCU\test\value* will match HKCU\test\subkey\value2. This directive only causes scanning under the given path: HKCU\*\value will not match HKCU\test\subkey\value. The default is FALSE.

ScanInterval

This directive specifies how frequently, in seconds, the module will check the registry entry or entries for modifications. The default is 86400 (1 day). The value of ScanInterval can be set to 0 to disable periodic scanning and instead invoke scans via the start_scan() procedure.

109.27.2. Procedures

The following procedures are exported by im_regmon.

start_scan();

Trigger the Windows registry integrity scan. This procedure returns before the scan is finished.

109.27.3. Fields

The following fields are used by im_regmon.

$raw_event (type: string)

A string containing the $EventTime, $Hostname, and other fields.

$Digest (type: string)

The calculated digest (checksum) value.

$DigestName (type: string)

The name of the digest used to calculate the checksum value (for example, SHA1).

$EventTime (type: datetime)

The current time.

$EventType (type: string)

One of the following values: CHANGE or DELETE.

$Hostname (type: string)

The name of the system where the event was generated.

$PrevDigest (type: string)

The calculated digest (checksum) value from the previous scan.

$PrevValueSize (type: integer)

The size of the registry entry’s value from the previous scan.

$RegistryValueName (type: string)

The name of the registry entry where the changes were detected.

$Severity (type: string)

The severity name: WARNING.

$SeverityValue (type: integer)

The WARNING severity level value: 3.

$ValueSize (type: integer)

The size of the registry entry’s value after the modification.

109.27.4. Examples

Example 565. Periodic Registry Monitoring

This example monitors the registry entry recursively and scans every 10 seconds. Messages generated by any detected changes are written to a file in JSON format.

nxlog.conf
<Extension json>
    Module          xm_json
</Extension>

<Input regmon>
    Module          im_regmon
    RegValue        'HKCU\Software\nxlog\*'
    ScanInterval    10
</Input>

<Output file>
    Module          om_file
    File            'C:\test\regmon.log'
    Exec            to_json();
</Output>

<Route regmon_to_file>
    Path            regmon => file
</Route>

Example 566. Scheduled Registry Scan

The im_regmon module provides a start_scan() procedure that can be called to invoke the scan. The following configuration will trigger the scan every day at midnight.

nxlog.conf
<Extension json>
    Module          xm_json
</Extension>

<Input regmon>
    Module          im_regmon
    RegValue        'HKCU\Software\*'
    Exclude         'HKCU\Software\nxlog\*'
    ScanInterval    0
    <Schedule>
        When    @daily
        Exec    start_scan();
    </Schedule>
</Input>

<Output file>
    Module          om_file
    File            'C:\test\regmon.log'
    Exec            to_json();
</Output>

<Route dailycheck>
    Path            regmon => file
</Route>
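The JSON records written by the two configurations above carry the fields listed under Fields. As an added example that is not part of the NXLog documentation, the following Python consumer reads such a log, tolerates malformed lines, and triages CHANGE and DELETE events (deletions, changes whose digest differs from the previous scan, and values under a watched prefix). The sample records are constructed, and the assumption that to_json() emits the field names without the leading '$' is not something this page states.

```python
import json
from typing import Dict, List

# Constructed sample of what om_file with to_json() writes, one record per line.
# Key names are assumed to be the field names without the leading '$' (an
# assumption about xm_json output, not something this page states).
SAMPLE_LOG = r"""
{"EventTime":"2024-01-01 00:00:05","Hostname":"WIN-TEST","EventType":"CHANGE","RegistryValueName":"HKCU\\Software\\nxlog\\Setting","Digest":"aaa1","PrevDigest":"bbb2","DigestName":"SHA1","ValueSize":12,"PrevValueSize":8,"Severity":"WARNING","SeverityValue":3}
{"EventTime":"2024-01-01 00:00:05","Hostname":"WIN-TEST","EventType":"DELETE","RegistryValueName":"HKCU\\Software\\nxlog\\Old","PrevDigest":"ccc3","DigestName":"SHA1","PrevValueSize":4,"Severity":"WARNING","SeverityValue":3}
this line is not JSON and must be skipped, not crash the consumer
{"EventTime":"2024-01-01 00:00:15","Hostname":"WIN-TEST","EventType":"CHANGE","RegistryValueName":"HKCU\\Software\\Example\\Path","Digest":"ddd4","PrevDigest":"ddd4","DigestName":"SHA1","ValueSize":3,"PrevValueSize":3,"Severity":"WARNING","SeverityValue":3}
"""

def parse_regmon_events(text: str) -> List[dict]:
    """Parse JSON-lines output, skipping blank or malformed lines and records
    without the EventType/RegistryValueName fields that im_regmon sets."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if rec.get("EventType") in ("CHANGE", "DELETE") and "RegistryValueName" in rec:
            events.append(rec)
    return events

def triage(events: List[dict], watch_prefixes: List[str]) -> Dict[str, object]:
    """Count events per type, list deletions, list changes whose digest differs
    from the previous scan (with size delta), flag values under watched prefixes,
    and set aside CHANGE records whose digest did not move (consumer-side check)."""
    out = {"counts": {"CHANGE": 0, "DELETE": 0}, "deleted": [], "changed": [],
           "unchanged_digest": [], "watched_hits": []}
    for ev in events:
        name = ev["RegistryValueName"]
        out["counts"][ev["EventType"]] += 1
        if ev["EventType"] == "DELETE":
            out["deleted"].append(name)
        elif ev.get("Digest") != ev.get("PrevDigest"):
            out["changed"].append({"name": name, "digest": ev.get("DigestName"),
                                   "size_delta": ev.get("ValueSize", 0) - ev.get("PrevValueSize", 0)})
        else:
            out["unchanged_digest"].append(name)
        # Registry paths are case-insensitive, so compare upper-cased prefixes.
        if any(name.upper().startswith(p.upper()) for p in watch_prefixes):
            out["watched_hits"].append(name)
    return out
```

Point `parse_regmon_events` at the contents of the om_file output (C:\test\regmon.log in the examples) and pass the key prefixes you care about to `triage`.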