109.27. Windows Registry Monitoring (im_regmon)
This module periodically scans the Windows registry and generates event records if a change in the monitored registry entries is detected.
Note
|
This module is only available on Windows. |
109.27.1. Configuration
The im_regmon module accepts the following directives in addition to the common module directives. The RegValue directive is required.
- RegValue
-
This mandatory directive specifies the name of the registry entry. It must be a string type expression. Wildcards are also supported. See the File directive of im_file for more details on how wildcarded entries can be specified. More than one occurrence of the RegValue directive can be specified. The path of the registry entry specified with this directive must start with one of the following:
HKCC
,HKU
,HKCU
,HKCR
, orHKLM
.
- 64BitView
-
If set to TRUE, this boolean directive indicates that the 64 bit registry view should be monitored. The default is TRUE.
- Digest
-
This specifies the digest method (hash function) to be used to calculate the checksum. The default is
sha1
. The following message digest methods can be used:md2
,md5
,mdc2
,rmd160
,sha
,sha1
,sha224
,sha256
,sha384
, andsha512
.
- Exclude
-
This directive specifies a single registry path or a set of registry values (using wildcards) to be excluded from the scan. More than one occurrence of the Exclude directive can be used.
- Recursive
-
If set to TRUE, this boolean directive specifies that registry entries set with the RegValue directive should be scanned recursively under subkeys. For example,
HKCU\test\value
will matchHKCU\test\subkey\value
. Wildcards can be used in combination with Recursive:HKCU\test\value*
will matchHKCU\test\subkey\value2
. This directive only causes scanning under the given path:HKCU\*\value
will not matchHKCU\test\subkey\value
. The default is FALSE.
- ScanInterval
-
This directive specifies how frequently, in seconds, the module will check the registry entry or entries for modifications. The default is 86400 (1 day). The value of ScanInterval can be set to
0
to disable periodic scanning and instead invoke scans via the start_scan() procedure.
109.27.2. Procedures
The following procedures are exported by im_regmon.
start_scan();
-
Trigger the Windows registry integrity scan. This procedure returns before the scan is finished.
109.27.3. Fields
The following fields are used by im_regmon.
$raw_event
(type: string)-
A string containing the $EventTime, $Hostname, and other fields.
$Digest
(type: string)-
The calculated digest (checksum) value.
$DigestName
(type: string)-
The name of the digest used to calculate the checksum value (for example,
SHA1
).
$EventTime
(type: datetime)-
The current time.
$EventType
(type: string)-
One of the following values:
CHANGE
orDELETE
.
$Hostname
(type: string)-
The name of the system where the event was generated.
$PrevDigest
(type: string)-
The calculated digest (checksum) value from the previous scan.
$PrevValueSize
(type: integer)-
The size of the registry entry’s value from the previous scan.
$RegistryValueName
(type: string)-
The name of the registry entry where the changes were detected.
$Severity
(type: string)-
The severity name:
WARNING
.
$SeverityValue
(type: integer)-
The WARNING severity level value:
3
.
$ValueSize
(type: integer)-
The size of the registry entry’s value after the modification.
109.27.4. Examples
This example monitors the registry entry recursively, and scans every 10 seconds. Messages generated by any detected changes will be written to file in JSON format.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
<Extension json>
Module xm_json
</Extension>
<Input regmon>
Module im_regmon
RegValue 'HKCU\Software\nxlog\*'
ScanInterval 10
</Input>
<Output file>
Module om_file
File 'C:\test\regmon.log'
Exec to_json();
</Output>
<Route regmon_to_file>
Path regmon => file
</Route>
The im_regmon module provides a start_scan() procedure that can be called to invoke the scan. The following configuration will trigger the scan every day at midnight.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
<Extension json>
Module xm_json
</Extension>
<Input regmon>
Module im_regmon
RegValue 'HKCU\Software\*'
Exclude 'HKCU\Software\nxlog\*'
ScanInterval 0
<Schedule>
When @daily
Exec start_scan();
</Schedule>
</Input>
<Output file>
Module om_file
File 'C:\test\regmon.log'
Exec to_json();
</Output>
<Route dailycheck>
Path regmon => file
</Route>