Windows Registry Monitoring (im_regmon)

This module periodically scans the Windows registry and generates event records if a change in the monitored registry entries is detected.

This module is only available on Windows.
To examine the supported platforms, see the list of installation packages.

Configuration

The im_regmon module accepts the following directives in addition to the common module directives. The RegValue directive is required.

Required directives

The following directives are required for the module to start.

RegValue

This mandatory directive specifies the name of the registry entry. It must be a string type expression. Wildcards are also supported. See the File directive of im_file for more details on how wildcarded entries can be specified. More than one occurrence of the RegValue directive can be specified. The path of the registry entry specified with this directive must start with one of the following: HKCC, HKU, HKCU, HKCR, or HKLM.

The user running NXLog Agent must have at least read permission on the specified keys. If NXLog Agent is running as a service, then the user the service is running as must have the appropriate permissions applied to it. Refer to the Microsoft documentation on how to change registry values or permissions from a command line or a script. Permissions can also be applied from the Windows Registry user interface, see the How to apply permissions to a Windows registry key article in the Sophos documentation.
For keys whose ACL does not let an administrator edit permissions directly, the Microsoft PsExec tool can be used to run Registry Editor (regedit.exe) interactively as the SYSTEM account (for example, psexec -s -i regedit.exe) to change the necessary permissions.
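The following PowerShell script is an added example, not part of the NXLog documentation or product. It looks up the account the NXLog Agent service runs as, grants that account read access to a key and (through inheritance) its subkeys, and verifies the result. It assumes the service is named nxlog and that the key to monitor is HKLM\SOFTWARE\Policies; both are assumptions to adjust. Run it from an elevated PowerShell session.

```powershell
# Added example; this is not part of the NXLog documentation or product.
# Give the account that runs the NXLog Agent service read access to the key named
# in RegValue, inherited by all subkeys (needed when Recursive is TRUE), then verify.
# Assumptions: the Windows service is named 'nxlog' and the key to monitor is
# HKLM\SOFTWARE\Policies. Run from an elevated PowerShell session.

$ServiceName = 'nxlog'                  # assumption: adjust if the service has another name
$KeyPath     = 'HKLM:\SOFTWARE\Policies' # assumption: the key given to RegValue

# Find out which account the service runs as. LocalSystem normally already has
# access to HKLM; a dedicated service or domain account usually does not.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "service '$ServiceName' not found" }
$Account = $svc.StartName
if ($Account -eq 'LocalSystem') {
    Write-Host "$ServiceName runs as LocalSystem; no registry ACL change is needed."
    return
}
# Win32_Service reports local accounts as '.\name'; ACLs need 'COMPUTER\name'.
if ($Account -like '.\*') { $Account = "$env:COMPUTERNAME\" + $Account.Substring(2) }

# ReadKey = QueryValues + EnumerateSubKeys + Notify + ReadPermissions, which is all
# the module needs to read values and compute digests. ContainerInherit makes the
# ACE flow down to existing and future subkeys.
$rights      = [System.Security.AccessControl.RegistryRights]::ReadKey
$inheritance = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit
$propagation = [System.Security.AccessControl.PropagationFlags]::None
$allow       = [System.Security.AccessControl.AccessControlType]::Allow
$rule = New-Object System.Security.AccessControl.RegistryAccessRule($Account, $rights, $inheritance, $propagation, $allow)

$acl = Get-Acl -Path $KeyPath
$acl.AddAccessRule($rule)
Set-Acl -Path $KeyPath -AclObject $acl

# Verify: list every Allow ACE on the key that names the account and confirm that
# at least one of them covers ReadKey (rights are a bit mask, hence -band).
$aces = (Get-Acl -Path $KeyPath).Access |
    Where-Object { $_.IdentityReference.Value -eq $Account -and $_.AccessControlType -eq 'Allow' }
$aces | Format-Table IdentityReference, RegistryRights, InheritanceFlags, IsInherited -AutoSize

$hasRead = $aces | Where-Object { ($_.RegistryRights -band $rights) -eq $rights }
if (-not $hasRead) { Write-Error "$Account still lacks ReadKey on $KeyPath" }
```

Granting only ReadKey rather than FullControl keeps the monitoring account unable to alter the keys it watches, which matters if the agent's credentials are ever compromised.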

Optional directives

64BitView

If set to TRUE, this boolean directive indicates that the 64-bit registry view should be monitored; set it to FALSE to monitor the 32-bit view instead (the redirected WOW6432Node view that 32-bit applications see on 64-bit Windows). The default is TRUE.

Digest

This specifies the digest method (hash function) used to calculate the checksum of each monitored value. The default is sha1. The following message digest methods can be used: md2, md5, mdc2, rmd160, sha, sha1, sha224, sha256, sha384, and sha512. md5 and sha1 are no longer collision resistant, so for integrity monitoring sha256 or stronger is the sensible choice; the selected algorithm is reported in the $DigestName field of each event.

Exclude

This directive specifies a single registry path or a set of registry values (using wildcards) to be excluded from the scan. More than one occurrence of the Exclude directive can be used.

Recursive

If set to TRUE, this boolean directive specifies that registry entries set with the RegValue directive should be scanned recursively under subkeys. For example, HKCU\test\value will match HKCU\test\subkey\value. Wildcards can be used in combination with Recursive: HKCU\test\value* will match HKCU\test\subkey\value2. This directive only causes scanning under the given path: HKCU\*\value will not match HKCU\test\subkey\value. The default is FALSE.

ScanInterval

This directive specifies how frequently, in seconds, the module checks the registry entry or entries for modifications. The default is 86400 (1 day). Set ScanInterval to 0 to disable periodic scanning and trigger scans with the start_scan() procedure instead (for example, from a Schedule block). Because detection compares digests between two scans, a change that is made and fully reverted between scans produces no event, and a detected change is reported with the time of the scan rather than the time of the modification; choose the interval with that detection latency in mind.

Procedures

The following procedures are exported by im_regmon.

start_scan();

Trigger the Windows registry integrity scan. This procedure returns before the scan is finished, so the events produced by the scan arrive after the call has returned.

Fields

The following fields are used by im_regmon.

$raw_event (type: string)

A list of event fields in key-value pairs.

$Digest (type: string)

The calculated digest (checksum) value.

$DigestName (type: string)

The name of the digest used to calculate the checksum value (for example, SHA1).

$EventTime (type: datetime)

The current time, that is, the time of the scan that detected the change, not the time at which the registry was modified.

$EventType (type: string)

One of the following values: CHANGE or DELETE.

$Hostname (type: string)

The name of the system where the event was generated.

$PrevDigest (type: string)

The calculated digest (checksum) value from the previous scan.

$PrevValueSize (type: integer)

The size of the registry entry’s value from the previous scan.

$RegistryValueName (type: string)

The name of the registry entry where the changes were detected.

$Severity (type: string)

The severity name: WARNING.

$SeverityValue (type: integer)

The WARNING severity level value: 3.

$ValueSize (type: integer)

The size of the registry entry’s value after the modification.
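The script below is an added example, not part of the NXLog documentation or the im_regmon module. It triages events that om_file wrote with to_json() (one JSON object per line, with the field names listed above minus the leading $), ranking a DELETE and changes in well-known persistence locations above everything else. The four log lines are constructed for the example, and the log path and the list of persistence locations are assumptions to adapt.

```powershell
# Added example; not part of the NXLog documentation or the im_regmon module.
# Triage im_regmon events written by om_file with to_json(): one JSON object per
# line, field names as in the Fields section without the leading "$".
# The log lines, the log path and the persistence patterns are constructed/assumed.

$LogPath = 'C:\test\regmon.log'   # assumption: the om_file destination used in the examples

# Constructed sample input. In production use:  $raw = Get-Content -Path $LogPath
$raw = @'
{"EventTime":"2024-05-02 10:15:31","Hostname":"WS01","EventType":"CHANGE","RegistryValueName":"HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater","DigestName":"SHA1","Digest":"2fd4e1c67a2d28fced849ee1bb76e7391b93eb12","PrevDigest":"da39a3ee5e6b4b0d3255bfef95601890afd80709","ValueSize":52,"PrevValueSize":31,"Severity":"WARNING","SeverityValue":3}
{"EventTime":"2024-05-02 10:15:31","Hostname":"WS01","EventType":"CHANGE","RegistryValueName":"HKLM\\Software\\Policies\\Microsoft\\Windows Defender\\DisableAntiSpyware","DigestName":"SHA1","Digest":"9e6a55b6b4563e652a23be9d623ca5055c356940","PrevDigest":"b6589fc6ab0dc82cf12099d1c2d40ab994e8410c","ValueSize":4,"PrevValueSize":4,"Severity":"WARNING","SeverityValue":3}
{"EventTime":"2024-05-02 10:15:41","Hostname":"WS01","EventType":"DELETE","RegistryValueName":"HKLM\\Software\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU\\NoAutoUpdate","DigestName":"SHA1","PrevDigest":"356a192b7913b04c54574d18c28d46e6395428ab","PrevValueSize":4,"Severity":"WARNING","SeverityValue":3}
{"EventTime":"2024-05-02 10:15:41","Hostname":"WS01","EventType":"CHANGE","RegistryValueName":"HKLM\\Software\\Contoso\\Agent\\LastRun","DigestName":"SHA1","Digest":"77de68daecd823babbb58edb1c8e14d7106e83bb","PrevDigest":"1b6453892473a467d07372d45eb05abc2031647a","ValueSize":20,"PrevValueSize":20,"Severity":"WARNING","SeverityValue":3}
'@
$lines = $raw -split "`r?`n"

# Value paths whose modification is a classic persistence or defence-evasion signal
# (assumed list; extend it for your environment). Single-quoted regex: '\\' is one backslash.
$PersistencePatterns = @(
    '\\CurrentVersion\\Run(Once)?\\',
    '\\CurrentVersion\\Winlogon\\',
    '\\Image File Execution Options\\',
    '\\CurrentControlSet\\Services\\'
)

function Get-RegmonTriage {
    param([Parameter(Mandatory)][string[]]$JsonLines)
    foreach ($line in $JsonLines) {
        if ([string]::IsNullOrWhiteSpace($line)) { continue }
        $e = $line | ConvertFrom-Json
        $path = $e.RegistryValueName

        # Order matters: a deletion is always interesting, then persistence locations,
        # then anything under the Policies keys; everything else is informational.
        if ($e.EventType -eq 'DELETE') {
            $risk = 'high';   $why = 'monitored value deleted'
        } elseif ($PersistencePatterns | Where-Object { $path -match $_ }) {
            $risk = 'high';   $why = 'persistence location modified'
        } elseif ($path -match '^HK(LM|CU)\\Software\\Policies\\') {
            $risk = 'medium'; $why = 'policy value modified'
        } else {
            $risk = 'low';    $why = 'change outside watched locations'
        }

        # A size delta is only meaningful for CHANGE; note that a changed digest with a
        # zero delta (the DWORD above) is still a real change.
        $delta = if ($e.EventType -eq 'CHANGE') { [int]$e.ValueSize - [int]$e.PrevValueSize } else { $null }

        [pscustomobject]@{
            Time      = $e.EventTime
            Host      = $e.Hostname
            Risk      = $risk
            Type      = $e.EventType
            Value     = $path
            SizeDelta = $delta
            Digest    = if ($e.Digest) { $e.Digest.Substring(0, 12) } else { '' }
            Reason    = $why
        }
    }
}

$order = @{ high = 0; medium = 1; low = 2 }
Get-RegmonTriage -JsonLines $lines |
    Sort-Object { $order[$_.Risk] }, Time |
    Format-Table -AutoSize
```

Every event leaves the module with the same Severity (WARNING, 3), so any prioritisation has to come from the value path and event type, as this script does; the same logic can be moved into an Exec block in the NXLog configuration if you prefer to enrich the events before they leave the host.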

Examples

Example 1. Periodic registry monitoring

This example monitors the registry entries under HKLM\Software\Policies recursively (note the Recursive directive, which defaults to FALSE) and scans every 10 seconds. Messages generated by any detected changes will be written to file in JSON format.

nxlog.conf
<Extension json>
    Module          xm_json
</Extension>

<Input regmon>
    Module          im_regmon
    RegValue        'HKLM\Software\Policies\*'
    Recursive       TRUE
    ScanInterval    10
</Input>

<Output file>
    Module          om_file
    File            'C:\test\regmon.log'
    Exec            to_json();
</Output>

<Route regmon_to_file>
    Path            regmon => file
</Route>
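The following PowerShell script is an added example, not part of the NXLog documentation; it is an end-to-end check that the configuration of Example 1 actually reports changes. It creates a value in a subkey of the monitored path, modifies it, deletes it, waiting slightly longer than the 10-second ScanInterval between steps, and then confirms that a CHANGE and a DELETE event for that value reached the JSON log. It assumes Recursive is set to TRUE in the input (so a value in a subkey is covered), that the log is at C:\test\regmon.log, and it uses the test key HKLM\SOFTWARE\Policies\RegmonSelfTest, which is an assumption; run it elevated on a test machine.

```powershell
# Added example; not part of the NXLog documentation. Exercises the Example 1 setup:
# create, modify and delete a value under the monitored key and confirm that im_regmon
# reported a CHANGE and a DELETE for it. Assumptions: Recursive TRUE in the input,
# ScanInterval 10, log at C:\test\regmon.log, and a throwaway test subkey.
# Run elevated on a test machine; the test key is removed at the end.

$TestKey   = 'HKLM:\SOFTWARE\Policies\RegmonSelfTest'   # assumption: subkey under the monitored path
$ValueName = 'Probe'
$LogPath   = 'C:\test\regmon.log'
$Wait      = 15   # longer than ScanInterval so each step lands in a separate scan

function Wait-ForScan { Start-Sleep -Seconds $Wait }

# Baseline: create the value and let at least one scan see it.
New-Item -Path $TestKey -Force | Out-Null
New-ItemProperty -Path $TestKey -Name $ValueName -Value 'baseline' -PropertyType String -Force | Out-Null
Wait-ForScan

# Modify the data: the next scan should emit EventType CHANGE with Digest different from PrevDigest.
Set-ItemProperty -Path $TestKey -Name $ValueName -Value 'modified'
Wait-ForScan

# Remove the value: the next scan should emit EventType DELETE.
Remove-ItemProperty -Path $TestKey -Name $ValueName
Wait-ForScan

# Pull the events for this value out of the JSON log (one object per line) and summarise.
if (-not (Test-Path -Path $LogPath)) { throw "no log at $LogPath; is the om_file output running?" }
$events = Get-Content -Path $LogPath |
    Where-Object { $_ -match 'RegmonSelfTest' } |
    ForEach-Object { $_ | ConvertFrom-Json } |
    Where-Object { $_.RegistryValueName -like "*\RegmonSelfTest\$ValueName" }

$events | Format-Table EventTime, EventType, ValueSize, PrevValueSize, Digest, PrevDigest -AutoSize

$types = @($events | Select-Object -ExpandProperty EventType -Unique)
foreach ($t in 'CHANGE', 'DELETE') {
    if ($types -notcontains $t) {
        Write-Warning "no $t event for $ValueName; check the service account's read permission, Recursive TRUE and ScanInterval"
    }
}

# Clean up the test key.
Remove-Item -Path $TestKey -Recurse -Force
```

If the CHANGE is missing but the DELETE arrives, the usual cause is that the modification happened inside a single scan window together with the creation; increase $Wait or lower ScanInterval while testing.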

Example 2. Scheduled registry scan

The im_regmon module provides a start_scan() procedure that can be called to invoke the scan. The following configuration will trigger the scan every day at midnight.

nxlog.conf
<Extension json>
    Module          xm_json
</Extension>

<Input regmon>
    Module          im_regmon
    RegValue        'HKLM\Software\*'
    Exclude         'HKLM\Software\Program Groups\*'
    ScanInterval    0
    <Schedule>
        When    @daily
        Exec    start_scan();
    </Schedule>
</Input>

<Output file>
    Module          om_file
    File            'C:\test\regmon.log'
    Exec            to_json();
</Output>

<Route dailycheck>
    Path            regmon => file
</Route>