Windows Registry Monitoring (im_regmon)
This module periodically scans the Windows registry and generates event records if a change in the monitored registry entries is detected.
This module is only available on Windows.
To examine the supported platforms, see the list of installer packages in the Available Modules chapter.
The im_regmon module accepts the following directives in addition to the common module directives. The RegValue directive is required.
This mandatory directive specifies the name of the registry entry. It must be a string-type expression. Wildcards are also supported; see the File directive of im_file for details on how wildcarded entries can be specified. The RegValue directive can be given more than once. The path of the registry entry specified with this directive must start with one of the following:
The user running NXLog must have at least read permission on the specified keys. If NXLog is running as a service, the account the service runs as must have the appropriate permissions. Refer to the Microsoft documentation on how to change registry values or permissions from a command line or a script. Permissions can also be applied from the Windows Registry Editor user interface; see the How to apply permissions to a Windows registry key article in the Sophos documentation.
The Microsoft PsExec tool can be used to run the Windows Registry Editor interactively as the System account in order to change the necessary permissions.
If set to TRUE, this boolean directive indicates that the 64-bit registry view should be monitored. The default is TRUE.
This specifies the digest method (hash function) to be used to calculate the checksum. The default is sha1. The following message digest methods can be used:
This directive specifies a single registry path or a set of registry values (using wildcards) to be excluded from the scan. More than one occurrence of the Exclude directive can be used.
If set to TRUE, this boolean directive specifies that registry entries set with the RegValue directive should be scanned recursively under subkeys. For example, HKCU\test\subkey\value. Wildcards can be used in combination with Recursive: HKCU\test\subkey\value2. This directive only causes scanning under the given path: HKCU\*\value will not match HKCU\test\subkey\value. The default is FALSE.
This directive specifies how frequently, in seconds, the module will check the registry entry or entries for modifications. The default is 86400 (1 day). The value of ScanInterval can be set to 0 to disable periodic scanning and instead invoke scans via the start_scan() procedure.
The following procedures are exported by im_regmon.
Trigger the Windows registry integrity scan. This procedure returns before the scan is finished.
The following fields are used by im_regmon.
A list of event fields in key-value pairs.
The calculated digest (checksum) value.
The name of the digest used to calculate the checksum value (for example,
The current time.
One of the following values:
The name of the system where the event was generated.
The calculated digest (checksum) value from the previous scan.
The size of the registry entry’s value from the previous scan.
The name of the registry entry where the changes were detected.
The severity name:
The WARNING severity level value:
The size of the registry entry’s value after the modification.
This example monitors the registry entry recursively and scans every 10 seconds. Messages generated by any detected changes are written to a file in JSON format.
<Extension json>
    Module  xm_json
</Extension>

<Input regmon>
    Module        im_regmon
    RegValue      'HKLM\Software\Policies\*'
    Recursive     TRUE
    ScanInterval  10
</Input>

<Output file>
    Module  om_file
    File    'C:\test\regmon.log'
    Exec    to_json();
</Output>

<Route regmon_to_file>
    Path    regmon => file
</Route>
The im_regmon module provides a start_scan() procedure that can be called to invoke the scan. The following configuration disables periodic scanning with ScanInterval 0 and triggers the scan every day at midnight from a Schedule block.
<Extension json>
    Module  xm_json
</Extension>

<Input regmon>
    Module        im_regmon
    RegValue      'HKLM\Software\*'
    Exclude       'HKLM\Software\Program Groups\*'
    ScanInterval  0
    <Schedule>
        When  @daily
        Exec  start_scan();
    </Schedule>
</Input>

<Output file>
    Module  om_file
    File    'C:\test\regmon.log'
    Exec    to_json();
</Output>

<Route dailycheck>
    Path    regmon => file
</Route>
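Both configurations above write one JSON object per line to the om_file output. The following consumer for that file is an added example, not part of the NXLog documentation: the field names (EventType, RegistryValueName, Digest, PrevDigest, ValueSize, PrevValueSize) and the EventType values CHANGE, NEW and DELETE are assumed from the field descriptions above, and the log lines and digests are constructed.

```python
import json
from collections import Counter

# Constructed sample of the JSON lines om_file writes for im_regmon events.
# Field names and EventType values are assumed from the field descriptions
# on this page (they are not spelled out there); paths and digests are made up.
SAMPLE_LOG = r"""
{"EventTime":"2024-01-01 00:00:05","Hostname":"WS01","EventType":"CHANGE","RegistryValueName":"HKLM\\Software\\Policies\\Microsoft\\Windows\\System\\EnableSmartScreen","DigestName":"sha1","PrevDigest":"a9993e364706816aba3e25717850c26c9cd0d89d","Digest":"da39a3ee5e6b4b0d3255bfef95601890afd80709","PrevValueSize":4,"ValueSize":4,"Severity":"WARNING","SeverityValue":3}
{"EventTime":"2024-01-01 00:00:05","Hostname":"WS01","EventType":"NEW","RegistryValueName":"HKLM\\Software\\Policies\\Contoso\\Flag","DigestName":"sha1","Digest":"2fd4e1c67a2d28fced849ee1bb76e7391b93eb12","ValueSize":12,"Severity":"WARNING","SeverityValue":3}
{"EventTime":"2024-01-01 00:00:05","Hostname":"WS01","EventType":"DELETE","RegistryValueName":"HKLM\\Software\\Policies\\Contoso\\Old","DigestName":"sha1","PrevDigest":"0beec7b5ea3f0fdbc95d0dd47f3c5bc275da8a33","PrevValueSize":8,"Severity":"WARNING","SeverityValue":3}
not json: a line truncated while the file was being rotated
"""


def parse_regmon_events(text):
    """One JSON object per line; blank and malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def count_by_type(events):
    """Event counts per EventType, e.g. to spot a burst of DELETEs in one scan."""
    return Counter(e.get("EventType", "UNKNOWN") for e in events)


def modified_values(events):
    """Paths whose content really changed: PrevDigest present and different from
    Digest. Comparing sizes alone would miss the first record (4 bytes both times)."""
    return [e["RegistryValueName"] for e in events
            if e.get("EventType") == "CHANGE"
            and e.get("PrevDigest") is not None
            and e.get("PrevDigest") != e.get("Digest")]


def events_under(events, prefix):
    """Events whose path lies under prefix (case-insensitive, as registry paths are)."""
    p = prefix.lower().rstrip("\\") + "\\"
    return [e for e in events if e.get("RegistryValueName", "").lower().startswith(p)]


if __name__ == "__main__":
    evs = parse_regmon_events(SAMPLE_LOG)
    print(dict(count_by_type(evs)))
    print(modified_values(evs))
    print(len(events_under(evs, r"HKLM\Software\Policies\Contoso")))
```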