topic Re: Splunk USB Control in Getting Data In

Splunk USB Control

mesutu — Wed, 27 Nov 2019 13:16:32 GMT

Hi,

We use Splunk to manage usb devices. We write script which find usb's serial number and check in our database if it is registered splunk run a command which is devcon.exe update "c:\Windows\inf\disk.inf" "USBSTOR\GenDisk" Our script work properly in windows 7 and 8.1 but not work in windows10. When I run bat file manually its work. When I check the logs everything is seen right.

I dont understand where the problem is. Script is right because when i run manually , usb devices is plugged.

Can you help me ?

Thank you

Re: Splunk USB Control

gcusello — Wed, 27 Nov 2019 16:29:30 GMT

Hi @mesutu,
could you share your inputs.conf file where you launch your script?
What Splunk version are you using and on what OS?

Ciao.
Giuseppe

Re: Splunk USB Control

woodcock — Wed, 27 Nov 2019 17:57:21 GMT

Show us your configuration files.

Re: Splunk USB Control

mesutu — Thu, 28 Nov 2019 07:28:26 GMT

hi @gcusello,

Our splunk version is 7.2.1 and install in CentOS 7 64 bit.

Our inputs.conf is ;

[script://.\bin\checkUSB.bat"]
disabled = 0
interval = 3
sourcetype = EndPoint:USB

Re: Splunk USB Control

mesutu — Wed, 30 Sep 2020 03:13:09 GMT

Hi
when I check the logs of script, it says usb has been plugged but actually it is not. Why it is not working in windows 10.

Our script log is ;

[ 27/11/2019 17:15:13 ] Info: Working Directory: C:\Windows\system32
[ 27/11/2019 17:15:13 ] Info: Script Name: checkUSB.vbs
[ 27/11/2019 17:15:13 ] Debug: C:\Windows\System32\cscript.exe "C:\Program Files\SplunkUniversalForwarder\etc\apps\windows\bin\checkUSB.vbs"
[ 27/11/2019 17:15:13 ] Info: 10.22.11.10
[ 27/11/2019 17:15:13 ] Info: http://10.22.5.11/ossec-wui/site/usbcheck.php?serialNumbers=
[ 27/11/2019 17:15:13 ] Debug: Functions are defining
[ 27/11/2019 17:15:13 ] Debug: Operating System: AMD64
[ 27/11/2019 17:15:13 ] Debug: PNPDevice: @USBSTOR\DISK&VEN_KINGSTON&PROD_DATATRAVELER_2.0&REV_PMAP\1C6F654E59A2EE81C92800DE&0 PNPDeviceId: 1C6F654E59A2EE81C92800DE&0
[ 27/11/2019 17:15:13 ] Debug: uniqueID 1C6F654E59A2EE81C92800DE
[ 27/11/2019 17:15:13 ] Debug: PNPDevice: @USBSTOR\DISK&VEN_SANDISK&PROD_CRUZER_SWITCH&REV_1.27\20044526921DB721B6DD&0 PNPDeviceId: 20044526921DB721B6DD&0
[ 27/11/2019 17:15:13 ] Debug: uniqueID 20044526921DB721B6DD
[ 27/11/2019 17:15:13 ] Debug: Check From: http://10.22.5.11/ossec-wui/site/usbcheck.php?serialNumbers=;1C6F654E59A2EE81C92800DE;20044526921DB721B6DD
[ 27/11/2019 17:15:13 ] Debug: ossecResponse: 1C6F654E59A2EE81C92800DE;20044526921DB721B6DD
[ 27/11/2019 17:15:13 ] Debug: Remove or Plug USB
[ 27/11/2019 17:15:13 ] Debug: 1C6F654E59A2EE81C92800DE&0 --- @USBSTOR\DISK&VEN_KINGSTON&PROD_DATATRAVELER_2.0&REV_PMAP\1C6F654E59A2EE81C92800DE&0
[ 27/11/2019 17:15:13 ] Debug: Command: "C:\Program Files\SplunkUniversalForwarder\etc\apps\windows\bin\devcon_x64.exe" status "@USBSTOR\DISK&VEN_KINGSTON&PROD_DATATRAVELER_2.0&REV_PMAP\1C6F654E59A2EE81C92800DE&0"
[ 27/11/2019 17:15:13 ] Debug: Command Response: USBSTOR\DISK&VEN_KINGSTON&PROD_DATATRAVELER_2.0&REV_PMAP\1C6F654E59A2EE81C92800DE&0 Name: Kingston DataTraveler 2.0 USB Device The device has the following problem: 011 matching device(s) found.
[ 27/11/2019 17:15:13 ] Debug: Driver is prevented by Policy
[ 27/11/2019 17:15:13 ] Debug: USB is pluging @USBSTOR\DISK&VEN_KINGSTON&PROD_DATATRAVELER_2.0&REV_PMAP\1C6F654E59A2EE81C92800DE&0
[ 27/11/2019 17:15:13 ] Debug: Command: "C:\Program Files\SplunkUniversalForwarder\etc\apps\windows\bin\devcon_x64.exe" update "c:\Windows\inf\disk.inf" "USBSTOR\GenDisk"
[ 27/11/2019 17:15:13 ] Debug: Command Response: Updating drivers for USBSTOR\GenDisk from c:\Windows\inf\disk.inf.Drivers installed successfully.
[ 27/11/2019 17:15:13 ] Debug: USB has been plugged @USBSTOR\DISK&VEN_KINGSTON&PROD_DATATRAVELER_2.0&REV_PMAP\1C6F654E59A2EE81C92800DE&0

[ 27/11/2019 17:15:13 ] Debug: Script Will Sleep 10 seconds

Thank you

Best Regards

Mesut,

Re: Splunk USB Control

woodcock — Fri, 29 Nov 2019 04:15:12 GMT

This got clipped; come back and re-edit it.

Re: Splunk USB Control

mesutu — Fri, 29 Nov 2019 06:27:26 GMT

Hi woodcock,

[scr.pt://.\bin\checkUSB.bat"]
disabled = 0
interval = 3
sourcetype = EndPoint:USB

Re: Splunk USB Control

gcusello — Fri, 29 Nov 2019 08:25:24 GMT

Hi @mesutu,
reading what you say it seems to me that the problem is in the script and on Windows 10 has a different behavior than on Windows 7.
In any case, if you could share your inputs.conf, I could help you by checking the configuration: in a previous comment there is only "[".
To share code use the "Code Sample" button, the one with 101010.

Ciao.
Giuseppe

Re: Splunk USB Control

mesutu — Fri, 29 Nov 2019 08:28:48 GMT

Hi, @gcusello

Thank you for information. Inputs.conf is ;

[script://.\bin\checkUSB.bat"]
disabled = 0
interval = 3
sourcetype = EndPoint:USB

Thank you

Re: Splunk USB Control

woodcock — Fri, 29 Nov 2019 19:44:41 GMT

This is a Windows problem, not a Splunk problem. You are asking in the wrong forum.

Re: Splunk USB Control

gcusello — Sat, 30 Nov 2019 15:51:20 GMT

Hi @mesutu,
as @woodcook said, it's a windows problem, debug the problem executing the script!
Anyway, why there a quote in the script?

Bye.
Giuseppe