Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to monitor USB plug and remove on server 2008 R2?

aojie654
Path Finder
‎12-14-2018 04:36 PM 
OS:  CentOS 7
Component: Search Head, Indexer
Product:     Splunk Enterprise
Version:    7.2.1

OS: Windows server2003, 2008 R2, 2012 R2
Component: Forwarder
Product:     Splunk Universal Forwarder
Version:    6.3.13, 7.2.0

My customer has asked me to monitoring USB Storage changes on windows server 2003, 2008 R2 and 2012 R2, so I referenced the doc of wmi.conf in Admin Manual just like follow:

[WMI:USBChanges]
interval = 1
wql = select * from __InstanceOperationEvent within 1 where TargetInstance ISA 'Win32_PnPEntity' and TargetInstance.Description='USB Mass Storage Device'
disabled = 0
current_only = 1

I used the same wmi.conf and that went well on server 2003 and 2012 R2, BUT THAT'S NO USE ON 2008 R2 even I had add line use_old_eventlog_api = true in the [WMI:USBChanges] stanza. So I tried to get info from registry and failed too. Is that no an efficacious way on that OS?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

aojie654
Path Finder
‎12-16-2018 09:30 PM

Hi, guys:
the issues has been solved, I think the reason is the data on 2008 R2 are slower than other platform, so it misleading me that I can't receive the data of 2008 R2.
I use the same wmi.conf on deployment server, and all work well.

At last, I referred the following link:
https://answers.splunk.com/answers/46178/deploying-wmi-conf-for-windows-universal-forwarders-with-de...

Thanks to @iunderwood !

View solution in original post

0 Karma
Reply
Solved! Jump to solution

jkat54
SplunkTrust
SplunkTrust
‎12-17-2018 06:57 AM

In my experience the best place to monitor for devices being connected/disconnected is the windows registry. There’s more details there than the WMI can provide.

https://docs.microsoft.com/en-us/windows-hardware/drivers/usbcon/usb-device-specific-registry-settin...

I would caution against WMI. Running this query every second is a terrible practice.

0 Karma
Reply
Solved! Jump to solution

aojie654
Path Finder
‎12-17-2018 05:08 PM

I will seriously consider this good suggestion, thanks for your reply 😜

Reply
Solved! Jump to solution
Solution

aojie654
Path Finder
‎12-16-2018 09:30 PM

Hi, guys:
the issues has been solved, I think the reason is the data on 2008 R2 are slower than other platform, so it misleading me that I can't receive the data of 2008 R2.
I use the same wmi.conf on deployment server, and all work well.

At last, I referred the following link:
https://answers.splunk.com/answers/46178/deploying-wmi-conf-for-windows-universal-forwarders-with-de...

Thanks to @iunderwood !

0 Karma
Reply
Solved! Jump to solution

aojie654
Path Finder
‎12-15-2018 07:44 AM

Hi, thanks a lot for ur reply!

I had checked the following link and I found that the 1st and the 3rd links are using for 2012 and later, and the 2nd link is returns me the error 404.

But I want to say thanks to u for ur help.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...