
How to monitor USB plug and remove on server 2008 R2?

Path Finder
OS:  CentOS 7
Component: Search Head, Indexer
Product:     Splunk Enterprise
Version:    7.2.1

OS: Windows Server 2003, 2008 R2, 2012 R2
Component: Forwarder
Product:     Splunk Universal Forwarder
Version:    6.3.13, 7.2.0

My customer has asked me to monitor USB storage changes on Windows Server 2003, 2008 R2 and 2012 R2, so I referenced the wmi.conf documentation in the Admin Manual, as follows:

[WMI:USBChanges]
interval = 1
wql = select * from __InstanceOperationEvent within 1 where TargetInstance ISA 'Win32_PnPEntity' and TargetInstance.Description='USB Mass Storage Device'
disabled = 0
current_only = 1

I used the same wmi.conf and it worked well on Server 2003 and 2012 R2, BUT IT'S NO USE ON 2008 R2, even after I added the line use_old_eventlog_api = true to the [WMI:USBChanges] stanza. So I tried to get the information from the registry and failed too. Is there no effective way on that OS?

0 Karma
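A quick local check that the WQL query in the stanza above actually fires on a given host, so that a silent forwarder can be separated from a WMI query that never matches. This is an added example, not part of the original post or of Splunk's documentation; it assumes an elevated PowerShell session on the server being tested, and the source identifier name 'UsbStorageChange' is arbitrary.

```powershell
# Added example: subscribe to the same WQL polling query the wmi.conf stanza
# uses and wait for one matching event. Run elevated on the host under test.
$query = "SELECT * FROM __InstanceOperationEvent WITHIN 1 " +
         "WHERE TargetInstance ISA 'Win32_PnPEntity' " +
         "AND TargetInstance.Description = 'USB Mass Storage Device'"

# WITHIN 1 is a polling interval: WMI re-enumerates Win32_PnPEntity every
# second to synthesise these intrinsic events, which is why this is costly.
Register-WmiEvent -Query $query -SourceIdentifier 'UsbStorageChange' | Out-Null

Write-Host "Plug or unplug a USB storage device; waiting up to 60 s for an event..."
$evt = Wait-Event -SourceIdentifier 'UsbStorageChange' -Timeout 60

if ($null -eq $evt) {
    Write-Warning "No event within 60 s: WMI never saw a matching change on this host."
} else {
    # __InstanceCreationEvent = device appeared, __InstanceDeletionEvent = device
    # removed, __InstanceModificationEvent = a property of a known device changed.
    $n = $evt.SourceEventArgs.NewEvent
    [pscustomobject]@{
        EventClass = $n.__CLASS
        DeviceID   = $n.TargetInstance.DeviceID
        Name       = $n.TargetInstance.Name
        Status     = $n.TargetInstance.Status
        Time       = $evt.TimeGenerated
    } | Format-List
    Remove-Event -SourceIdentifier 'UsbStorageChange'
}

Unregister-Event -SourceIdentifier 'UsbStorageChange'
```

If this prints an event but nothing reaches the indexer, the problem is on the forwarder side (stanza deployment, permissions of the forwarder account for remote WMI, or simply delayed delivery); if it prints nothing, the Description filter may not match the device node on that driver stack, and removing the Description clause while testing will show what the host actually reports.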
1 Solution

Path Finder

Hi, guys:
the issue has been solved. I think the reason is that the data from 2008 R2 arrives more slowly than from the other platforms, so it misled me into thinking I couldn't receive data from 2008 R2.
I used the same wmi.conf on the deployment server, and everything works well.

In the end, I referred to the following link:
https://answers.splunk.com/answers/46178/deploying-wmi-conf-for-windows-universal-forwarders-with-de...

Thanks to @iunderwood !

0 Karma

SplunkTrust

In my experience the best place to monitor for devices being connected/disconnected is the Windows registry. There are more details there than WMI can provide.

https://docs.microsoft.com/en-us/windows-hardware/drivers/usbcon/usb-device-specific-registry-settin...

I would caution against WMI. Running this query every second is a terrible practice.

0 Karma
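One way to act on the registry suggestion above, as an added example that is neither the answerer's code nor Splunk's: usbstor.sys records every mass-storage device it has ever enumerated under Enum\USBSTOR, and the volatile Control subkey under an instance exists only while the PnP manager has that device started. Diffing two snapshots of that hive therefore yields attach, detach and first-seen events without a WMI subscription. It assumes an elevated session, PowerShell 3.0 or later (WMF 3.0 on 2008 R2 SP1), and that the 5-second poll and the output format are arbitrary choices for illustration.

```powershell
# Added example: snapshot and diff HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR.
$UsbStorKey = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR'

function Get-UsbStorDevices {
    # One record per device instance. The parent key names vendor, product and
    # revision; the child key is the serial the device reported (or a
    # Windows-generated ID ending in '&0' when it reported none).
    if (-not (Test-Path -Path $UsbStorKey)) { return @() }
    foreach ($model in Get-ChildItem -Path $UsbStorKey) {
        foreach ($inst in Get-ChildItem -Path $model.PSPath) {
            $p = Get-ItemProperty -Path $inst.PSPath
            # 'Control' is volatile and present only while the device is started,
            # so it separates "plugged in now" from "was plugged in once". The
            # USBSTOR entry itself survives unplugging, which is what makes the
            # hive useful for forensics as well as live monitoring.
            $active = Test-Path -Path ($inst.PSPath + '\Control')
            [pscustomobject]@{
                Model        = $model.PSChildName   # e.g. Disk&Ven_Kingston&Prod_DataTraveler&Rev_PMAP
                Serial       = $inst.PSChildName    # e.g. 0019E06B1234&0
                FriendlyName = $p.FriendlyName
                Service      = $p.Service           # normally 'disk'
                Active       = $active
            }
        }
    }
}

function Compare-UsbStorSnapshot {
    # Diff two outputs of Get-UsbStorDevices and return the deltas worth logging.
    param([object[]]$Before, [object[]]$After)
    $byId = @{}
    foreach ($d in $Before) { $byId["$($d.Model)\$($d.Serial)"] = $d }
    $events = foreach ($d in $After) {
        $id = "$($d.Model)\$($d.Serial)"
        if (-not $byId.ContainsKey($id)) {
            [pscustomobject]@{ Event = 'first_seen'; Device = $d }   # never connected before
        } elseif ($d.Active -and -not $byId[$id].Active) {
            [pscustomobject]@{ Event = 'attached';   Device = $d }
        } elseif (-not $d.Active -and $byId[$id].Active) {
            [pscustomobject]@{ Event = 'detached';   Device = $d }
        }
        $byId.Remove($id)
    }
    # Anything left in $byId vanished from the hive entirely: someone cleaned it,
    # which on a server is itself worth an alert.
    @($events) + @($byId.Values | ForEach-Object {
        [pscustomobject]@{ Event = 'key_deleted'; Device = $_ }
    })
}

# Poll loop. A registry read every few seconds is far cheaper than the WMI
# __InstanceOperationEvent query with WITHIN 1, which re-enumerates every
# Win32_PnPEntity once per second.
$previous = @(Get-UsbStorDevices)
Write-Host ("Tracking {0} known USB storage instance(s); Ctrl+C to stop." -f $previous.Count)
while ($true) {
    Start-Sleep -Seconds 5
    $current = @(Get-UsbStorDevices)
    foreach ($e in Compare-UsbStorSnapshot -Before $previous -After $current) {
        '{0:s} {1,-11} {2} serial={3} "{4}"' -f (Get-Date), $e.Event,
            $e.Device.Model, $e.Device.Serial, $e.Device.FriendlyName
    }
    $previous = $current
}
```

The serial in the instance key is what makes this more useful than the WMI Description match: it identifies the specific stick, not just "a USB mass storage device", so the same lines can be fed to the forwarder as a scripted input or the hive path can be watched with a registry-monitoring input instead of polling.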

Path Finder

I will seriously consider this good suggestion, thanks for your reply 😜


Path Finder

Hi, thanks a lot for your reply!

I checked the links and found that the 1st and 3rd links apply to 2012 and later, and the 2nd link returns a 404 error.

But I want to say thanks to you for your help.

0 Karma