Getting Data In
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Splunk USB Control

mesutu
Explorer
‎11-27-2019 05:16 AM

Hi,

We use Splunk to manage usb devices. We write script which find usb's serial number and check in our database if it is registered splunk run a command which is devcon.exe update "c:\Windows\inf\disk.inf" "USBSTOR\GenDisk" Our script work properly in windows 7 and 8.1 but not work in windows10. When I run bat file manually its work. When I check the logs everything is seen right.

I dont understand where the problem is. Script is right because when i run manually , usb devices is plugged.

Can you help me ?

Thank you

Tags (1)
0 Karma
Reply

woodcock
Esteemed Legend
‎11-29-2019 11:44 AM

This is a Windows problem, not a Splunk problem. You are asking in the wrong forum.

0 Karma
Reply

mesutu
Explorer
‎11-29-2019 12:28 AM

Hi, @gcusello

Thank you for information. Inputs.conf is ;

[script://.\bin\checkUSB.bat"]
disabled = 0
interval = 3
sourcetype = EndPoint:USB

Thank you

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎11-30-2019 07:51 AM

Hi @mesutu,
as @woodcook said, it's a windows problem, debug the problem executing the script!
Anyway, why there a quote in the script?

Bye.
Giuseppe

0 Karma
Reply

mesutu
Explorer
‎11-27-2019 11:36 PM

Hi
when I check the logs of script, it says usb has been plugged but actually it is not. Why it is not working in windows 10.

Our script log is ;

[ 27/11/2019 17:15:13 ] Info: Working Directory: C:\Windows\system32
[ 27/11/2019 17:15:13 ] Info: Script Name: checkUSB.vbs
[ 27/11/2019 17:15:13 ] Debug: C:\Windows\System32\cscript.exe "C:\Program Files\SplunkUniversalForwarder\etc\apps\windows\bin\checkUSB.vbs"
[ 27/11/2019 17:15:13 ] Info: 10.22.11.10
[ 27/11/2019 17:15:13 ] Info: http://10.22.5.11/ossec-wui/site/usbcheck.php?serialNumbers=
[ 27/11/2019 17:15:13 ] Debug: Functions are defining
[ 27/11/2019 17:15:13 ] Debug: Operating System: AMD64
[ 27/11/2019 17:15:13 ] Debug: PNPDevice: @USBSTOR\DISK&VEN_KINGSTON&PROD_DATATRAVELER_2.0&REV_PMAP\1C6F654E59A2EE81C92800DE&0 PNPDeviceId: 1C6F654E59A2EE81C92800DE&0
[ 27/11/2019 17:15:13 ] Debug: uniqueID 1C6F654E59A2EE81C92800DE
[ 27/11/2019 17:15:13 ] Debug: PNPDevice: @USBSTOR\DISK&VEN_SANDISK&PROD_CRUZER_SWITCH&REV_1.27\20044526921DB721B6DD&0 PNPDeviceId: 20044526921DB721B6DD&0
[ 27/11/2019 17:15:13 ] Debug: uniqueID 20044526921DB721B6DD
[ 27/11/2019 17:15:13 ] Debug: Check From: http://10.22.5.11/ossec-wui/site/usbcheck.php?serialNumbers=;1C6F654E59A2EE81C92800DE;20044526921DB7...
[ 27/11/2019 17:15:13 ] Debug: ossecResponse: 1C6F654E59A2EE81C92800DE;20044526921DB721B6DD
[ 27/11/2019 17:15:13 ] Debug: Remove or Plug USB
[ 27/11/2019 17:15:13 ] Debug: 1C6F654E59A2EE81C92800DE&0 --- @USBSTOR\DISK&VEN_KINGSTON&PROD_DATATRAVELER_2.0&REV_PMAP\1C6F654E59A2EE81C92800DE&0
[ 27/11/2019 17:15:13 ] Debug: Command: "C:\Program Files\SplunkUniversalForwarder\etc\apps\windows\bin\devcon_x64.exe" status "@USBSTOR\DISK&VEN_KINGSTON&PROD_DATATRAVELER_2.0&REV_PMAP\1C6F654E59A2EE81C92800DE&0"
[ 27/11/2019 17:15:13 ] Debug: Command Response: USBSTOR\DISK&VEN_KINGSTON&PROD_DATATRAVELER_2.0&REV_PMAP\1C6F654E59A2EE81C92800DE&0 Name: Kingston DataTraveler 2.0 USB Device The device has the following problem: 011 matching device(s) found.
[ 27/11/2019 17:15:13 ] Debug: Driver is prevented by Policy
[ 27/11/2019 17:15:13 ] Debug: USB is pluging @USBSTOR\DISK&VEN_KINGSTON&PROD_DATATRAVELER_2.0&REV_PMAP\1C6F654E59A2EE81C92800DE&0
[ 27/11/2019 17:15:13 ] Debug: Command: "C:\Program Files\SplunkUniversalForwarder\etc\apps\windows\bin\devcon_x64.exe" update "c:\Windows\inf\disk.inf" "USBSTOR\GenDisk"
[ 27/11/2019 17:15:13 ] Debug: Command Response: Updating drivers for USBSTOR\GenDisk from c:\Windows\inf\disk.inf.Drivers installed successfully.
[ 27/11/2019 17:15:13 ] Debug: USB has been plugged @USBSTOR\DISK&VEN_KINGSTON&PROD_DATATRAVELER_2.0&REV_PMAP\1C6F654E59A2EE81C92800DE&0

[ 27/11/2019 17:15:13 ] Debug: Script Will Sleep 10 seconds

Thank you

Best Regards

Mesut,

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎11-29-2019 12:25 AM

Hi @mesutu,
reading what you say it seems to me that the problem is in the script and on Windows 10 has a different behavior than on Windows 7.
In any case, if you could share your inputs.conf, I could help you by checking the configuration: in a previous comment there is only "[".
To share code use the "Code Sample" button, the one with 101010.

Ciao.
Giuseppe

0 Karma
Reply

mesutu
Explorer
‎11-27-2019 11:28 PM

hi @gcusello,

Our splunk version is 7.2.1 and install in CentOS 7 64 bit.

Our inputs.conf is ;

[script://.\bin\checkUSB.bat"]
disabled = 0
interval = 3
sourcetype = EndPoint:USB

0 Karma
Reply

mesutu
Explorer
‎11-28-2019 10:27 PM

Hi woodcock,

[scr.pt://.\bin\checkUSB.bat"]
disabled = 0
interval = 3
sourcetype = EndPoint:USB

0 Karma
Reply

woodcock
Esteemed Legend
‎11-28-2019 08:15 PM

This got clipped; come back and re-edit it.

0 Karma
Reply

woodcock
Esteemed Legend
‎11-27-2019 09:57 AM

Show us your configuration files.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎11-27-2019 08:29 AM

Hi @mesutu,
could you share your inputs.conf file where you launch your script?
What Splunk version are you using and on what OS?

Ciao.
Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Developer Spotlight with Brett Adams

In our third Spotlight feature, we're excited to shine a light on Brett—a Splunk consultant, innovative ...

Index This | What can you do to make 55,555 equal 500?

April 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

In today’s evolving threat landscape, we understand you’re constantly bombarded with phishing and malware ...
Top