Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Splunk USB Control

mesutu
Explorer
‎11-27-2019 05:16 AM

Hi,

We use Splunk to manage usb devices. We write script which find usb's serial number and check in our database if it is registered splunk run a command which is devcon.exe update "c:\Windows\inf\disk.inf" "USBSTOR\GenDisk" Our script work properly in windows 7 and 8.1 but not work in windows10. When I run bat file manually its work. When I check the logs everything is seen right.

I dont understand where the problem is. Script is right because when i run manually , usb devices is plugged.

Can you help me ?

Thank you

Tags (1)
0 Karma
Reply

woodcock
Esteemed Legend
‎11-29-2019 11:44 AM

This is a Windows problem, not a Splunk problem. You are asking in the wrong forum.

0 Karma
Reply

mesutu
Explorer
‎11-29-2019 12:28 AM

Hi, @gcusello

Thank you for information. Inputs.conf is ;

[script://.\bin\checkUSB.bat"]
disabled = 0
interval = 3
sourcetype = EndPoint:USB

Thank you

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎11-30-2019 07:51 AM

Hi @mesutu,
as @woodcook said, it's a windows problem, debug the problem executing the script!
Anyway, why there a quote in the script?

Bye.
Giuseppe

0 Karma
Reply

mesutu
Explorer
‎11-27-2019 11:36 PM

Hi
when I check the logs of script, it says usb has been plugged but actually it is not. Why it is not working in windows 10.

Our script log is ;

[ 27/11/2019 17:15:13 ] Info: Working Directory: C:\Windows\system32
[ 27/11/2019 17:15:13 ] Info: Script Name: checkUSB.vbs
[ 27/11/2019 17:15:13 ] Debug: C:\Windows\System32\cscript.exe "C:\Program Files\SplunkUniversalForwarder\etc\apps\windows\bin\checkUSB.vbs"
[ 27/11/2019 17:15:13 ] Info: 10.22.11.10
[ 27/11/2019 17:15:13 ] Info: http://10.22.5.11/ossec-wui/site/usbcheck.php?serialNumbers=
[ 27/11/2019 17:15:13 ] Debug: Functions are defining
[ 27/11/2019 17:15:13 ] Debug: Operating System: AMD64
[ 27/11/2019 17:15:13 ] Debug: PNPDevice: @USBSTOR\DISK&VEN_KINGSTON&PROD_DATATRAVELER_2.0&REV_PMAP\1C6F654E59A2EE81C92800DE&0 PNPDeviceId: 1C6F654E59A2EE81C92800DE&0
[ 27/11/2019 17:15:13 ] Debug: uniqueID 1C6F654E59A2EE81C92800DE
[ 27/11/2019 17:15:13 ] Debug: PNPDevice: @USBSTOR\DISK&VEN_SANDISK&PROD_CRUZER_SWITCH&REV_1.27\20044526921DB721B6DD&0 PNPDeviceId: 20044526921DB721B6DD&0
[ 27/11/2019 17:15:13 ] Debug: uniqueID 20044526921DB721B6DD
[ 27/11/2019 17:15:13 ] Debug: Check From: http://10.22.5.11/ossec-wui/site/usbcheck.php?serialNumbers=;1C6F654E59A2EE81C92800DE;20044526921DB7...
[ 27/11/2019 17:15:13 ] Debug: ossecResponse: 1C6F654E59A2EE81C92800DE;20044526921DB721B6DD
[ 27/11/2019 17:15:13 ] Debug: Remove or Plug USB
[ 27/11/2019 17:15:13 ] Debug: 1C6F654E59A2EE81C92800DE&0 --- @USBSTOR\DISK&VEN_KINGSTON&PROD_DATATRAVELER_2.0&REV_PMAP\1C6F654E59A2EE81C92800DE&0
[ 27/11/2019 17:15:13 ] Debug: Command: "C:\Program Files\SplunkUniversalForwarder\etc\apps\windows\bin\devcon_x64.exe" status "@USBSTOR\DISK&VEN_KINGSTON&PROD_DATATRAVELER_2.0&REV_PMAP\1C6F654E59A2EE81C92800DE&0"
[ 27/11/2019 17:15:13 ] Debug: Command Response: USBSTOR\DISK&VEN_KINGSTON&PROD_DATATRAVELER_2.0&REV_PMAP\1C6F654E59A2EE81C92800DE&0 Name: Kingston DataTraveler 2.0 USB Device The device has the following problem: 011 matching device(s) found.
[ 27/11/2019 17:15:13 ] Debug: Driver is prevented by Policy
[ 27/11/2019 17:15:13 ] Debug: USB is pluging @USBSTOR\DISK&VEN_KINGSTON&PROD_DATATRAVELER_2.0&REV_PMAP\1C6F654E59A2EE81C92800DE&0
[ 27/11/2019 17:15:13 ] Debug: Command: "C:\Program Files\SplunkUniversalForwarder\etc\apps\windows\bin\devcon_x64.exe" update "c:\Windows\inf\disk.inf" "USBSTOR\GenDisk"
[ 27/11/2019 17:15:13 ] Debug: Command Response: Updating drivers for USBSTOR\GenDisk from c:\Windows\inf\disk.inf.Drivers installed successfully.
[ 27/11/2019 17:15:13 ] Debug: USB has been plugged @USBSTOR\DISK&VEN_KINGSTON&PROD_DATATRAVELER_2.0&REV_PMAP\1C6F654E59A2EE81C92800DE&0

[ 27/11/2019 17:15:13 ] Debug: Script Will Sleep 10 seconds

Thank you

Best Regards

Mesut,

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎11-29-2019 12:25 AM

Hi @mesutu,
reading what you say it seems to me that the problem is in the script and on Windows 10 has a different behavior than on Windows 7.
In any case, if you could share your inputs.conf, I could help you by checking the configuration: in a previous comment there is only "[".
To share code use the "Code Sample" button, the one with 101010.

Ciao.
Giuseppe

0 Karma
Reply

mesutu
Explorer
‎11-27-2019 11:28 PM

hi @gcusello,

Our splunk version is 7.2.1 and install in CentOS 7 64 bit.

Our inputs.conf is ;

[script://.\bin\checkUSB.bat"]
disabled = 0
interval = 3
sourcetype = EndPoint:USB

0 Karma
Reply

mesutu
Explorer
‎11-28-2019 10:27 PM

Hi woodcock,

[scr.pt://.\bin\checkUSB.bat"]
disabled = 0
interval = 3
sourcetype = EndPoint:USB

0 Karma
Reply

woodcock
Esteemed Legend
‎11-28-2019 08:15 PM

This got clipped; come back and re-edit it.

0 Karma
Reply

woodcock
Esteemed Legend
‎11-27-2019 09:57 AM

Show us your configuration files.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎11-27-2019 08:29 AM

Hi @mesutu,
could you share your inputs.conf file where you launch your script?
What Splunk version are you using and on what OS?

Ciao.
Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Infographic provides the TL;DR for the 2024 Splunk Career Impact Report

We’ve been buzzing with excitement about the recent validation of Splunk Education! The 2024 Splunk Career ...

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...