I'd like to track print events from a Windows 2008 R2 print server. I have configured my Universal Forwarder (UF) via this blog: http://blogs.splunk.com/2014/04/21/windows-print-monitoring-in-splunk-6/ and I am receiving print event data, but the page print metrics are inconsistent. I am capturing page counts for some users, but most user page counts are zero.
My Splunk configuration is: Print Server UF (6.5) -> Heavy Forwarder -> SplunkCloud
I have also tried this configuration: Print Server UF (6.5) -> SplunkCloud
Both exhibit the same problem.
How do you monitor print events?
I decided to take a different approach. I used the wevtutil command to export the Print Event Log to an XML file. I appended the current date/time stamp to the file name and ran wevtutil again to clear the Windows Event Log.
REM Two-digit hour; %time% pads a single-digit hour with a space, so replace it with 0
set hh=%time:~0,2%
set hh=%hh: =0%
REM Build a YYYYMMDD_HHMMSS stamp from %date% (offsets depend on the regional date format)
set dt=%date:~10,4%%date:~4,2%%date:~7,2%_%hh%%time:~3,2%%time:~6,2%
REM Export every event 307 (document printed) from the PrintService log as XML
wevtutil qe Microsoft-Windows-PrintService/Operational /q:"*[System[((EventID=307))]]" >c:\splunkevents\PrintEvents\PrintEvents_%dt%.xml
REM Clear the log so the next run exports only new events
wevtutil cl Microsoft-Windows-PrintService/Operational
Using Windows Task Scheduler, I configured a task to run every 5 minutes, which produced this:
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-PrintService' Guid='{747EF6FD-E535-4D16-B510-42C90F6873A1}'/><EventID>307</EventID><Version>0</Version><Level>4</Level><Task>26</Task><Opcode>11</Opcode><Keywords>0x4000000000000840</Keywords><TimeCreated SystemTime='2016-12-07T19:35:07.193302100Z'/><EventRecordID>11653591</EventRecordID><Correlation/><Execution ProcessID='1236' ThreadID='7800'/><Channel>Microsoft-Windows-PrintService/Operational</Channel><Computer>SVRPRINT.xxxx.com</Computer><Security UserID='S-1-5-21-1418215022-461469287-1537874043-18922'/></System><UserData><DocumentPrinted xmlns:auto-ns3='http://schemas.microsoft.com/win/2004/08/events' xmlns='http://manifests.microsoft.com/win/2005/08/windows/printing/spooler/core/events'><Param1>116</Param1><Param2>DOC120716-12072016141658.pdf</Param2><Param3>someuser</Param3><Param4>31AI2UA4121W48W</Param4><Param5>ITHINSGeneralBW4</Param5><Param6>10.17.48.14</Param6><Param7>850573</Param7><Param8>5</Param8></DocumentPrinted></UserData></Event>
I imported the file into Splunk and used spath to extract the "params" into usable fields:
...| eval DocumentName=spath(_raw,"Event.UserData.DocumentPrinted.Param2"),
User=spath(_raw,"Event.UserData.DocumentPrinted.Param3"),
ComputerName=spath(_raw,"Event.UserData.DocumentPrinted.Param4"),
PrinterName=spath(_raw,"Event.UserData.DocumentPrinted.Param5"),
PrinterIP=spath(_raw,"Event.UserData.DocumentPrinted.Param6"),
Bytes=spath(_raw,"Event.UserData.DocumentPrinted.Param7"),
Page_Count=spath(_raw,"Event.UserData.DocumentPrinted.Param8")
Which gives me:
One last note: I created a nightly task scheduler job to delete the day's XML files.
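A parser for the exported file, as an added example that is not part of the original post: wevtutil qe writes one <Event> element per record with no enclosing root, so the text is wrapped in a synthetic root before parsing, the namespaces of the Event and DocumentPrinted elements are handled explicitly, and the Param-to-field mapping matches the spath extraction above. The two embedded events are constructed; zero_page_jobs flags the zero page counts this thread is about.

```python
import xml.etree.ElementTree as ET

NS_EVENT = "http://schemas.microsoft.com/win/2004/08/events/event"
NS_PRINT = ("http://manifests.microsoft.com/win/2005/08/windows/"
            "printing/spooler/core/events")

# Same Param -> field mapping the post applies with spath.
PARAM_FIELDS = {"Param2": "DocumentName", "Param3": "User",
                "Param4": "ComputerName", "Param5": "PrinterName",
                "Param6": "PrinterIP", "Param7": "Bytes", "Param8": "Page_Count"}

# Constructed sample in the shape wevtutil emits: one <Event> per line, no root.
_TEMPLATE = (
    "<Event xmlns='{ev}'><System><Provider Name='Microsoft-Windows-PrintService'/>"
    "<EventID>307</EventID><TimeCreated SystemTime='{ts}'/>"
    "<Channel>Microsoft-Windows-PrintService/Operational</Channel></System>"
    "<UserData><DocumentPrinted xmlns='{pr}'><Param1>{job}</Param1>"
    "<Param2>{doc}</Param2><Param3>{user}</Param3><Param4>WS01</Param4>"
    "<Param5>GeneralBW</Param5><Param6>10.0.0.5</Param6>"
    "<Param7>{size}</Param7><Param8>{pages}</Param8></DocumentPrinted>"
    "</UserData></Event>\r\n")
SAMPLE_EXPORT = "".join(
    _TEMPLATE.format(ev=NS_EVENT, pr=NS_PRINT, **job) for job in [
        dict(ts="2016-12-07T19:35:07Z", job=116, doc="DOC120716.pdf",
             user="someuser", size=850573, pages=5),
        dict(ts="2016-12-07T19:36:12Z", job=117, doc="report.pdf",
             user="otheruser", size=204800, pages=0)])


def parse_print_events(xml_text):
    """Return one dict per event 307 found in a root-less wevtutil export."""
    root = ET.fromstring("<Events>" + xml_text + "</Events>")
    records = []
    for ev in root.iter(f"{{{NS_EVENT}}}Event"):
        system = ev.find(f"{{{NS_EVENT}}}System")
        if system is None or system.findtext(f"{{{NS_EVENT}}}EventID") != "307":
            continue
        doc = ev.find(f".//{{{NS_PRINT}}}DocumentPrinted")
        if doc is None:
            continue
        rec = {"TimeCreated": system.find(f"{{{NS_EVENT}}}TimeCreated").get("SystemTime")}
        for param, field in PARAM_FIELDS.items():
            rec[field] = doc.findtext(f"{{{NS_PRINT}}}{param}")
        rec["Bytes"] = int(rec["Bytes"] or 0)
        rec["Page_Count"] = int(rec["Page_Count"] or 0)
        records.append(rec)
    return records


def zero_page_jobs(records):
    """Jobs logged with Page_Count 0, the inconsistency the thread describes."""
    return [r for r in records if r["Page_Count"] == 0]
```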
Are you sure that you do not have dodgy events coming in to splunk from the ground up?
Hi. What do you mean by "dodgy events"?
Events that aren't 100% reliable, e.g. data missing, etc. Have you confirmed that all the data is within the events and that nothing is modifying them prior to indexing?
It looks like we are receiving all the print events. In other words, every time someone submits a print job, we receive events in Splunk. The data in each event is correctly populated, except for the pages printed (sometimes it is correct for some people; most of the time it is incorrect). I watched the Windows print queue and I can confirm the queue shows the correct number of pages printed, so for whatever reason, Splunk is not always able to query the print queue.
Hi @fdarrigo -
I see your solution ingests the Windows event log. How were you able to resolve the accuracy of pages printed in the event log? I'm running a Windows Server 2016 print server, and I understand that some of the native print logging features were better on WS08/R2 than subsequent OS releases, specifically with regard to pages printed. Currently, Event 307's Pages Printed (Param8) is 0. I've enabled print auditing and am not able to find anything indicating how to fix the event log's pages printed count. Any advice? How would one go about configuring Splunk to query the print queue instead? Any insight would be greatly appreciated.
Thanks,
Kayla