Getting Data In

What is the best way to collect and monitor Windows 2008 R2 print server events?

fdarrigo
Path Finder

I'd like to track print events from a Windows 2008 R2 print server. I have configured my Universal Forwarder (UF) via this blog: http://blogs.splunk.com/2014/04/21/windows-print-monitoring-in-splunk-6/ and I am receiving print event data, but the page print metrics are inconsistent. I am capturing page counts for some users, but most user page counts are zero.

My Splunk configuration is : Print Server UF (6.5) ->Heavy Forwarder->SplunkCloud
I have also tried this configuration: Print Server UF(6.5)->SplunkCloud

Both exhibit the same problem.

How do you monitor print events?

0 Karma
1 Solution

fdarrigo
Path Finder

I decided to take a different approach. I used the wevtutil command to export the Print Event Log to an XML file. I appended the current date/time stamp to the file and ran wevtutil again to clear the Windows Event Log.

rem Build a timestamp for the output file name. The %date% offsets below assume the
rem en-US format "Wed 12/07/2016"; adjust them if the server uses a different locale.
set hh=%time:~0,2%
rem Pad a single-digit hour with a leading zero (%time% uses a leading space before 10:00)
set hh=%hh: =0%
set dt=%date:~10,4%%date:~4,2%%date:~7,2%_%hh%%time:~3,2%%time:~6,2%

rem Export every DocumentPrinted event (EventID 307) from the PrintService log as XML
wevtutil qe Microsoft-Windows-PrintService/Operational /q:"*[System[((EventID=307))]]" >c:\splunkevents\PrintEvents\PrintEvents_%dt%.xml

rem Clear the log so the next run only exports new events
wevtutil cl Microsoft-Windows-PrintService/Operational

Using Windows Task Scheduler, I configured a task to run every 5 minutes, which produced this:

<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-PrintService' Guid='{747EF6FD-E535-4D16-B510-42C90F6873A1}'/><EventID>307</EventID><Version>0</Version><Level>4</Level><Task>26</Task><Opcode>11</Opcode><Keywords>0x4000000000000840</Keywords><TimeCreated SystemTime='2016-12-07T19:35:07.193302100Z'/><EventRecordID>11653591</EventRecordID><Correlation/><Execution ProcessID='1236' ThreadID='7800'/><Channel>Microsoft-Windows-PrintService/Operational</Channel><Computer>SVRPRINT.xxxx.com</Computer><Security UserID='S-1-5-21-1418215022-461469287-1537874043-18922'/></System><UserData><DocumentPrinted xmlns:auto-ns3='http://schemas.microsoft.com/win/2004/08/events' xmlns='http://manifests.microsoft.com/win/2005/08/windows/printing/spooler/core/events'><Param1>116</Param1><Param2>DOC120716-12072016141658.pdf</Param2><Param3>someuser</Param3><Param4>31AI2UA4121W48W</Param4><Param5>ITHINSGeneralBW4</Param5><Param6>10.17.48.14</Param6><Param7>850573</Param7><Param8>5</Param8></DocumentPrinted></UserData></Event>

I imported the file into Splunk and used spath to extract the "params" into usable fields.

...| eval DocumentName=spath(_raw,"Event.UserData.DocumentPrinted.Param2"),
       User=spath(_raw,"Event.UserData.DocumentPrinted.Param3"),
       ComputerName=spath(_raw,"Event.UserData.DocumentPrinted.Param4"),
       PrinterName=spath(_raw,"Event.UserData.DocumentPrinted.Param5"),
       PrinterIP=spath(_raw,"Event.UserData.DocumentPrinted.Param6"),
       Bytes=spath(_raw,"Event.UserData.DocumentPrinted.Param7"),
       Page_Count=spath(_raw,"Event.UserData.DocumentPrinted.Param8")

Which gives me:

(screenshot of the resulting field table not reproduced)

One last note: I created a nightly task scheduler job to delete the day's XML files.

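As an added example (not code from the post, from the linked blog, or from Splunk), here is a small Python parser that applies the same Param-to-field mapping as the spath search above to a wevtutil XML export, and pulls out the jobs whose page count is zero so the inconsistency described in the question can be measured per user or printer before the data is indexed. The two events in SAMPLE_EXPORT are constructed for this example with placeholder host, user and printer names; the namespace URIs are the ones in the event shown above, and the parser assumes the export has already been decoded to a string.

```python
"""Parse a wevtutil XML export of PrintService event 307 into named fields."""
import xml.etree.ElementTree as ET

# Namespaces from the event shown in the post: the System block uses the generic
# Windows event schema, the DocumentPrinted block uses the print spooler schema.
NS = {
    "e": "http://schemas.microsoft.com/win/2004/08/events/event",
    "p": "http://manifests.microsoft.com/win/2005/08/windows/printing/spooler/core/events",
}

# Same Param -> field mapping as the spath search in the post (Param1 is left unmapped there too).
PARAM_FIELDS = {
    "Param2": "DocumentName",
    "Param3": "User",
    "Param4": "ComputerName",
    "Param5": "PrinterName",
    "Param6": "PrinterIP",
    "Param7": "Bytes",
    "Param8": "Page_Count",
}
INT_FIELDS = ("Bytes", "Page_Count")

# Constructed sample export: two event 307 fragments in the shape wevtutil qe writes them,
# one with a real page count and one showing the zero page count from the question.
SAMPLE_EXPORT = """<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-PrintService'/><EventID>307</EventID><TimeCreated SystemTime='2016-12-07T19:35:07.193302100Z'/><Channel>Microsoft-Windows-PrintService/Operational</Channel><Computer>PRINTSERVER.example.invalid</Computer></System><UserData><DocumentPrinted xmlns='http://manifests.microsoft.com/win/2005/08/windows/printing/spooler/core/events'><Param1>116</Param1><Param2>report.pdf</Param2><Param3>alice</Param3><Param4>WS-ALICE</Param4><Param5>FloorBW1</Param5><Param6>10.0.0.20</Param6><Param7>850573</Param7><Param8>5</Param8></DocumentPrinted></UserData></Event>
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-PrintService'/><EventID>307</EventID><TimeCreated SystemTime='2016-12-07T19:36:11.000000000Z'/><Channel>Microsoft-Windows-PrintService/Operational</Channel><Computer>PRINTSERVER.example.invalid</Computer></System><UserData><DocumentPrinted xmlns='http://manifests.microsoft.com/win/2005/08/windows/printing/spooler/core/events'><Param1>117</Param1><Param2>memo.docx</Param2><Param3>bob</Param3><Param4>WS-BOB</Param4><Param5>FloorColor2</Param5><Param6>10.0.0.21</Param6><Param7>41200</Param7><Param8>0</Param8></DocumentPrinted></UserData></Event>
"""


def parse_event(ev):
    """Flatten one <Event> element into a dict of the fields the post extracts."""
    system = ev.find("e:System", NS)
    rec = {
        "EventID": int(system.findtext("e:EventID", namespaces=NS)),
        "TimeCreated": system.find("e:TimeCreated", NS).get("SystemTime"),
        "Computer": system.findtext("e:Computer", namespaces=NS),
    }
    doc = ev.find("e:UserData/p:DocumentPrinted", NS)
    for param, field in PARAM_FIELDS.items():
        value = doc.findtext("p:" + param, namespaces=NS) if doc is not None else None
        if field in INT_FIELDS and value is not None:
            value = int(value)
        rec[field] = value
    return rec


def parse_export(text):
    """Parse a wevtutil qe export: a sequence of <Event> fragments with no root element."""
    root = ET.fromstring("<Events>" + text + "</Events>")
    return [parse_event(ev) for ev in root.findall("e:Event", NS)]


def zero_page_jobs(records):
    """Return the records whose Page_Count is 0, the symptom discussed in the thread."""
    return [r for r in records if r["Page_Count"] == 0]


if __name__ == "__main__":
    records = parse_export(SAMPLE_EXPORT)
    bad = zero_page_jobs(records)
    print(f"{len(records)} print jobs, {len(bad)} with a zero page count")
    for r in bad:
        print(f"  {r['TimeCreated']} user={r['User']} printer={r['PrinterName']} doc={r['DocumentName']}")
```

Run it against a real export by passing the decoded file contents to parse_export; grouping the zero_page_jobs result by User or PrinterName shows whether the missing counts follow particular workstations or printers, which is the first thing to check before trusting the page totals in Splunk.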


jlvix1
Communicator

Are you sure that you do not have dodgy events coming into Splunk from the ground up?

0 Karma

fdarrigo
Path Finder

Hi. What do you mean by "dodgy events"?

0 Karma

jlvix1
Communicator

Events that aren't 100% reliable, e.g. data missing etc. Have you confirmed that all the data is within the events and that nothing is modifying them prior to indexing?

0 Karma

fdarrigo
Path Finder

It looks like we are receiving all the print events. In other words, every time someone submits a print job, we receive events in Splunk. The data in each event is correctly populated, except for the pages printed (sometimes it is correct for some people, most of the time it is incorrect). I watched the Windows print queue and I can confirm the queue shows the correct number of pages printed, so for whatever reason, Splunk is not able to always query the print queue.

0 Karma

kaylad
New Member

Hi @fdarrigo -
I see your solution ingests the Windows event log. How were you able to resolve the accuracy of pages printed in the event log? I'm running a Windows Server 2016 print server, and I understand that some of the native print logging features were better on WS08/R2 than subsequent OS releases, specifically with regard to pages printed. Currently, Event 307's Pages Printed (Param8) is 0. I've enabled print auditing and am not able to find anything indicating how to fix the event log's pages printed count. Any advice? How would one go about configuring Splunk to query the print queue instead? Any insight would be greatly appreciated.

Thanks,
Kayla

0 Karma