Security

Can Splunk see which of our Virtual Desktop users are printing from home?

eberg1
Engager

Compliance has given me the grueling task of identifying the users who are printing at home or from a remote location so they can prevent them from doing so.

I am struggling to figure this out with our virtual desktop environment.

Any suggestions?

0 Karma

Sukisen1981
Champion

Hi @eberg1
You have to give some more details about what Splunk is logging / what you folks propose to log with Splunk.
One thought that comes to mind is to identify by IP.
So anytime someone is printing something, there must be the source IP of the machine being logged somewhere.
Now, if we can monitor/ingest the IP, what we need to do next is have a simple rule to segregate based on the IP.
For example, your corporate IP will have something like 10.xxxx.yyy.zzz
Any other network IP pattern means either a private connection (mobile/edge..?) which is a good indicator that users are printing from outside the corporate network.
Now, identifying such actions is one thing; preventing it through Splunk is another.
Remember, the non-corporate IPs will be logged AFTER the print has been given.
Why not simply ask your infra team dealing with the printers to block all non-corporate IPs in the first place?

0 Karma
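The IP-based segregation described in the reply above, as an added example that is not part of any post in this thread. The field names, the sample events and the use of 10.0.0.0/8 as the only corporate range are assumptions; substitute whatever your session and print logs actually contain.

```python
import ipaddress
from collections import Counter

# Assumption: corporate address space. The thread only gives "10.x" as an example.
CORPORATE_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample events (hypothetical field names, not a real Citrix or Windows schema).
SESSIONS = [
    {"user": "alice", "session": "s1", "client_ip": "10.20.30.40"},
    {"user": "bob", "session": "s2", "client_ip": "203.0.113.17"},
    {"user": "carol", "session": "s3", "client_ip": "192.168.1.23"},
    {"user": "dave", "session": "s4", "client_ip": "not-an-ip"},
]
PRINT_JOBS = [
    {"session": "s1", "printer": "FLOOR3-MFP", "pages": 2},
    {"session": "s2", "printer": "Home Inkjet", "pages": 5},
    {"session": "s2", "printer": "Home Inkjet", "pages": 1},
    {"session": "s3", "printer": "Home Laser", "pages": 3},
    {"session": "s4", "printer": "Unknown", "pages": 1},
    {"session": "s9", "printer": "Orphan", "pages": 1},  # no matching session record
]

def classify(ip_text):
    """Return 'corporate', 'external' or 'unknown' for a logged client address."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return "unknown"
    return "corporate" if any(ip in net for net in CORPORATE_NETS) else "external"

def remote_print_report(sessions, jobs):
    """Sum pages per user for jobs whose session came from outside CORPORATE_NETS."""
    by_session = {s["session"]: s for s in sessions}
    pages = Counter()
    unresolved = []
    for job in jobs:
        sess = by_session.get(job["session"])
        verdict = classify(sess["client_ip"]) if sess else "unknown"
        if verdict == "external":
            pages[sess["user"]] += job["pages"]
        elif verdict == "unknown":
            unresolved.append(job["session"])  # keep for manual review, do not guess
    return dict(pages), unresolved

if __name__ == "__main__":
    print(remote_print_report(SESSIONS, PRINT_JOBS))
```

Jobs that cannot be tied to a session, or whose logged address does not parse, are returned separately so they are reviewed instead of being counted as corporate or external.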

tkomatsubara_sp
Splunk Employee

It sounds like it depends on which virtual desktop solution you're using.
Can you elaborate on the exact product?
Also, what do you mean by "remote location"? How do you identify if he/she is using his/her PC outside of their home? It depends on that.

0 Karma

eberg1
Engager

Hey! Sorry for the late reply.

Compliance wants a list of users who are/have printed from home.

When I say "Remote Location" I mean users who are accessing our Citrix environment away from our corporate network.

As stated above, we use Citrix for our virtual desktops.

I have tried searching logs by 192 IP Addresses and filtering by common printer ports, but I get nothing returned.
src="192.168.." dest_port=9100 action=allowed | stats count by host, src, dest_ip

I am also wondering if it would be possible to figure out which of our Domain Laptop users are printing from home. Assuming they are connected to the internet at the time.

0 Karma

diogofgm
SplunkTrust

Are the remote locations/home machines owned by your company or personal computers?
If it's a personal computer, I believe it's not something you can probably avoid since, worst case scenario, they can take screenshots and print those.
On the other hand, if it's a company computer you can implement some restrictions on what can be installed (e.g. home printers) and connected (e.g. USB sticks). Still not foolproof, since you can take a pic of whatever you're seeing.

Regarding Splunk logging, you can check the Windows event log and even make it, using GPO, more verbose to include logs that might give you a hint of what employees are doing (e.g. printing, copying, fs changes, etc.)

------------
Hope I was able to help you. If so, some karma would be appreciated.