Splunk Search

How to index all users' OS search history, web search history, and web browsing history from any browser using a universal forwarder on a given host?

Motivator

I am interested in indexing all user's OS search history, web search history, and web browsing history from any browser using a universal forwarder on a given host. I also want to collect these logs when connected to any internet connection and not just when on the network with the Splunk indexers.

What is the best approach for that? What considerations should be made?

0 Karma
1 Solution

SplunkTrust
SplunkTrust

Create your own spyware I suppose.

Why not use a web proxy, and force the device to connect to your VPN during startup?

Then monitor your web proxy.

Best Practices: SQUID or other Web Proxy
Things to Consider: This is highly illegal in some countries. See EU law, etc. Such data contains PII for sure. I'm seeing usernames and all sorts of PII in proxy logs. So it must be treated with care.

If you're really going down this path and are serious...

You need scripting on the hosts to gather the data into some place where splunk can then read the file. You'll need browser add ons, etc. maybe SCCM and GPO to force the browsers to install the add-ons... you'll need adequate space to store the data on each host... cpu and ram processing power, etc etc. Hire an architect, build an entire team to manage it all. It's not cheap. Now if you narrow it down to something like, the sandbuckets in the registry... this might be easier. It's really just a silly exercise because they'll figure it out and start using their cell phones or other computers, they'll get around the proxy, they'll uninstall your stuff... its just a pointless endeavor IMHO. You'll never have enough money and resources to monitor all of the items you mentioned. If you did have those resources, you wouldn't be asking this question - that's how expensive it gets.

I advise against doing this. Please reconsider why you need such information.

View solution in original post

0 Karma

Motivator

I just want to index what is already logged locally; for chrome: C:UsersuserAppDataLocalGoogleChromeUser DataDefault
The history file there is in sqlite 3 format. I am not sure how to have splunk monitor and index that file.

Related question: https://answers.splunk.com/answers/56804/best-way-to-index-sqlite-db-file.html

0 Karma

SplunkTrust
SplunkTrust

Create your own spyware I suppose.

Why not use a web proxy, and force the device to connect to your VPN during startup?

Then monitor your web proxy.

Best Practices: SQUID or other Web Proxy
Things to Consider: This is highly illegal in some countries. See EU law, etc. Such data contains PII for sure. I'm seeing usernames and all sorts of PII in proxy logs. So it must be treated with care.

If you're really going down this path and are serious...

You need scripting on the hosts to gather the data into some place where splunk can then read the file. You'll need browser add ons, etc. maybe SCCM and GPO to force the browsers to install the add-ons... you'll need adequate space to store the data on each host... cpu and ram processing power, etc etc. Hire an architect, build an entire team to manage it all. It's not cheap. Now if you narrow it down to something like, the sandbuckets in the registry... this might be easier. It's really just a silly exercise because they'll figure it out and start using their cell phones or other computers, they'll get around the proxy, they'll uninstall your stuff... its just a pointless endeavor IMHO. You'll never have enough money and resources to monitor all of the items you mentioned. If you did have those resources, you wouldn't be asking this question - that's how expensive it gets.

I advise against doing this. Please reconsider why you need such information.

View solution in original post

0 Karma

Motivator

Logging is by definition "spyware" but we don't usually call it that because we are collecting data from ourselves for our own purposes with consent. While all logging can be used for malicious and privacy invasion purposes, my goals are simply to put it on boxes where I am admin and own everything. Also, I do not want to go the proxy route. I just want to index what is already logged locally; for chrome: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default
The history file there is in sqlite 3 format. I am not sure how to have splunk monitor and index that file.

0 Karma

SplunkTrust
SplunkTrust

Powershell scripted input

0 Karma