Splunk Search

How to index all users' OS search history, web search history, and web browsing history from any browser using a universal forwarder on a given host?

landen99
Motivator

I am interested in indexing all user's OS search history, web search history, and web browsing history from any browser using a universal forwarder on a given host. I also want to collect these logs when connected to any internet connection and not just when on the network with the Splunk indexers.

What is the best approach for that? What considerations should be made?

0 Karma
1 Solution

jkat54
SplunkTrust
SplunkTrust

Create your own spyware I suppose.

Why not use a web proxy, and force the device to connect to your VPN during startup?

Then monitor your web proxy.

Best Practices: SQUID or other Web Proxy
Things to Consider: This is highly illegal in some countries. See EU law, etc. Such data contains PII for sure. I'm seeing usernames and all sorts of PII in proxy logs. So it must be treated with care.

If you're really going down this path and are serious...

You need scripting on the hosts to gather the data into some place where splunk can then read the file. You'll need browser add ons, etc. maybe SCCM and GPO to force the browsers to install the add-ons... you'll need adequate space to store the data on each host... cpu and ram processing power, etc etc. Hire an architect, build an entire team to manage it all. It's not cheap. Now if you narrow it down to something like, the sandbuckets in the registry... this might be easier. It's really just a silly exercise because they'll figure it out and start using their cell phones or other computers, they'll get around the proxy, they'll uninstall your stuff... its just a pointless endeavor IMHO. You'll never have enough money and resources to monitor all of the items you mentioned. If you did have those resources, you wouldn't be asking this question - that's how expensive it gets.

I advise against doing this. Please reconsider why you need such information.

View solution in original post

0 Karma

landen99
Motivator

I just want to index what is already logged locally; for chrome: C:UsersuserAppDataLocalGoogleChromeUser DataDefault
The history file there is in sqlite 3 format. I am not sure how to have splunk monitor and index that file.

Related question: https://answers.splunk.com/answers/56804/best-way-to-index-sqlite-db-file.html

0 Karma

jkat54
SplunkTrust
SplunkTrust

Create your own spyware I suppose.

Why not use a web proxy, and force the device to connect to your VPN during startup?

Then monitor your web proxy.

Best Practices: SQUID or other Web Proxy
Things to Consider: This is highly illegal in some countries. See EU law, etc. Such data contains PII for sure. I'm seeing usernames and all sorts of PII in proxy logs. So it must be treated with care.

If you're really going down this path and are serious...

You need scripting on the hosts to gather the data into some place where splunk can then read the file. You'll need browser add ons, etc. maybe SCCM and GPO to force the browsers to install the add-ons... you'll need adequate space to store the data on each host... cpu and ram processing power, etc etc. Hire an architect, build an entire team to manage it all. It's not cheap. Now if you narrow it down to something like, the sandbuckets in the registry... this might be easier. It's really just a silly exercise because they'll figure it out and start using their cell phones or other computers, they'll get around the proxy, they'll uninstall your stuff... its just a pointless endeavor IMHO. You'll never have enough money and resources to monitor all of the items you mentioned. If you did have those resources, you wouldn't be asking this question - that's how expensive it gets.

I advise against doing this. Please reconsider why you need such information.

0 Karma

landen99
Motivator

Logging is by definition "spyware" but we don't usually call it that because we are collecting data from ourselves for our own purposes with consent. While all logging can be used for malicious and privacy invasion purposes, my goals are simply to put it on boxes where I am admin and own everything. Also, I do not want to go the proxy route. I just want to index what is already logged locally; for chrome: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default
The history file there is in sqlite 3 format. I am not sure how to have splunk monitor and index that file.

0 Karma

jkat54
SplunkTrust
SplunkTrust

Powershell scripted input

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...