Splunk Search

How to index all users' OS search history, web search history, and web browsing history from any browser using a universal forwarder on a given host?

landen99
Motivator

I am interested in indexing all users' OS search history, web search history, and web browsing history from any browser using a universal forwarder on a given host. I also want to collect these logs when connected to any internet connection and not just when on the network with the Splunk indexers.

What is the best approach for that? What considerations should be made?

0 Karma
1 Solution

jkat54
SplunkTrust

Create your own spyware I suppose.

Why not use a web proxy, and force the device to connect to your VPN during startup?

Then monitor your web proxy.

Best Practices: SQUID or other Web Proxy
Things to Consider: This is highly illegal in some countries. See EU law, etc. Such data contains PII for sure. I'm seeing usernames and all sorts of PII in proxy logs. So it must be treated with care.

If you're really going down this path and are serious...

You need scripting on the hosts to gather the data into some place where Splunk can then read the file. You'll need browser add-ons, etc., maybe SCCM and GPO to force the browsers to install the add-ons... you'll need adequate space to store the data on each host... CPU and RAM processing power, etc. Hire an architect, build an entire team to manage it all. It's not cheap. Now if you narrow it down to something like the sandbuckets in the registry... this might be easier.

It's really just a silly exercise because they'll figure it out and start using their cell phones or other computers, they'll get around the proxy, they'll uninstall your stuff... it's just a pointless endeavor IMHO. You'll never have enough money and resources to monitor all of the items you mentioned. If you did have those resources, you wouldn't be asking this question - that's how expensive it gets.

I advise against doing this. Please reconsider why you need such information.


0 Karma

landen99
Motivator

I just want to index what is already logged locally; for Chrome: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default
The history file there is in sqlite 3 format. I am not sure how to have splunk monitor and index that file.

Related question: https://answers.splunk.com/answers/56804/best-way-to-index-sqlite-db-file.html

0 Karma

landen99
Motivator

Logging is by definition "spyware" but we don't usually call it that because we are collecting data from ourselves for our own purposes with consent. While all logging can be used for malicious and privacy invasion purposes, my goals are simply to put it on boxes where I am admin and own everything. Also, I do not want to go the proxy route. I just want to index what is already logged locally; for chrome: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default
The history file there is in sqlite 3 format. I am not sure how to have splunk monitor and index that file.

0 Karma

jkat54
SplunkTrust

PowerShell scripted input

0 Karma
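Worked example of what the thread lands on, added here and not code from the thread or from Splunk: a scripted input that reads Chrome's per-profile History SQLite file (the one landen99 points at), emits one JSON event per page visit, and includes the omnibox search term when Chrome recorded one in its keyword_search_terms table. It is written in Python rather than the PowerShell the last reply names, so the SQLite parsing is stdlib-only; that means it assumes a Python interpreter on the host, since the universal forwarder does not bundle one. The profile glob, the checkpoint file, the sourcetype name and the sample rows built in demo() are assumptions for illustration. Chrome keeps the History file locked while it runs, so the input copies the file before opening it; the checkpoint records the last visit id per profile so each run only emits new visits.

```python
"""Splunk scripted input (added example): Chrome History -> JSON events."""
import glob
import json
import os
import shutil
import sqlite3
import sys
import tempfile

# Chrome stores times as microseconds since 1601-01-01 UTC (the WebKit epoch);
# this many seconds separate that epoch from the Unix epoch.
WEBKIT_EPOCH_OFFSET = 11644473600

# Assumed Windows profile layout: "Default", "Profile 1", ... under each user.
HISTORY_GLOB = r"C:\Users\*\AppData\Local\Google\Chrome\User Data\*\History"

# Subset of Chrome's History schema, used only for the constructed demo DB.
SAMPLE_SCHEMA = """
CREATE TABLE urls (id INTEGER PRIMARY KEY, url LONGVARCHAR, title LONGVARCHAR,
  visit_count INTEGER, typed_count INTEGER, last_visit_time INTEGER, hidden INTEGER);
CREATE TABLE visits (id INTEGER PRIMARY KEY, url INTEGER, visit_time INTEGER,
  from_visit INTEGER, transition INTEGER, segment_id INTEGER, visit_duration INTEGER);
CREATE TABLE keyword_search_terms (keyword_id INTEGER, url_id INTEGER,
  term LONGVARCHAR, normalized_term LONGVARCHAR);
"""

QUERY = """
SELECT v.id, v.visit_time, v.transition, u.url, u.title, k.term
FROM visits v JOIN urls u ON u.id = v.url
LEFT JOIN keyword_search_terms k ON k.url_id = u.id
WHERE v.id > ? ORDER BY v.id
"""


def webkit_to_unix(webkit_us):
    """Convert a WebKit timestamp to Unix seconds; Chrome uses 0 for 'unknown'."""
    if not webkit_us:
        return None
    return webkit_us / 1_000_000 - WEBKIT_EPOCH_OFFSET


def collect(history_path, last_visit_id=0):
    """Return (events, new_checkpoint) for visits with id > last_visit_id.

    The running browser holds the file open, so read a private copy instead.
    """
    with tempfile.TemporaryDirectory() as tmp:
        copy = os.path.join(tmp, "History")
        shutil.copy2(history_path, copy)
        conn = sqlite3.connect(copy)
        try:
            rows = conn.execute(QUERY, (last_visit_id,)).fetchall()
        finally:
            conn.close()
    events = []
    for visit_id, visit_time, transition, url, title, term in rows:
        event = {
            "visit_id": visit_id,
            "time": webkit_to_unix(visit_time),
            "url": url,
            "title": title,
            # low byte is the core transition type (0 link, 1 typed, 5 generated...)
            "transition": transition & 0xFF,
            "history_file": history_path,
        }
        if term:  # only present for URLs Chrome recognised as a search
            event["search_term"] = term
        events.append(event)
        last_visit_id = visit_id
    return events, last_visit_id


def run(checkpoint_file, pattern=HISTORY_GLOB, out=sys.stdout):
    """Entry point for the scripted input: one JSON line per new visit."""
    try:
        with open(checkpoint_file) as fh:
            checkpoints = json.load(fh)
    except (OSError, ValueError):
        checkpoints = {}
    for path in glob.glob(pattern):
        events, checkpoints[path] = collect(path, checkpoints.get(path, 0))
        for event in events:
            out.write(json.dumps(event) + "\n")
    with open(checkpoint_file, "w") as fh:
        json.dump(checkpoints, fh)


def demo():
    """Build a constructed sample History DB (not real data); collect it twice."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "History")
        conn = sqlite3.connect(path)
        conn.executescript(SAMPLE_SCHEMA)
        t0 = (1709294400 + WEBKIT_EPOCH_OFFSET) * 1_000_000  # 2024-03-01 12:00 UTC
        conn.executemany("INSERT INTO urls VALUES (?,?,?,?,?,?,?)", [
            (1, "https://www.google.com/search?q=splunk+scripted+input",
             "splunk scripted input - Google Search", 1, 1, t0, 0),
            (2, "https://docs.splunk.com/Documentation", "Splunk Documentation",
             1, 0, t0 + 60_000_000, 0)])
        conn.executemany("INSERT INTO visits VALUES (?,?,?,?,?,?,?)", [
            (1, 1, t0, 0, 0x10000001, 0, 0),               # typed, chain start
            (2, 2, t0 + 60_000_000, 1, 0, 0, 0)])          # link followed from 1
        conn.execute("INSERT INTO keyword_search_terms VALUES (?,?,?,?)",
                     (2, 1, "splunk scripted input", "splunk scripted input"))
        conn.commit()
        conn.close()
        first, checkpoint = collect(path, 0)
        second, _ = collect(path, checkpoint)
    return first, checkpoint, second


if __name__ == "__main__":
    run(sys.argv[1] if len(sys.argv) > 1 else "chrome_history.checkpoint")
```

Wire it up on the forwarder with a `[script://...]` stanza in inputs.conf (for example `interval = 300`, a sourcetype such as `chrome:history`, and `KV_MODE = json` on the search head for that sourcetype), and run the forwarder as an account that can read every user's profile directory (LocalSystem on Windows can). For the off-network requirement in the question, the checkpoint file only advances after a run has written its events, and scripted inputs accept `persistentQueueSize` in inputs.conf so output queued while the indexers are unreachable survives a forwarder restart. The same pattern covers other Chromium-based browsers by changing the glob; Firefox's places.sqlite has a different schema and needs its own query.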