Splunk Search

How to monitor USB plug and remove on server 2008 R2?

aojie654
Path Finder
OS:  CentOS 7
Component: Search Head, Indexer
Product:     Splunk Enterprise
Version:    7.2.1

OS: Windows server2003, 2008 R2, 2012 R2
Component: Forwarder
Product:     Splunk Universal Forwarder
Version:    6.3.13, 7.2.0

My customer has asked me to monitoring USB Storage changes on windows server 2003, 2008 R2 and 2012 R2, so I referenced the doc of wmi.conf in Admin Manual just like follow:

[WMI:USBChanges]
interval = 1
wql = select * from __InstanceOperationEvent within 1 where TargetInstance ISA 'Win32_PnPEntity' and TargetInstance.Description='USB Mass Storage Device'
disabled = 0
current_only = 1

I used the same wmi.conf and that went well on server 2003 and 2012 R2, BUT THAT'S NO USE ON 2008 R2 even I had add line use_old_eventlog_api = true in the [WMI:USBChanges] stanza. So I tried to get info from registry and failed too. Is that no an efficacious way on that OS?

0 Karma
1 Solution

aojie654
Path Finder

Hi, guys:
the issues has been solved, I think the reason is the data on 2008 R2 are slower than other platform, so it misleading me that I can't receive the data of 2008 R2.
I use the same wmi.conf on deployment server, and all work well.

At last, I referred the following link:
https://answers.splunk.com/answers/46178/deploying-wmi-conf-for-windows-universal-forwarders-with-de...

Thanks to @iunderwood !

View solution in original post

0 Karma

jkat54
SplunkTrust
SplunkTrust

In my experience the best place to monitor for devices being connected/disconnected is the windows registry. There’s more details there than the WMI can provide.

https://docs.microsoft.com/en-us/windows-hardware/drivers/usbcon/usb-device-specific-registry-settin...

I would caution against WMI. Running this query every second is a terrible practice.

0 Karma

aojie654
Path Finder

I will seriously consider this good suggestion, thanks for your reply 😜

aojie654
Path Finder

Hi, guys:
the issues has been solved, I think the reason is the data on 2008 R2 are slower than other platform, so it misleading me that I can't receive the data of 2008 R2.
I use the same wmi.conf on deployment server, and all work well.

At last, I referred the following link:
https://answers.splunk.com/answers/46178/deploying-wmi-conf-for-windows-universal-forwarders-with-de...

Thanks to @iunderwood !

0 Karma

aojie654
Path Finder

Hi, thanks a lot for ur reply!

I had checked the following link and I found that the 1st and the 3rd links are using for 2012 and later, and the 2nd link is returns me the error 404.

But I want to say thanks to u for ur help.

0 Karma
Get Updates on the Splunk Community!

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Splunk Education believes in the value of training and certification in today’s rapidly-changing data-driven ...

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...

Observability Highlights | January 2023 Newsletter

 January 2023New Product Releases Splunk Network Explorer for Infrastructure MonitoringSplunk unveils Network ...