Activity Feed
- Got Karma for How Splunk run a script as an administrator?. 06-05-2020 12:50 AM
- Posted Splunk Stream is not capture interfaces on All Apps and Add-ons. 01-07-2020 02:03 AM
- Tagged Splunk Stream is not capture interfaces on All Apps and Add-ons. 01-07-2020 02:03 AM
- Posted How Splunk run a script as an administrator? on Security. 12-02-2019 04:50 AM
- Tagged How Splunk run a script as an administrator? on Security. 12-02-2019 04:50 AM
- Posted Re: Splunk USB Control on Getting Data In. 11-29-2019 12:28 AM
- Posted Re: Splunk USB Control on Getting Data In. 11-28-2019 10:27 PM
- Posted Re: Splunk USB Control on Getting Data In. 11-27-2019 11:36 PM
- Posted Re: Splunk USB Control on Getting Data In. 11-27-2019 11:28 PM
- Posted Splunk USB Control on Getting Data In. 11-27-2019 05:16 AM
- Tagged Splunk USB Control on Getting Data In. 11-27-2019 05:16 AM
Topics I've Started
01-07-2020
02:03 AM
Hi,
I installed the stream-app on the Splunk Search Head and deployed an independent Stream forwarder via the "curl -sSL http://stream-cont-func02:8000/en-us/custom/splunk_app_stream/install_streamfwd | sudo bash" command. I enabled HEC. I checked the stream-app GUI; the server status is active and it sends metadata.
I mirror the traffic from the switch to the server interface and checked the interface via the tcpdump command. I see that the traffic is mirrored, but I cannot see the traffic in the Splunk Stream app. Splunk says that normally splunk streamfwd captures all network interfaces.
What can I do?
Best Regards
Thank you
12-02-2019
04:50 AM
1 Karma
Hi,
How can Splunk run a script as an administrator? In our script we use the devcon.exe update command, so it needs to run as admin.
Can you help us?
Best Regards,
Thank you
11-29-2019
12:28 AM
Hi @gcusello,
Thank you for the information. inputs.conf is:
[script://.\bin\checkUSB.bat]
disabled = 0
interval = 3
sourcetype = EndPoint:USB
Thank you
11-28-2019
10:27 PM
Hi woodcock,
[script://.\bin\checkUSB.bat]
disabled = 0
interval = 3
sourcetype = EndPoint:USB
11-27-2019
11:36 PM
Hi,
When I check the logs of the script, it says the USB has been plugged in, but actually it is not. Why is it not working in Windows 10?
Our script log is:
[ 27/11/2019 17:15:13 ] Info: Working Directory: C:\Windows\system32
[ 27/11/2019 17:15:13 ] Info: Script Name: checkUSB.vbs
[ 27/11/2019 17:15:13 ] Debug: C:\Windows\System32\cscript.exe "C:\Program Files\SplunkUniversalForwarder\etc\apps\windows\bin\checkUSB.vbs"
[ 27/11/2019 17:15:13 ] Info: 10.22.11.10
[ 27/11/2019 17:15:13 ] Info: http://10.22.5.11/ossec-wui/site/usbcheck.php?serialNumbers=
[ 27/11/2019 17:15:13 ] Debug: Functions are defining
[ 27/11/2019 17:15:13 ] Debug: Operating System: AMD64
[ 27/11/2019 17:15:13 ] Debug: PNPDevice: @USBSTOR\DISK&VEN_KINGSTON&PROD_DATATRAVELER_2.0&REV_PMAP\1C6F654E59A2EE81C92800DE&0 PNPDeviceId: 1C6F654E59A2EE81C92800DE&0
[ 27/11/2019 17:15:13 ] Debug: uniqueID 1C6F654E59A2EE81C92800DE
[ 27/11/2019 17:15:13 ] Debug: PNPDevice: @USBSTOR\DISK&VEN_SANDISK&PROD_CRUZER_SWITCH&REV_1.27\20044526921DB721B6DD&0 PNPDeviceId: 20044526921DB721B6DD&0
[ 27/11/2019 17:15:13 ] Debug: uniqueID 20044526921DB721B6DD
[ 27/11/2019 17:15:13 ] Debug: Check From: http://10.22.5.11/ossec-wui/site/usbcheck.php?serialNumbers=;1C6F654E59A2EE81C92800DE;20044526921DB721B6DD
[ 27/11/2019 17:15:13 ] Debug: ossecResponse: 1C6F654E59A2EE81C92800DE;20044526921DB721B6DD
[ 27/11/2019 17:15:13 ] Debug: Remove or Plug USB
[ 27/11/2019 17:15:13 ] Debug: 1C6F654E59A2EE81C92800DE&0 --- @USBSTOR\DISK&VEN_KINGSTON&PROD_DATATRAVELER_2.0&REV_PMAP\1C6F654E59A2EE81C92800DE&0
[ 27/11/2019 17:15:13 ] Debug: Command: "C:\Program Files\SplunkUniversalForwarder\etc\apps\windows\bin\devcon_x64.exe" status "@USBSTOR\DISK&VEN_KINGSTON&PROD_DATATRAVELER_2.0&REV_PMAP\1C6F654E59A2EE81C92800DE&0"
[ 27/11/2019 17:15:13 ] Debug: Command Response: USBSTOR\DISK&VEN_KINGSTON&PROD_DATATRAVELER_2.0&REV_PMAP\1C6F654E59A2EE81C92800DE&0 Name: Kingston DataTraveler 2.0 USB Device The device has the following problem: 011 matching device(s) found.
[ 27/11/2019 17:15:13 ] Debug: Driver is prevented by Policy
[ 27/11/2019 17:15:13 ] Debug: USB is pluging @USBSTOR\DISK&VEN_KINGSTON&PROD_DATATRAVELER_2.0&REV_PMAP\1C6F654E59A2EE81C92800DE&0
[ 27/11/2019 17:15:13 ] Debug: Command: "C:\Program Files\SplunkUniversalForwarder\etc\apps\windows\bin\devcon_x64.exe" update "c:\Windows\inf\disk.inf" "USBSTOR\GenDisk"
[ 27/11/2019 17:15:13 ] Debug: Command Response: Updating drivers for USBSTOR\GenDisk from c:\Windows\inf\disk.inf.Drivers installed successfully.
[ 27/11/2019 17:15:13 ] Debug: USB has been plugged @USBSTOR\DISK&VEN_KINGSTON&PROD_DATATRAVELER_2.0&REV_PMAP\1C6F654E59A2EE81C92800DE&0
[ 27/11/2019 17:15:13 ] Debug: Script Will Sleep 10 seconds
Thank you
Best Regards
Mesut,
11-27-2019
11:28 PM
Hi @gcusello,
Our Splunk version is 7.2.1 and it is installed on CentOS 7 64-bit.
Our inputs.conf is:
[script://.\bin\checkUSB.bat]
disabled = 0
interval = 3
sourcetype = EndPoint:USB
11-27-2019
05:16 AM
Hi,
We use Splunk to manage USB devices. We wrote a script which finds the USB's serial number and checks in our database whether it is registered; if it is registered, Splunk runs a command, which is devcon.exe update "c:\Windows\inf\disk.inf" "USBSTOR\GenDisk". Our script works properly in Windows 7 and 8.1 but does not work in Windows 10. When I run the bat file manually, it works. When I check the logs, everything looks right.
I don't understand where the problem is. The script is right, because when I run it manually the USB devices are plugged in.
Can you help me?
Thank you
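The flow described in the post above (read the USB serial, look it up, then run devcon) and the earlier question about running the script as an administrator, as one added PowerShell example. This is editor-added code, not the original poster's VBScript/.bat pair and not Splunk's own code. It assumes a constructed inline allowlist in place of the OSSEC web lookup, a devcon_x64.exe next to the script, and a key=value event format; the parameter and function names are illustrative.

```powershell
# Added example: a Splunk Universal Forwarder scripted input in PowerShell.
# It reports the account and elevation splunkd hands to the script, enumerates
# USB mass-storage devices, extracts the serial from each PNPDeviceID, checks it
# against an allowlist and prints one key=value event per device for indexing.
param(
    # Constructed allowlist (assumption); the page's script queries an OSSEC page instead.
    [string[]]$AllowedSerials = @('1C6F654E59A2EE81C92800DE'),
    # Assumed location of devcon; only used with -EnableDevices.
    [string]$DevconPath = "$PSScriptRoot\devcon_x64.exe",
    [switch]$EnableDevices
)

function Get-RunContext {
    # A scripted input inherits the splunkd service account, and services never get
    # a UAC prompt, so "run as administrator" means running the splunkforwarder
    # service as SYSTEM or as an account that holds the Administrators role.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    [pscustomobject]@{
        User       = $id.Name
        IsSystem   = $id.IsSystem
        IsElevated = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    }
}

function Get-UsbSerial {
    # PNPDeviceID example from the page's log:
    #   USBSTOR\DISK&VEN_KINGSTON&PROD_DATATRAVELER_2.0&REV_PMAP\1C6F654E59A2EE81C92800DE&0
    # The instance id after the last backslash is "<serial>&<interface>".
    param([string]$PnpDeviceId)
    $instance = $PnpDeviceId.Split('\')[-1]
    return ($instance -split '&')[0]
}

function Get-UsbStorageDevices {
    # ConfigManagerErrorCode 0 = working, 22 = disabled; 1 (CM_PROB_NOT_CONFIGURED)
    # is the "problem: 01" that devcon status reports in the log on this page.
    Get-CimInstance -ClassName Win32_PnPEntity -Filter "PNPDeviceID LIKE 'USBSTOR%'" |
        ForEach-Object {
            [pscustomobject]@{
                PnpDeviceId = $_.PNPDeviceID
                Name        = $_.Name
                Serial      = Get-UsbSerial -PnpDeviceId $_.PNPDeviceID
                Status      = $_.Status
                ProblemCode = $_.ConfigManagerErrorCode
            }
        }
}

$ctx = Get-RunContext
Write-Output ("usb_check context user=""{0}"" is_system={1} is_elevated={2}" -f `
    $ctx.User, $ctx.IsSystem, $ctx.IsElevated)

foreach ($dev in Get-UsbStorageDevices) {
    $allowed = $AllowedSerials -contains $dev.Serial
    $action = if ($allowed) { 'allow' } else { 'block' }
    Write-Output ("usb_check serial={0} name=""{1}"" status={2} problem_code={3} action={4}" -f `
        $dev.Serial, $dev.Name, $dev.Status, $dev.ProblemCode, $action)

    if ($allowed -and $EnableDevices -and $ctx.IsElevated) {
        # Same devcon call as the page's script. Record the exit code and re-read the
        # problem code afterwards: the log on this page shows devcon printing
        # "Drivers installed successfully" while the device still did not come up.
        & $DevconPath update "$env:SystemRoot\inf\disk.inf" 'USBSTOR\GenDisk' | Out-Null
        $after = (Get-CimInstance -ClassName Win32_PnPEntity -Filter "PNPDeviceID LIKE 'USBSTOR%'" |
            Where-Object { $_.PNPDeviceID -eq $dev.PnpDeviceId }).ConfigManagerErrorCode
        Write-Output ("usb_check serial={0} devcon_exit={1} problem_code_after={2}" -f `
            $dev.Serial, $LASTEXITCODE, $after)
    }
}
```

To wire it in with the inputs.conf stanza shown in the thread, keep `[script://.\bin\checkUSB.bat]` and have checkUSB.bat call `powershell.exe -NoProfile -ExecutionPolicy Bypass -File "%~dp0checkUSB.ps1" -EnableDevices`. The first `usb_check context` event then shows in Splunk which account and elevation the forwarder service actually gave the script, which is the thing to compare when a devcon command works from an interactive (elevated) prompt but not from the scheduled input; `problem_code_after` separates "devcon returned success" from "the device really started".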
- Tags:
- splunk-enterprise