
Splunk USB Control

mesutu
Explorer

Hi,

We use Splunk to manage USB devices. We wrote a script which finds the USB's serial number and checks in our database whether it is registered; Splunk then runs a command which is devcon.exe update "c:\Windows\inf\disk.inf" "USBSTOR\GenDisk". Our script works properly in Windows 7 and 8.1 but does not work in Windows 10. When I run the bat file manually it works. When I check the logs everything looks right.

I don't understand where the problem is. The script is right because when I run it manually, the USB devices are plugged.

Can you help me?

Thank you

0 Karma

woodcock
Esteemed Legend

This is a Windows problem, not a Splunk problem. You are asking in the wrong forum.

0 Karma

mesutu
Explorer

Hi, @gcusello

Thank you for the information. Inputs.conf is:

[script://.\bin\checkUSB.bat"]
disabled = 0
interval = 3
sourcetype = EndPoint:USB

Thank you

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @mesutu,
as @woodcock said, it's a Windows problem; debug the problem by executing the script!
Anyway, why is there a quote in the script?

Bye.
Giuseppe

0 Karma

mesutu
Explorer

Hi
When I check the logs of the script, it says the USB has been plugged but actually it is not. Why is it not working in Windows 10?

Our script log is:

[ 27/11/2019 17:15:13 ] Info: Working Directory: C:\Windows\system32
[ 27/11/2019 17:15:13 ] Info: Script Name: checkUSB.vbs
[ 27/11/2019 17:15:13 ] Debug: C:\Windows\System32\cscript.exe "C:\Program Files\SplunkUniversalForwarder\etc\apps\windows\bin\checkUSB.vbs"
[ 27/11/2019 17:15:13 ] Info: 10.22.11.10
[ 27/11/2019 17:15:13 ] Info: http://10.22.5.11/ossec-wui/site/usbcheck.php?serialNumbers=
[ 27/11/2019 17:15:13 ] Debug: Functions are defining
[ 27/11/2019 17:15:13 ] Debug: Operating System: AMD64
[ 27/11/2019 17:15:13 ] Debug: PNPDevice: @USBSTOR\DISK&VEN_KINGSTON&PROD_DATATRAVELER_2.0&REV_PMAP\1C6F654E59A2EE81C92800DE&0 PNPDeviceId: 1C6F654E59A2EE81C92800DE&0
[ 27/11/2019 17:15:13 ] Debug: uniqueID 1C6F654E59A2EE81C92800DE
[ 27/11/2019 17:15:13 ] Debug: PNPDevice: @USBSTOR\DISK&VEN_SANDISK&PROD_CRUZER_SWITCH&REV_1.27\20044526921DB721B6DD&0 PNPDeviceId: 20044526921DB721B6DD&0
[ 27/11/2019 17:15:13 ] Debug: uniqueID 20044526921DB721B6DD
[ 27/11/2019 17:15:13 ] Debug: Check From: http://10.22.5.11/ossec-wui/site/usbcheck.php?serialNumbers=;1C6F654E59A2EE81C92800DE;20044526921DB7...
[ 27/11/2019 17:15:13 ] Debug: ossecResponse: 1C6F654E59A2EE81C92800DE;20044526921DB721B6DD
[ 27/11/2019 17:15:13 ] Debug: Remove or Plug USB
[ 27/11/2019 17:15:13 ] Debug: 1C6F654E59A2EE81C92800DE&0 --- @USBSTOR\DISK&VEN_KINGSTON&PROD_DATATRAVELER_2.0&REV_PMAP\1C6F654E59A2EE81C92800DE&0
[ 27/11/2019 17:15:13 ] Debug: Command: "C:\Program Files\SplunkUniversalForwarder\etc\apps\windows\bin\devcon_x64.exe" status "@USBSTOR\DISK&VEN_KINGSTON&PROD_DATATRAVELER_2.0&REV_PMAP\1C6F654E59A2EE81C92800DE&0"
[ 27/11/2019 17:15:13 ] Debug: Command Response: USBSTOR\DISK&VEN_KINGSTON&PROD_DATATRAVELER_2.0&REV_PMAP\1C6F654E59A2EE81C92800DE&0 Name: Kingston DataTraveler 2.0 USB Device The device has the following problem: 011 matching device(s) found.
[ 27/11/2019 17:15:13 ] Debug: Driver is prevented by Policy
[ 27/11/2019 17:15:13 ] Debug: USB is pluging @USBSTOR\DISK&VEN_KINGSTON&PROD_DATATRAVELER_2.0&REV_PMAP\1C6F654E59A2EE81C92800DE&0
[ 27/11/2019 17:15:13 ] Debug: Command: "C:\Program Files\SplunkUniversalForwarder\etc\apps\windows\bin\devcon_x64.exe" update "c:\Windows\inf\disk.inf" "USBSTOR\GenDisk"
[ 27/11/2019 17:15:13 ] Debug: Command Response: Updating drivers for USBSTOR\GenDisk from c:\Windows\inf\disk.inf.Drivers installed successfully.
[ 27/11/2019 17:15:13 ] Debug: USB has been plugged @USBSTOR\DISK&VEN_KINGSTON&PROD_DATATRAVELER_2.0&REV_PMAP\1C6F654E59A2EE81C92800DE&0

[ 27/11/2019 17:15:13 ] Debug: Script Will Sleep 10 seconds

Thank you

Best Regards

Mesut

0 Karma
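The log above shows why the script's "USB has been plugged" conclusion is not trustworthy: the devcon status line reports "The device has the following problem: 01" (the logger joined it with "1 matching device(s) found."), and the script then treats the "Drivers installed successfully" message from devcon update as proof that the device is usable. The following added example (not the poster's script, and not part of the thread) parses devcon status output, tolerating the collapsed-newline form seen in the log, and decides whether the device is actually running so that a control script can re-check the device after the update instead of trusting the update message; the sample outputs are constructed from the log's own device entry, and the meaning of problem code 01 (CM_PROB_NOT_CONFIGURED, i.e. no driver configured) is from the Windows device manager problem-code list.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed samples modelled on the 'devcon status' line in the log above.
# devcon prints each field on its own line; the script's logger collapsed them.
SAMPLE_BLOCKED = """USBSTOR\\DISK&VEN_KINGSTON&PROD_DATATRAVELER_2.0&REV_PMAP\\1C6F654E59A2EE81C92800DE&0
    Name: Kingston DataTraveler 2.0 USB Device
    The device has the following problem: 01
1 matching device(s) found."""

SAMPLE_RUNNING = """USBSTOR\\DISK&VEN_KINGSTON&PROD_DATATRAVELER_2.0&REV_PMAP\\1C6F654E59A2EE81C92800DE&0
    Name: Kingston DataTraveler 2.0 USB Device
    Driver is running.
1 matching device(s) found."""

@dataclass
class DevconStatus:
    instance_id: str
    name: Optional[str]
    state: str                    # "running", "disabled", "problem" or "not_found"
    problem_code: Optional[int]   # e.g. 1 == CM_PROB_NOT_CONFIGURED

# Matches one device block whether fields are newline- or space-separated.
STATUS_RE = re.compile(
    r"(?P<id>[A-Z]+\\[^\s]+)\s+Name:\s*(?P<name>.*?)\s+"
    r"(?P<state>Driver is running\.|Device is disabled\.|"
    r"The device has the following problem:\s*(?P<code>\d{2}))",
    re.S)

def parse_devcon_status(output: str) -> DevconStatus:
    """Parse the first device block from devcon status output."""
    m = STATUS_RE.search(output)
    if not m:
        return DevconStatus("", None, "not_found", None)
    state_text = m.group("state")
    if state_text.startswith("Driver is running"):
        state, code = "running", None
    elif state_text.startswith("Device is disabled"):
        state, code = "disabled", None
    else:
        state, code = "problem", int(m.group("code"))
    return DevconStatus(m.group("id"), m.group("name").strip(), state, code)

def device_is_usable(status: DevconStatus) -> bool:
    """Only a running driver means the enable took effect; a problem code means
    it did not, regardless of what 'devcon update' printed."""
    return status.state == "running"
```

A script that enables a whitelisted device should call devcon status again after the update and log the parsed state, rather than logging "plugged" on the update's success message alone.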

gcusello
SplunkTrust
SplunkTrust

Hi @mesutu,
reading what you say, it seems to me that the problem is in the script and that on Windows 10 it has a different behavior than on Windows 7.
In any case, if you could share your inputs.conf, I could help you by checking the configuration: in a previous comment there is only "[".
To share code use the "Code Sample" button, the one with 101010.

Ciao.
Giuseppe

0 Karma

mesutu
Explorer

Hi @gcusello,

Our Splunk version is 7.2.1 and it is installed on CentOS 7 64 bit.

Our inputs.conf is:

[script://.\bin\checkUSB.bat"]
disabled = 0
interval = 3
sourcetype = EndPoint:USB

0 Karma

mesutu
Explorer

Hi woodcock,

[scr.pt://.\bin\checkUSB.bat"]
disabled = 0
interval = 3
sourcetype = EndPoint:USB

0 Karma

woodcock
Esteemed Legend

This got clipped; come back and re-edit it.

0 Karma

woodcock
Esteemed Legend

Show us your configuration files.

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @mesutu,
could you share your inputs.conf file where you launch your script?
What Splunk version are you using and on what OS?

Ciao.
Giuseppe

0 Karma