Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Splunk USB Control

mesutu
Explorer
‎11-27-2019 05:16 AM

Hi,

We use Splunk to manage usb devices. We write script which find usb's serial number and check in our database if it is registered splunk run a command which is devcon.exe update "c:\Windows\inf\disk.inf" "USBSTOR\GenDisk" Our script work properly in windows 7 and 8.1 but not work in windows10. When I run bat file manually its work. When I check the logs everything is seen right.

I dont understand where the problem is. Script is right because when i run manually , usb devices is plugged.

Can you help me ?

Thank you

Tags (1)
0 Karma
Reply

woodcock
Esteemed Legend
‎11-29-2019 11:44 AM

This is a Windows problem, not a Splunk problem. You are asking in the wrong forum.

0 Karma
Reply

mesutu
Explorer
‎11-29-2019 12:28 AM

Hi, @gcusello

Thank you for information. Inputs.conf is ;

[script://.\bin\checkUSB.bat"]
disabled = 0
interval = 3
sourcetype = EndPoint:USB

Thank you

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎11-30-2019 07:51 AM

Hi @mesutu,
as @woodcook said, it's a windows problem, debug the problem executing the script!
Anyway, why there a quote in the script?

Bye.
Giuseppe

0 Karma
Reply

mesutu
Explorer
‎11-27-2019 11:36 PM

Hi
when I check the logs of script, it says usb has been plugged but actually it is not. Why it is not working in windows 10.

Our script log is ;

[ 27/11/2019 17:15:13 ] Info: Working Directory: C:\Windows\system32
[ 27/11/2019 17:15:13 ] Info: Script Name: checkUSB.vbs
[ 27/11/2019 17:15:13 ] Debug: C:\Windows\System32\cscript.exe "C:\Program Files\SplunkUniversalForwarder\etc\apps\windows\bin\checkUSB.vbs"
[ 27/11/2019 17:15:13 ] Info: 10.22.11.10
[ 27/11/2019 17:15:13 ] Info: http://10.22.5.11/ossec-wui/site/usbcheck.php?serialNumbers=
[ 27/11/2019 17:15:13 ] Debug: Functions are defining
[ 27/11/2019 17:15:13 ] Debug: Operating System: AMD64
[ 27/11/2019 17:15:13 ] Debug: PNPDevice: @USBSTOR\DISK&VEN_KINGSTON&PROD_DATATRAVELER_2.0&REV_PMAP\1C6F654E59A2EE81C92800DE&0 PNPDeviceId: 1C6F654E59A2EE81C92800DE&0
[ 27/11/2019 17:15:13 ] Debug: uniqueID 1C6F654E59A2EE81C92800DE
[ 27/11/2019 17:15:13 ] Debug: PNPDevice: @USBSTOR\DISK&VEN_SANDISK&PROD_CRUZER_SWITCH&REV_1.27\20044526921DB721B6DD&0 PNPDeviceId: 20044526921DB721B6DD&0
[ 27/11/2019 17:15:13 ] Debug: uniqueID 20044526921DB721B6DD
[ 27/11/2019 17:15:13 ] Debug: Check From: http://10.22.5.11/ossec-wui/site/usbcheck.php?serialNumbers=;1C6F654E59A2EE81C92800DE;20044526921DB7...
[ 27/11/2019 17:15:13 ] Debug: ossecResponse: 1C6F654E59A2EE81C92800DE;20044526921DB721B6DD
[ 27/11/2019 17:15:13 ] Debug: Remove or Plug USB
[ 27/11/2019 17:15:13 ] Debug: 1C6F654E59A2EE81C92800DE&0 --- @USBSTOR\DISK&VEN_KINGSTON&PROD_DATATRAVELER_2.0&REV_PMAP\1C6F654E59A2EE81C92800DE&0
[ 27/11/2019 17:15:13 ] Debug: Command: "C:\Program Files\SplunkUniversalForwarder\etc\apps\windows\bin\devcon_x64.exe" status "@USBSTOR\DISK&VEN_KINGSTON&PROD_DATATRAVELER_2.0&REV_PMAP\1C6F654E59A2EE81C92800DE&0"
[ 27/11/2019 17:15:13 ] Debug: Command Response: USBSTOR\DISK&VEN_KINGSTON&PROD_DATATRAVELER_2.0&REV_PMAP\1C6F654E59A2EE81C92800DE&0 Name: Kingston DataTraveler 2.0 USB Device The device has the following problem: 011 matching device(s) found.
[ 27/11/2019 17:15:13 ] Debug: Driver is prevented by Policy
[ 27/11/2019 17:15:13 ] Debug: USB is pluging @USBSTOR\DISK&VEN_KINGSTON&PROD_DATATRAVELER_2.0&REV_PMAP\1C6F654E59A2EE81C92800DE&0
[ 27/11/2019 17:15:13 ] Debug: Command: "C:\Program Files\SplunkUniversalForwarder\etc\apps\windows\bin\devcon_x64.exe" update "c:\Windows\inf\disk.inf" "USBSTOR\GenDisk"
[ 27/11/2019 17:15:13 ] Debug: Command Response: Updating drivers for USBSTOR\GenDisk from c:\Windows\inf\disk.inf.Drivers installed successfully.
[ 27/11/2019 17:15:13 ] Debug: USB has been plugged @USBSTOR\DISK&VEN_KINGSTON&PROD_DATATRAVELER_2.0&REV_PMAP\1C6F654E59A2EE81C92800DE&0

[ 27/11/2019 17:15:13 ] Debug: Script Will Sleep 10 seconds

Thank you

Best Regards

Mesut,

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎11-29-2019 12:25 AM

Hi @mesutu,
reading what you say it seems to me that the problem is in the script and on Windows 10 has a different behavior than on Windows 7.
In any case, if you could share your inputs.conf, I could help you by checking the configuration: in a previous comment there is only "[".
To share code use the "Code Sample" button, the one with 101010.

Ciao.
Giuseppe

0 Karma
Reply

mesutu
Explorer
‎11-27-2019 11:28 PM

hi @gcusello,

Our splunk version is 7.2.1 and install in CentOS 7 64 bit.

Our inputs.conf is ;

[script://.\bin\checkUSB.bat"]
disabled = 0
interval = 3
sourcetype = EndPoint:USB

0 Karma
Reply

mesutu
Explorer
‎11-28-2019 10:27 PM

Hi woodcock,

[scr.pt://.\bin\checkUSB.bat"]
disabled = 0
interval = 3
sourcetype = EndPoint:USB

0 Karma
Reply

woodcock
Esteemed Legend
‎11-28-2019 08:15 PM

This got clipped; come back and re-edit it.

0 Karma
Reply

woodcock
Esteemed Legend
‎11-27-2019 09:57 AM

Show us your configuration files.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎11-27-2019 08:29 AM

Hi @mesutu,
could you share your inputs.conf file where you launch your script?
What Splunk version are you using and on what OS?

Ciao.
Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...