![]() ![]() WinEventLog://Microsoft-Windows-DriverFrameworks-UserMode/Operational] Located on the Windows endpoint (Usually found here: C:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\local\nf) If this index does not already exist, you will first need to create it. Note: we will be placing the events into an index called wineventlog. We provide a sample Splunk Universal Forwarder configuration file below to help those using the Splunk Universal Forwarder. While we are assuming a functional Splunk Enterprise installation exists, we still need to collect the logs. For this demo, we will use a Splunk Universal Forwarder shown in next section. This task could be accomplished using a number of methods such as Windows Event Collector (WEC), a Splunk Universal Forwarder agent, or some other forwarding method. Now that the logs are being generated, they need to be forwarded from the endpoints to a central location-in this case Splunk. 2102 – This is a unique event created upon disconnecting a USB device which contains helpful dataįeel free to explore the data within each event but note that we have called out two Event IDs that contain the most amount of data pertaining to connection (2003) and disconnection (2102).2003 – This is a unique event created upon connecting a USB device which contains helpful dataįortunately, there are far fewer event IDs associated with disconnecting a USB device.For the sake of completeness, the event IDs associated with connecting a device are the following: For example, some of the event IDs pertain to USB functions needed to ready the device. You will notice that there are quite a few event IDs associated with connecting a USB device, but fortunately for our situation, not all of them are important. Now that USB connectivity logging is enabled, insert a USB drive and click the refresh button to see some events. After checking the box, we rebooted for good measure, because hey, this is Windows.įigure 2: DriverFrameworks-UserMode enablement and log path For this article, we will enable the logs manually by right clicking on “Operational” and selecting “Properties” to show that it is disabled. Administrators can manually enable it per machine or take action on a larger scale using a login script or other mechanism outlined in the References section below. ![]() Unfortunately, this log is disabled by default. Microsoft logs USB connect and disconnect actions in the following Windows Event Viewer location: Application and Services Logs > Microsoft > Windows > DriverFrameworks-UserMode > Operational We need to generate and collect the Windows event logs and then we need to process and display the logs within Splunk. There are two main steps needed to accomplish this task. As a bonus, we will not only outline the steps to accomplish this task, but we will also provide working dashboard code at the end of the article.įigure 1: Dashboard provided at the end of the article In this article we will provide a few ways to collect the logs, but we will ultimately use Splunk to aggregate, process, and display the information. Have you ever wanted to monitor what goes on with removable media in your environment, but maybe lack the money or man power to run a Data Loss Prevention (DLP) tool to monitor the USB devices? The good news is that you can do this on the cheap using Microsoft Windows Event logs and a bit of data crunching effort. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |