Sometimes, especially for security reasons, it is important to know whether the USB ports of a server have been used and what kind of operation was carried out. With the new version 1.7.0 of the Safed agent it is possible to monitor the USB ports on Windows Vista/2008 and later versions. The agent is now able to receive WMI event notifications for the target instance “Win32_PnPEntity”. All events of the classes “__InstanceCreationEvent”, “__InstanceDeletionEvent” and “__InstanceModificationEvent” are intercepted, filtered (using the usual Safed objective filters) and sent to the syslog collector for further analysis, correlation with other events and storage.
Configuring Safed in order to track USB port usage is simple:
Step 1 – Enable USB monitoring: From the left side menu select “Network Configuration”, then check the “Enable active USB auditing” box. (Img. 1).
Step 2 – Add a new “EventLog Objective Configuration”: Select “USB Event” from the “Identify the high level event” list (Img. 2) and, if desired, insert a regular-expression-based filter in the “General Search Term” field. A simple example is to filter only “USB Mass Storage Device” for insert, removal or modification.
Once the configuration has been applied, Safed will intercept and filter USB events, identifying each with an event ID (18 for USB inserted, 19 for USB removed, and 20 for USB modified), and will send them to the syslog collector (Img. 3).
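To see what these notifications look like on a monitored host, the following added example (not Safed's own code, and not taken from the Safed project) subscribes to the same WMI event classes with the standard CimCmdlets and labels each event with the IDs listed above. The polling interval, the subscription name and the choice to match the regular expression against the device name and description are assumptions.

```powershell
# Added example, not Safed code. Event IDs are the ones the article lists.
$EventIds = @{
    '__InstanceCreationEvent'     = 18   # USB inserted
    '__InstanceDeletionEvent'     = 19   # USB removed
    '__InstanceModificationEvent' = 20   # USB modified
}

# Assumption: same regex as the article's "General Search Term" example.
$SearchTerm = 'USB Mass Storage Device'

# __InstanceOperationEvent is the parent class of the three classes above.
# WITHIN 2 (polling interval in seconds) is an assumed value.
$Query = "SELECT * FROM __InstanceOperationEvent WITHIN 2 " +
         "WHERE TargetInstance ISA 'Win32_PnPEntity'"
$SourceId = 'UsbAuditDemo'   # hypothetical subscription name

Register-CimIndicationEvent -Query $Query -SourceIdentifier $SourceId
try {
    while ($true) {
        # Block until a notification is queued, then take it off the queue.
        $queued = Wait-Event -SourceIdentifier $SourceId
        Remove-Event -EventIdentifier $queued.EventIdentifier

        $wmiEvent  = $queued.SourceEventArgs.NewEvent
        $className = $wmiEvent.CimSystemProperties.ClassName
        $device    = $wmiEvent.TargetInstance   # the Win32_PnPEntity instance

        if (-not $EventIds.ContainsKey($className)) { continue }

        # Apply the regex filter to the device name and description.
        $text = "$($device.Name) $($device.Description)"
        if ($text -notmatch $SearchTerm) { continue }

        # Emit one record per matching event.
        [pscustomobject]@{
            Time     = $queued.TimeGenerated
            EventId  = $EventIds[$className]
            Class    = $className
            Name     = $device.Name
            DeviceId = $device.PNPDeviceID
        }
    }
}
finally {
    # Always remove the subscription, including when stopped with Ctrl+C.
    Unregister-Event -SourceIdentifier $SourceId
}
```

Setting `$SearchTerm` to `'.'` shows every Plug and Play change, which helps when choosing a filter expression before applying it in the agent.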
“Hi guys! I’m Mihail and since the university years I have been fascinated by distributed systems and measurements on them. Now that I have joined the Neteye project I get the possibility to continue with this passion and this is great. My free time is completely dedicated to my wife and my daughters, I simply love them.”
Author
MarinovMihail