3 Replies Latest reply on Jul 13, 2020 3:53 AM by Dominik Kress

    USB Storage Logging

    Philipp Ernicke
      Share This:

      Hi,

       

      I do not get a few points with the "USB stick monitoring". Maybe someone can help me.
      I have enabled logging for portable devices and USB storage devices. This is where the problems begin.
      The logging works in principle, but once the stick has been detected, it will not appear in the log a second time. I can pull it off and plug it in as often as I want, and nothing happens in the events.

      Between 15:25h and 17:19h both the Kingston and the SanDisk USB stick were pulled out several times and plugged in again. Data has been copied and deleted. After nothing happened in the log, I plugged in a third USB stick, which was then recognized immediately. Then I plugged in the Kingston Stick again, which was no longer drive E: \, yet it was not recognized.

       

      In addition, I thought that the events should also be seen under "Alerts and Events", but in the drop-down menu "Model Name" the option "Device Management"is missing. The other options also do not show the events. That's why I have to go constantly in the module configuration to look at the events, which are incomplete.

       

      Monitoring local events - Documentation for BMC Client Management 12.8 - BMC Documentation

      As we have activated event logging, every time a USB storage is connected to the device an event is logged in this table.

      Monitoring the results on the master - Documentation for BMC Client Management 12.8 - BMC Documentation

      To display the device management events instead of the default software distribution events select Windows Devices from the Model Name drop-down list.

       


      Can someone explain what I'm doing wrong?

       

      Thanks,

       

      Phil

        • 1. Re: USB Storage Logging
          Dominik Kress

          Hi,

           

          The agent has to upload those events. There is an OR component available to force the upload. Once the events are uploaded they will be removed from the local agent module.

           

          As far as I know the BCM agent will only "discover" the usb device (if authorized) once until the agent / device is restarted.

          • 2. Re: USB Storage Logging
            Henrry Vargas

            Hi Philip.

             

            Could you solve this requirement?

            According to Dominik's comment, would you have to have a rule to authorize any usb storage device for the agent to "discover" it every time?

             

            Best regards.

            • 3. Re: USB Storage Logging
              Dominik Kress

              Hi Henrry Vargas,

               

              According to Dominik's comment, would you have to have a rule to authorize any usb storage device for the agent to "discover" it every time?

               

              Correct. Only USB devices which are hit by a device management rule are documented. Per default no rule is active. So you need to create a rule which allows all USB storage devices. After that is assigned and executed by a device the agent will add any USB storage device to its local sqlite file (Agent Configuration - Module Configuration - Windows Device Management). On the 3rd register you'll find the discovered events. As soon as the agent did upload the events they'll get removed from the local sqlite file. By this they will also be removed from the register events.

               

              2020-07-13_10-52-51.png