Introduction
This is a project essay about a USB event logger that forwards to a Splunk instance. I was introduced to SIEM recently and am enjoying working on some projects; this is one of them.
To run the solution, unzip both packages1 and packages2 inside LoggerForDirectories\packages.
Background
Use it if you want to monitor the machines in an organisation for USB copy events. It is a Windows service project written in C#, with a setup project, that logs the copied file along with the IP address, session domain, computer name, current CPU usage and available RAM.
Using the Code
This is the listener, built on System.IO.FileSystemWatcher:
    using System;
    using System.Collections.Generic;
    using System.Diagnostics;
    using System.IO;
    using System.Linq;
    using System.Threading;
    using Serilog.Formatting.Display;   // MessageTemplateTextFormatter

    // Fields assumed to exist on the service class (the original listing does not show them):
    // `a` is the list of file names that OnCreate de-duplicates against; its initial
    // capacity gives the (Capacity - 10) guard in OnCreate something to compare against.
    List<string> a = new List<string>(100);
    Dictionary<string, FileSystemWatcher> watchers = new Dictionary<string, FileSystemWatcher>();

    Stopwatch s = new Stopwatch();
    var formatter = new MessageTemplateTextFormatter(
        "{Timestamp:HH:mm} [{Level}] ({ThreadId}) {Message}{NewLine}{Exception}",
        formatProvider: null);
    a.Clear();
    s.Start();
    // Poll for removable drives for 40 seconds. Each drive root gets exactly one
    // watcher; re-creating a watcher on every pass would leak handles and raise
    // every event several times.
    while (s.Elapsed < TimeSpan.FromSeconds(40))
    {
        var drives = DriveInfo.GetDrives()
            .Where(drive => drive.IsReady && drive.DriveType == DriveType.Removable);
        foreach (var item in drives)
        {
            string root = item.RootDirectory.FullName;
            if (watchers.ContainsKey(root))
                continue;
            var watcher = new FileSystemWatcher();
            watcher.Path = root;
            watcher.NotifyFilter = NotifyFilters.LastAccess
                | NotifyFilters.LastWrite
                | NotifyFilters.FileName
                | NotifyFilters.DirectoryName;
            watcher.Filter = "*.*";
            watcher.IncludeSubdirectories = true;
            watcher.Created += new FileSystemEventHandler(OnCreate);
            watcher.EnableRaisingEvents = true;
            watchers[root] = watcher;
        }
        Thread.Sleep(1000);   // one scan per second instead of a busy loop
    }
OnCreate is called every time a copy event is detected.
Because a single copy operation is made up of many file-system events, I filter the events by file name so that each copied file is recorded only once.
    // FileSystemWatcher raises its events on thread-pool threads, so access to the
    // shared list has to be serialised.
    readonly object gate = new object();

    public void OnCreate(object source, FileSystemEventArgs e)
    {
        if (e.Name == null)
            return;
        lock (gate)
        {
            // Stop recording ten entries short of the list's capacity, and record each
            // file name only once, since one copy raises several Created events.
            if ((a.Capacity - 10) != a.Count && !a.Contains(e.Name))
                a.Add(e.Name);
        }
    }
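The listener and OnCreate above share one problem a practitioner would want solved before shipping the service: watchers are created inside a polling loop, and the de-duplication list is a name-only, unbounded-in-time filter touched from several threads. The class below is an added example, not code from the project, that puts both pieces together in a thread-safe way and emits the event as one JSON line per file, which is the shape a Splunk file monitor or HTTP Event Collector input extracts fields from without further configuration. It goes beyond the page's code in two ways: drives that are unplugged have their watcher disposed, and de-duplication is by full path within a time window rather than by name forever. The class name `UsbCopyAuditor`, the `sink` delegate, the five-second window and the field names in the JSON are all my choices; System.Text.Json is assumed to be available (built into .NET Core 3.0 and later, a NuGet package on .NET Framework).

```csharp
using System;
using System.Collections.Concurrent;
using System.IO;
using System.Linq;
using System.Net;
using System.Net.Sockets;
using System.Text.Json;

// Added example (not the project's code): watches every ready removable drive,
// collapses the burst of duplicate Created events that one copy produces, and
// emits one JSON line per file in a shape a Splunk file or HEC input can parse.
public sealed class UsbCopyAuditor : IDisposable
{
    // Drive root -> watcher, so a drive that stays plugged in is not watched twice.
    private readonly ConcurrentDictionary<string, FileSystemWatcher> _watchers =
        new ConcurrentDictionary<string, FileSystemWatcher>(StringComparer.OrdinalIgnoreCase);
    // Full path -> time it was last reported; de-duplicates across watcher threads.
    private readonly ConcurrentDictionary<string, DateTime> _recent =
        new ConcurrentDictionary<string, DateTime>(StringComparer.OrdinalIgnoreCase);
    private readonly TimeSpan _window;
    private readonly Action<string> _sink;   // receives each JSON line (file, UDP, HEC ...)

    public UsbCopyAuditor(Action<string> sink, TimeSpan? dedupWindow = null)
    {
        _sink = sink ?? throw new ArgumentNullException(nameof(sink));
        _window = dedupWindow ?? TimeSpan.FromSeconds(5);   // assumed default
    }

    // Call this from the service's timer: attaches watchers for newly inserted
    // drives and disposes watchers whose drive has been pulled.
    public void RefreshDrives()
    {
        var roots = DriveInfo.GetDrives()
            .Where(d => d.IsReady && d.DriveType == DriveType.Removable)
            .Select(d => d.RootDirectory.FullName)
            .ToList();

        foreach (var root in roots)
            _watchers.GetOrAdd(root, CreateWatcher);

        foreach (var gone in _watchers.Keys.Except(roots, StringComparer.OrdinalIgnoreCase).ToList())
            if (_watchers.TryRemove(gone, out var w)) w.Dispose();
    }

    private FileSystemWatcher CreateWatcher(string root)
    {
        var w = new FileSystemWatcher(root, "*.*")
        {
            NotifyFilter = NotifyFilters.FileName | NotifyFilters.DirectoryName | NotifyFilters.LastWrite,
            IncludeSubdirectories = true,
            InternalBufferSize = 64 * 1024,   // a large copy overflows the default 8 KB buffer
        };
        w.Created += (_, e) => Report(root, e.FullPath);
        // A buffer overflow surfaces here; log it so a gap in coverage is visible in Splunk.
        w.Error += (_, e) => _sink(Line("usb_watcher_error", root, null, e.GetException().Message));
        w.EnableRaisingEvents = true;
        return w;
    }

    // Returns true when the path was reported, false when it was suppressed as a
    // duplicate seen within the de-duplication window.
    public bool Report(string root, string fullPath)
    {
        var now = DateTime.UtcNow;
        if (_recent.TryGetValue(fullPath, out var last) && now - last < _window)
            return false;
        _recent[fullPath] = now;
        foreach (var stale in _recent.Where(kv => now - kv.Value >= _window).ToList())
            _recent.TryRemove(stale.Key, out _);   // keep the cache bounded
        _sink(Line("usb_file_created", root, fullPath, null));
        return true;
    }

    // One JSON object per line; Splunk's _json source type extracts every field.
    private static string Line(string evt, string root, string path, string error)
    {
        long? size = null;
        try { if (path != null && File.Exists(path)) size = new FileInfo(path).Length; }
        catch (IOException) { /* file already gone or still being written */ }
        return JsonSerializer.Serialize(new
        {
            time = DateTime.UtcNow.ToString("o"),
            @event = evt,
            host = Environment.MachineName,
            domain = Environment.UserDomainName,
            user = Environment.UserName,
            ip = LocalIPv4(),
            drive = root,
            path,
            size_bytes = size,
            error,
        });
    }

    private static string LocalIPv4()
    {
        try
        {
            return Dns.GetHostAddresses(Dns.GetHostName())
                .FirstOrDefault(a => a.AddressFamily == AddressFamily.InterNetwork)?.ToString() ?? "none";
        }
        catch (SocketException) { return "unknown"; }
    }

    public void Dispose()
    {
        foreach (var w in _watchers.Values) w.Dispose();
        _watchers.Clear();
    }
}
```

Wire it up by constructing the auditor with a sink that appends to a log file a Splunk universal forwarder monitors (or posts to HEC), and call `RefreshDrives()` from a `System.Threading.Timer` every few seconds for the lifetime of the service rather than for a fixed 40 seconds. Two caveats for a service: it normally runs as LocalSystem, so `Environment.UserName` and `Environment.UserDomainName` describe the service account, not the person who plugged in the drive; the "session domain" the page logs has to come from the interactive session instead. And the CPU and RAM figures the page records are left out here, since the counters that provide them are Windows-only and outside what this example demonstrates.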