Info endpoint print documents


Massimiliano De Falco

Jun 19, 2023, 11:58:58 AM
to Wazuh mailing list
Good morning,
I have the Wazuh server v4.4.3 with Elastic on Ubuntu Linux and v4.3.10/4.4.1 on Win10 endpoints.
I need to know if the endpoint prints any docs. We have the printer in our LAN and it is very useful to know if the user/computer sends documents to the printer.

Is it possible to do this?
Thanks.

Nicolas Zapata

Jun 19, 2023, 2:36:56 PM
to Wazuh mailing list
Hi Massimiliano! Thanks for using Wazuh!

Yes, it is possible to monitor print jobs from endpoints using Wazuh. You can configure the Wazuh agent on the Windows endpoints to monitor the print spooler service and send alerts to the Wazuh manager. Additionally, you can use the Wazuh API to retrieve information about the print jobs and integrate with other tools. 

To monitor print activities on your endpoints using Wazuh, you can follow these steps:

  • Enable print logging on Windows 10 endpoints: By default, Windows logs print events in the "Microsoft-Windows-PrintService/Operational" event log. Ensure that the print logging is enabled on your Windows 10 endpoints by going to "Event Viewer" > "Applications and Services Logs" > "Microsoft" > "Windows" > "PrintService" > "Operational". If logging is not enabled, right-click on "Operational" and select "Enable Log".
  • Configure Wazuh to collect Windows event logs: On your Wazuh server, you need to configure the Windows agent to collect event logs from the Windows 10 endpoints. Locate the agent configuration file (e.g., C:\Program Files (x86)\ossec-agent\ossec.conf) on each Windows endpoint and add the following configuration within the <localfile> section:
  <localfile>
    <location>Microsoft-Windows-PrintService/Operational</location>
    <log_format>eventchannel</log_format>
  </localfile>

https://documentation.wazuh.com/current/user-manual/capabilities/log-data-collection/how-to-collect-wlogs.html?highlight=eventchannel#monitor-the-windows-event-channel-with-wazuh
  • Configure Wazuh rules for print events: On the Wazuh server, you need to configure rules to detect and alert on print events. After configuring the agent you will start to get alerts inside /var/ossec/logs/archive/archive.json, from those alerts you can create custom rules to visualize them in the dashboard. Here you have our documentation for the rules https://documentation.wazuh.com/current/user-manual/ruleset/custom.html.

I hope this helps!
Regards

Massimiliano De Falco

Aug 29, 2023, 8:29:42 AM
to Wazuh | Mailing List
Good morning to all,
Can you help me write a local_rule to log all documents printed? I need to know the document name and the printer name, please.
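The following is an added example, not code from the thread, from the Wazuh documentation, or from the Wazuh ruleset, that completes step 3 of Nicolas's procedure above and answers the request in this last message: a local rule on the manager that turns each PrintService "document printed" event (Windows event ID 307 in Microsoft-Windows-PrintService/Operational) into an alert carrying the document name, the user, the client computer and the printer. It assumes the agent already forwards that channel with the eventchannel <localfile> block shown earlier in the thread, and that the Wazuh eventchannel decoder exposes the event's Param1..Param8 values as win.eventdata.param1..param8; the rule IDs 100100 and 100101 are constructed values inside the custom range (100000-119999).

```xml
<!-- /var/ossec/etc/rules/local_rules.xml on the Wazuh manager (added example, not from the thread).
     Assumption: the agent forwards Microsoft-Windows-PrintService/Operational via an
     eventchannel <localfile>, and Wazuh exposes the event's Param fields as win.eventdata.paramN.
     Rule IDs 100100-100101 are constructed values in the custom range 100000-119999. -->
<group name="windows,printservice,">

  <!-- Windows event 307: "Document N, <name> owned by <user> on <client> was printed on
       <printer> through port <port>. Size in bytes: <n>. Pages printed: <n>."
       Param mapping used below: param1 job id, param2 document name, param3 user,
       param4 client computer, param5 printer, param6 port, param7 bytes, param8 pages. -->
  <rule id="100100" level="3">
    <if_sid>60000</if_sid>
    <field name="win.system.channel">^Microsoft-Windows-PrintService/Operational$</field>
    <field name="win.system.eventID">^307$</field>
    <description>Print job: document "$(win.eventdata.param2)" printed by $(win.eventdata.param3) from $(win.eventdata.param4) on printer "$(win.eventdata.param5)" ($(win.eventdata.param8) pages)</description>
    <options>no_full_log</options>
    <group>print_job,</group>
  </rule>

  <!-- Optional child rule: raise the level when a single job prints 1000+ pages
       (param8 has four or more digits), the kind of outlier worth a second look. -->
  <rule id="100101" level="7">
    <if_sid>100100</if_sid>
    <field name="win.eventdata.param8">^\d\d\d\d</field>
    <description>Large print job: $(win.eventdata.param8) pages of "$(win.eventdata.param2)" sent to "$(win.eventdata.param5)" by $(win.eventdata.param3)</description>
    <group>print_job,</group>
  </rule>

</group>
```

Before committing to the field names, confirm them against a real event: the manager only writes raw events to the archives log when logall_json is enabled in the manager's ossec.conf (it is off by default), so enable it, print a test page, and check that the recorded 307 event has win.eventdata.param2 and param5 populated as expected; then restart the manager (systemctl restart wazuh-manager) so the new rules load, and the alert's description will show the document and printer names directly in the dashboard. If the Operational channel is noisy, the agent-side <localfile> can be narrowed with an XPath filter such as <query>Event/System[EventID=307]</query> so that only the printed-document events leave the endpoint.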
