topic Setting-up an Alert for Computer Booting in Safe Mode in Alerting

Setting-up an Alert for Computer Booting in Safe Mode

drizzo — Tue, 27 Jun 2017 17:17:06 GMT

The Problem:
I'm attempting to setup an alert for if one of my forwarder machines boots in Safe Mode. The data that's retrieved from Windows Event Viewer and Splunk Web Interface regarding booting-ups is:

EventCode=12
EventType=4
Source: Kernal-General
Message: The operating system started at system time <respected time stamp>

Unfortunately, the above data is the same for both booting normally and booting in Safe Mode. The only way I can tell which is which, is from within the Windows Event Viewer, under the log's "Details", the variable BootMode will contain either a value of '0' for normal boot, or a value of '1' for Safe Mode boot.

The Question:
Is there a way (in Splunk) that I can search for this particular "BootMode" variable with its respected value? Otherwise, perhaps a different way to capture an event for Safe Mode Boot-ups?

Re: Setting-up an Alert for Computer Booting in Safe Mode

maciep — Sat, 01 Jul 2017 13:00:59 GMT

do you know how you are collecting event log data? I don't have windows data in front of me at the moment, but if the forwarder is configured to ingest event log data, you should have more in the event than your top screenshot. Not sure if you are actually searching the logs in Splunk or maybe just using a dashboard that was made available to you?

Re: Setting-up an Alert for Computer Booting in Safe Mode

niketn — Sun, 02 Jul 2017 05:01:44 GMT

@drizzo, you would need to switch Event Log data from User Friendly log to XML while indexing for achieving this. renderXML = 1
Following needs to be added to your existing Windows Security Event Log:

[WinEventLog://Security]
renderXml = 1

Since data is in XML you will not have search fields extracted by default. (I think it will impact your whitelist and/or blacklist as well leading to increased disc space utilization because of XML Data and additional events. If it is required, maybe you can use nullQueues to filter only required events)

I have attached a sample query to Filter EventID 12 and extract BootMode.
Refer to documentation for details: http://docs.splunk.com/Documentation/Splunk/latest/Data/MonitorWindowseventlogdata#Disable_an_event_log_stanza

Re: Setting-up an Alert for Computer Booting in Safe Mode

drizzo — Mon, 03 Jul 2017 10:58:44 GMT

I have it configured to take pretty much every type of Event Log whether if it is Security, System, Application, or general performance. The picture above is just a screenshot of me narrowing it down for my post.

Re: Setting-up an Alert for Computer Booting in Safe Mode

maciep — Mon, 03 Jul 2017 11:06:17 GMT

ah ok. I have a windows machine in front of me now and see it's not there. I'd say give niketnilay's answer a shot.

Re: Setting-up an Alert for Computer Booting in Safe Mode

niketn — Mon, 03 Jul 2017 12:11:39 GMT

@drizzo, Please try out the answer and accept if this works as you expected.
Unfortunately the image did not get uploaded first time. I have uploaded the same again!

Re: Setting-up an Alert for Computer Booting in Safe Mode

drizzo — Mon, 03 Jul 2017 12:20:29 GMT

Yes, thank you. I had my input file variable renderXml=1 which was under [WinEventLog://Security]. However with some tweaking we figured out that I had to change my search type to XmlWinEventLog:System . Thanks again!

Re: Setting-up an Alert for Computer Booting in Safe Mode

drizzo — Mon, 03 Jul 2017 14:25:31 GMT

Yes, just needed time to test things out.

Re: Setting-up an Alert for Computer Booting in Safe Mode

niketn — Tue, 04 Jul 2017 01:54:00 GMT

Yay!!! Glad it worked. Hope your sourcetype is being passed through macro or eventtype so that the change the same at a single place.