Alert when a Windows Service stops

Razzi

I am fairly new to the Splunk platform/ community; I am in learning mode 😞 and I hope to get some help here. How do I set up/configure an alert on a set of Windows Servers to notify me when a particular set of services stops? For example, I have three services that start with the naming of TDB, how can I configure Splunk to alert if any of those services stop on a particular server name. Thanks much.

gcusello

Hi @Razzi,

you should define the fields that you can use to identify the fields to use:

host (it's the host present in each log),
process.

Then you should create a lookup (called e.g. perimeter.csv) containing the hosts to monitor (supponing that the three services to monitor must be active in all the servers).

Then you should run a search like the following:

index=<your_index> process IN (TBD1, TBD2, TBD3)
| stats 
    dc(process) AS process_count 
    values(process) AS process 
    count 
    BY host
| append [ 
    | inputlookup perimeter.csv 
    | eval count=0
    | fields host count
    ]
| stats 
    dc(process) AS process_count 
    values(process) AS process 
    sum(count) AS total
    BY host
| where total=0 OR process_count<3
| eval status=if(total=0, "missed host", "missed process")
| table host status process
| rename process AS "present processes"

Ciao.

Giuseppe

Alert when a Windows Service stops

alert action

alert condition

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Combine Multiline Logs into a Single Event with SOCK: a Step-by-Step Guide for ...