Alerting

Setting-up an Alert for Computer Booting in Safe Mode

drizzo
Path Finder

The Problem:
I'm attempting to set up an alert for when one of my forwarder machines boots in Safe Mode. The data that's retrieved from Windows Event Viewer and the Splunk Web interface regarding boot-ups is:

EventCode=12
EventType=4
Source: Kernel-General
Message: The operating system started at system time <respective timestamp>

Unfortunately, the above data is the same for both booting normally and booting in Safe Mode. The only way I can tell which is which is from within the Windows Event Viewer: under the log's "Details", the variable BootMode will contain either a value of '0' for a normal boot or a value of '1' for a Safe Mode boot.

[screenshot: Event Viewer "Details" pane showing the BootMode value]

The Question:
Is there a way (in Splunk) that I can search for this particular "BootMode" variable with its respective value? Otherwise, is there perhaps a different way to capture an event for Safe Mode boot-ups?

0 Karma
1 Solution

niketn
Legend

@drizzo, you would need to switch the Event Log data from the user-friendly log format to XML while indexing to achieve this (renderXml = 1).
The following needs to be added to your existing Windows Security Event Log stanza:

[WinEventLog://Security]
renderXml = 1

Since the data is in XML, you will not have search fields extracted by default. (I think it will impact your whitelist and/or blacklist as well, leading to increased disk space utilization because of the XML data and additional events. If required, maybe you can use nullQueues to filter only the required events.)

I have attached a sample query to filter EventID 12 and extract BootMode.
Refer to documentation for details: http://docs.splunk.com/Documentation/Splunk/latest/Data/MonitorWindowseventlogdata#Disable_an_event_...
[screenshot: sample search, not preserved]

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
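An added example, not part of niketn's answer or of Splunk's own code: once the forwarder renders events as XML, the BootMode value sits in an `EventData/Data` element of the Kernel-General EventID 12 record, so the alert condition is a plain field test on that element. The code below builds constructed sample events in that layout (hostnames, timestamps and the exact set of Data names are assumptions), parses them, and returns the hosts whose last boot was not a normal boot. It also shows the same extraction as a regular expression, which is the form a `rex` command in the search would use.

```python
import re
import xml.etree.ElementTree as ET

# Namespace used by Windows XML-rendered events (renderXml = 1).
EVENT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"
NS = {"e": EVENT_NS}


def _kernel_general_event(computer, event_id, boot_mode=None):
    """Build a constructed Microsoft-Windows-Kernel-General record.

    The Data names mirror what the Event Viewer "Details" view shows for
    EventID 12; hostnames and timestamps are made up for this example.
    """
    boot_mode_xml = (
        f"<Data Name='BootMode'>{boot_mode}</Data>" if boot_mode is not None else ""
    )
    return (
        f"<Event xmlns='{EVENT_NS}'>"
        "<System><Provider Name='Microsoft-Windows-Kernel-General'/>"
        f"<EventID>{event_id}</EventID><Level>4</Level>"
        "<TimeCreated SystemTime='2024-01-01T08:00:00.000000000Z'/>"
        f"<Channel>System</Channel><Computer>{computer}</Computer></System>"
        "<EventData><Data Name='MajorVersion'>10</Data>"
        f"{boot_mode_xml}"
        "<Data Name='StartTime'>2024-01-01T08:00:00.000000000Z</Data>"
        "</EventData></Event>"
    )


# Constructed sample input: three boot records and one unrelated Kernel-General
# event ID that carries no BootMode and must be ignored by the alert logic.
SAMPLE_EVENTS = [
    _kernel_general_event("ws01", 12, 0),  # normal boot
    _kernel_general_event("ws02", 12, 1),  # Safe Mode boot
    _kernel_general_event("ws03", 13),     # different event ID, no BootMode
    _kernel_general_event("ws04", 12, 0),  # normal boot
]


def parse_event(xml_text):
    """Return the fields an alert needs from one XML-rendered event."""
    root = ET.fromstring(xml_text)
    provider = root.find("e:System/e:Provider", NS).get("Name")
    event_id = int(root.findtext("e:System/e:EventID", namespaces=NS))
    computer = root.findtext("e:System/e:Computer", namespaces=NS)
    # EventData/Data elements are keyed by their Name attribute.
    data = {d.get("Name"): d.text for d in root.findall("e:EventData/e:Data", NS)}
    return {
        "provider": provider,
        "event_id": event_id,
        "computer": computer,
        "boot_mode": data.get("BootMode"),
    }


def is_safe_mode_boot(event):
    """Alert condition: Kernel-General EventID 12 whose BootMode is not '0'.

    The thread documents '0' = normal boot and '1' = Safe Mode; anything other
    than '0' is treated here as a non-normal boot worth alerting on.
    """
    return (
        event["provider"] == "Microsoft-Windows-Kernel-General"
        and event["event_id"] == 12
        and event["boot_mode"] is not None
        and event["boot_mode"] != "0"
    )


def safe_mode_hosts(xml_events):
    """Hosts whose boot record matches the alert condition, in input order."""
    return [e["computer"] for e in map(parse_event, xml_events) if is_safe_mode_boot(e)]


# The same extraction as a regex; the pattern works unchanged in a Splunk rex
# command applied to _raw, which yields a BootMode field to alert on.
BOOTMODE_RE = re.compile(r"<Data Name='BootMode'>(?P<BootMode>\d+)</Data>")


def boot_mode_by_regex(xml_text):
    """Return the BootMode string from the raw XML, or None if absent."""
    m = BOOTMODE_RE.search(xml_text)
    return m.group("BootMode") if m else None


if __name__ == "__main__":
    print("Safe Mode boots:", safe_mode_hosts(SAMPLE_EVENTS))
```

The XML parse and the regex agree on every sample record; in a Splunk search the regex route is the lighter one (`rex` over `_raw`, then `search BootMode!=0`), while the parse route is what a collector-side script would do if it filtered before forwarding.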


drizzo
Path Finder

Yes, thank you. I had my input file variable renderXml=1, which was under [WinEventLog://Security]. However, with some tweaking, we figured out that I had to change my search type to XmlWinEventLog:System. Thanks again!

0 Karma

niketn
Legend

Yay!!! Glad it worked. Hope your sourcetype is being passed through a macro or eventtype so that the change is made in a single place.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

niketn
Legend

@drizzo, please try out the answer and accept it if it works as you expected.
Unfortunately the image did not get uploaded the first time. I have uploaded it again!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

drizzo
Path Finder

Yes, just needed time to test things out.

0 Karma

maciep
Champion

Do you know how you are collecting event log data? I don't have Windows data in front of me at the moment, but if the forwarder is configured to ingest event log data, you should have more in the event than your top screenshot. Not sure if you are actually searching the logs in Splunk or maybe just using a dashboard that was made available to you?

0 Karma

drizzo
Path Finder

I have it configured to take pretty much every type of Event Log, whether it is Security, System, Application, or general performance. The picture above is just a screenshot of me narrowing it down for my post.

0 Karma

maciep
Champion

Ah, ok. I have a Windows machine in front of me now and see it's not there. I'd say give niketnilay's answer a shot.

0 Karma