Alerting

Setting-up an Alert for Computer Booting in Safe Mode

Path Finder

The Problem:
I'm attempting to set up an alert for if one of my forwarder machines boots in Safe Mode. The data that's retrieved from Windows Event Viewer and the Splunk Web Interface regarding boot-ups is:

EventCode=12
EventType=4
Source: Kernel-General
Message: The operating system started at system time <respective time stamp>

Unfortunately, the above data is the same for both booting normally and booting in Safe Mode. The only way I can tell which is which, is from within the Windows Event Viewer, under the log's "Details", the variable BootMode will contain either a value of '0' for normal boot, or a value of '1' for Safe Mode boot.

[screenshot: Event Viewer "Details" pane showing the BootMode value]

The Question:
Is there a way (in Splunk) that I can search for this particular "BootMode" variable with its respective value? Otherwise, perhaps a different way to capture an event for Safe Mode boot-ups?


Re: Setting-up an Alert for Computer Booting in Safe Mode

Champion

Do you know how you are collecting event log data? I don't have Windows data in front of me at the moment, but if the forwarder is configured to ingest event log data, you should have more in the event than your top screenshot. Not sure if you are actually searching the logs in Splunk or maybe just using a dashboard that was made available to you?


Re: Setting-up an Alert for Computer Booting in Safe Mode

Path Finder

I have it configured to take pretty much every type of Event Log, whether it is Security, System, Application, or general performance. The picture above is just a screenshot of me narrowing it down for my post.


Re: Setting-up an Alert for Computer Booting in Safe Mode

Champion

Ah, ok. I have a Windows machine in front of me now and see it's not there. I'd say give niketnilay's answer a shot.


Re: Setting-up an Alert for Computer Booting in Safe Mode

Legend

@drizzo, you would need to switch the Event Log data from the user-friendly rendering to XML while indexing to achieve this (renderXml = 1).
The following needs to be added to your existing Windows Security Event Log stanza:

[WinEventLog://Security]
renderXml = 1

Since the data is in XML you will not have search fields extracted by default. (I think it will impact your whitelist and/or blacklist as well, leading to increased disk space utilization because of the XML data and additional events. If required, maybe you can use nullQueue to filter to only the required events.)

I have attached a sample query to Filter EventID 12 and extract BootMode.
Refer to documentation for details: http://docs.splunk.com/Documentation/Splunk/latest/Data/MonitorWindowseventlogdata#Disable_an_event_...
[screenshot: sample search that filters EventID 12 and extracts BootMode]

| eval message="Happy Splunking!!!"



Re: Setting-up an Alert for Computer Booting in Safe Mode

Legend

@drizzo, Please try out the answer and accept if this works as you expected.
Unfortunately the image did not get uploaded the first time. I have uploaded it again!


Re: Setting-up an Alert for Computer Booting in Safe Mode

Path Finder

Yes, just needed time to test things out.


Re: Setting-up an Alert for Computer Booting in Safe Mode

Path Finder

Yes, thank you. I had my input file variable renderXml=1 which was under [WinEventLog://Security]. However with some tweaking we figured out that I had to change my search type to XmlWinEventLog:System . Thanks again!

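To make the resolution above concrete, here is an added example (not code from the thread, from Splunk, or from either poster) that shows what the XML-rendered Event ID 12 record looks like once the forwarder has renderXml = 1 on a [WinEventLog://System] stanza, and how the BootMode value that the friendly-text rendering drops can be pulled out by name and turned into an alert condition. The three sample records are constructed by hand; the EventData field names other than BootMode (and the host names) are assumed for illustration, and the BootMode meanings follow the thread (0 = normal, 1 = Safe Mode), with any other value reported as unknown rather than ignored.

```python
"""Flag Safe Mode boots in XML-rendered Windows System events.

Added example, not code from the original thread or from Splunk. The
records below are constructed; field names other than BootMode are
assumed for illustration.
"""
import xml.etree.ElementTree as ET

# Namespace used by Windows event XML records.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed samples: a normal boot, a Safe Mode boot, and an
# unrelated Kernel-General event that carries no BootMode field.
SAMPLE_RECORDS = [
    """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Kernel-General"/>
    <EventID>12</EventID>
    <TimeCreated SystemTime="2018-03-01T08:00:00.000000000Z"/>
    <Channel>System</Channel>
    <Computer>host01.example.local</Computer>
  </System>
  <EventData>
    <Data Name="BootMode">0</Data>
    <Data Name="StartTime">2018-03-01T08:00:00.000000000Z</Data>
  </EventData>
</Event>""",
    """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Kernel-General"/>
    <EventID>12</EventID>
    <TimeCreated SystemTime="2018-03-01T09:15:00.000000000Z"/>
    <Channel>System</Channel>
    <Computer>host02.example.local</Computer>
  </System>
  <EventData>
    <Data Name="BootMode">1</Data>
    <Data Name="StartTime">2018-03-01T09:15:00.000000000Z</Data>
  </EventData>
</Event>""",
    """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Kernel-General"/>
    <EventID>13</EventID>
    <TimeCreated SystemTime="2018-03-01T09:10:00.000000000Z"/>
    <Channel>System</Channel>
    <Computer>host02.example.local</Computer>
  </System>
  <EventData/>
</Event>""",
]

BOOT_MODE_LABELS = {"0": "normal", "1": "safe mode"}  # values as given in the thread


def parse_event(xml_text):
    """Flatten one event record; EventData becomes {Name: value} so BootMode is readable by name."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    if system is None:
        raise ValueError("not a Windows event XML record")
    provider = system.find("e:Provider", NS)
    time_created = system.find("e:TimeCreated", NS)
    event_data = {}
    for item in root.iterfind("e:EventData/e:Data", NS):
        name = item.get("Name")
        if name:
            event_data[name] = (item.text or "").strip()
    return {
        "EventID": system.findtext("e:EventID", default="", namespaces=NS).strip(),
        "Provider": provider.get("Name", "") if provider is not None else "",
        "Computer": system.findtext("e:Computer", default="", namespaces=NS).strip(),
        "TimeCreated": time_created.get("SystemTime", "") if time_created is not None else "",
        "EventData": event_data,
    }


def classify_boot(event):
    """Label a Kernel-General Event ID 12; None for any other event.

    A missing BootMode on an Event 12 usually means the record was not
    indexed as XML, so it is reported instead of being treated as normal.
    """
    if event["EventID"] != "12" or not event["Provider"].endswith("Kernel-General"):
        return None
    mode = event["EventData"].get("BootMode")
    if mode is None:
        return "unknown (no BootMode field; check renderXml on the input stanza)"
    return BOOT_MODE_LABELS.get(mode, "unknown (BootMode=%s)" % mode)


def find_abnormal_boots(xml_records):
    """Return (Computer, TimeCreated, label) for every boot that is not a normal boot."""
    hits = []
    for record in xml_records:
        event = parse_event(record)
        label = classify_boot(event)
        if label is None or label == "normal":
            continue
        hits.append((event["Computer"], event["TimeCreated"], label))
    return hits


if __name__ == "__main__":
    for computer, when, label in find_abnormal_boots(SAMPLE_RECORDS):
        print("ALERT %s booted at %s: %s" % (computer, when, label))
```

Inside Splunk the same extraction is a regex over the raw XML, since the thread notes that fields are not extracted by default for the XML sourcetype; a search of the form `sourcetype=XmlWinEventLog:System EventCode=12 | rex "BootMode\">(?<BootMode>\d+)<" | where BootMode!="0"` is the shape to schedule as the alert, with the event filtering done in the input whitelist or a nullQueue so that only the boot events pay the XML storage cost.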

Re: Setting-up an Alert for Computer Booting in Safe Mode

Legend

Yay!!! Glad it worked. Hope your sourcetype is being passed through a macro or eventtype so that you can change it in a single place.
