I'm attempting to setup an alert for if one of my forwarder machines boots in Safe Mode. The data that's retrieved from Windows Event Viewer and Splunk Web Interface regarding booting-ups is:
EventCode=12 EventType=4 Source: Kernal-General Message: The operating system started at system time <respected time stamp>
Unfortunately, the above data is the same for both booting normally and booting in Safe Mode. The only way I can tell which is which, is from within the Windows Event Viewer, under the log's "Details", the variable BootMode will contain either a value of '0' for normal boot, or a value of '1' for Safe Mode boot.
Is there a way (in Splunk) that I can search for this particular "BootMode" variable with its respected value? Otherwise, perhaps a different way to capture an event for Safe Mode Boot-ups?
do you know how you are collecting event log data? I don't have windows data in front of me at the moment, but if the forwarder is configured to ingest event log data, you should have more in the event than your top screenshot. Not sure if you are actually searching the logs in Splunk or maybe just using a dashboard that was made available to you?
I have it configured to take pretty much every type of Event Log whether if it is Security, System, Application, or general performance. The picture above is just a screenshot of me narrowing it down for my post.
ah ok. I have a windows machine in front of me now and see it's not there. I'd say give niketnilay's answer a shot.
@drizzo, you would need to switch Event Log data from User Friendly log to XML while indexing for achieving this.
renderXML = 1
Following needs to be added to your existing Windows Security Event Log:
[WinEventLog://Security] renderXml = 1
Since data is in XML you will not have search fields extracted by default. (I think it will impact your whitelist and/or blacklist as well leading to increased disc space utilization because of XML Data and additional events. If it is required, maybe you can use nullQueues to filter only required events)
I have attached a sample query to Filter EventID 12 and extract BootMode.
Refer to documentation for details: http://docs.splunk.com/Documentation/Splunk/latest/Data/MonitorWindowseventlogdata#Disable_an_event_...
@drizzo, Please try out the answer and accept if this works as you expected.
Unfortunately the image did not get uploaded first time. I have uploaded the same again!
Yes, thank you. I had my input file variable renderXml=1 which was under [WinEventLog://Security]. However with some tweaking we figured out that I had to change my search type to XmlWinEventLog:System . Thanks again!
Yay!!! Glad it worked. Hope your sourcetype is being passed through macro or eventtype so that the change the same at a single place.