In order to identify the cause of a BSOD, the computer must be configured to write a memory dump file to disk. This dump file can subsequently be analyzed in WinDbg. In some cases, WinDbg is able to point to a driver as the likely root cause of the blue screen. In other cases, kernel memory may be too corrupted for that to be possible. Analyzing dumps of the second type requires expert-level know-how.
uberAgent does not analyze memory dumps, therefore it cannot suggest which driver might have caused a blue screen. Instead, uberAgent helps identify common issues that warrant further troubleshooting.
To analyze blue screens with uberAgent:
The minidump event should be in the System event log.
Splunk should not be used to read the minidump, though. Instead you need a process that's enforced by Active Directory or other policies. The process should detect that the BSOD occurred using the WinEventLog and then upload the minidump to a server that can debug the dump and post those results into a file that Splunk would then ingest.
You need an entire architecture around this process, but using Helge's answer + learning WinDbg or kd + building something custom for yourself.
Thanks Helge. I am aware of the other details of troubleshooting. I just wanted to check whether, via Splunk, we can enable the C:\Windows\minidump file to be monitored, so we can then use the Windows tool to debug further.
Currently I don't see this configured, so I wanted to check whether there is a way to configure this like an on-demand metric, as BSODs do not occur all the time. Whenever one occurs, Splunk should be able to capture the relevant date/time of the event along with the minidump file.
Small memory dumps, typically placed in the C:\Windows\Minidump directory, are written if the system is configured to do so in the "Startup and Recovery" dialog. They provide an alternative to kernel or complete memory dumps, which are typically stored in
There are some tools available to analyze small memory dumps: NirSoft BlueScreenView (http://www.nirsoft.net/utils/blue_screen_view.html) and Microsoft's DumpChk (https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/dumpchk). You might be able to automate the analysis of small memory dumps with the help of these tools and a script executed through Universal Forwarder or uberAgent.
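As an added example of the automation suggested above (a script run from a scheduled task, a Universal Forwarder scripted input, or uberAgent; this is not uberAgent's or Splunk's own code), the PowerShell below finds recent BugCheck events in the System log, pairs each with the newest minidump written before that reboot, runs DumpChk on it, and writes one JSON line per crash to a folder the forwarder can monitor. It also counts nearby Kernel-Power Event ID 41 records, since 41 alone means only that the last shutdown was not clean. The DumpChk install path, the output directory, the symbol path and the provider-name check are assumptions you will need to adjust for your environment.

```powershell
<#
  Added example, not part of uberAgent or Splunk. Assumptions:
  - DumpChk lives at the Windows 10 SDK debugger path below (adjust for your kit).
  - $OutDir is a directory you point a Universal Forwarder [monitor://] stanza at.
  - BugCheck events appear under provider 'Microsoft-Windows-WER-SystemErrorReporting'
    (shown as source "BugCheck" in Event Viewer); the check also accepts the display name.
#>
param(
    [string]$MinidumpDir = 'C:\Windows\Minidump',   # default Small memory dump location
    [string]$DumpChk     = 'C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\dumpchk.exe',
    [string]$OutDir      = 'C:\ProgramData\BsodTriage',
    [string]$SymbolPath  = 'srv*C:\Symbols*https://msdl.microsoft.com/download/symbols',
    [int]   $SinceHours  = 24
)

$since   = (Get-Date).AddHours(-$SinceHours)
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$summary = Join-Path $OutDir 'bsod_events.jsonl'

# Event ID 1001 from the BugCheck source is logged on the first boot after a crash dump
# was saved; its message carries the bug check code and the path of the dump.
$bugchecks = @(Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 1001; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.ProviderName -in @('Microsoft-Windows-WER-SystemErrorReporting', 'BugCheck') })

# Event ID 41 (Kernel-Power) only says the machine did not shut down cleanly. Power loss
# and hard resets produce it too, so it is corroborating evidence, not proof of a BSOD.
$unclean = @(Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 41; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.ProviderName -eq 'Microsoft-Windows-Kernel-Power' })

# Minidumps written in the window of interest; the file's LastWriteTime is the crash time.
$dumps = @(Get-ChildItem -Path $MinidumpDir -Filter '*.dmp' -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -ge $since })

foreach ($ev in $bugchecks) {
    # First 0x........ token in the message is the bug check code (e.g. 0x000000d1).
    $code = [regex]::Match($ev.Message, '0x[0-9A-Fa-f]{8}').Value

    # The dump belonging to this event is the newest one written before the post-crash boot.
    $dump = $dumps | Where-Object { $_.LastWriteTime -le $ev.TimeCreated } |
        Sort-Object LastWriteTime -Descending | Select-Object -First 1

    $analysis = $null
    if ($dump -and (Test-Path $DumpChk)) {
        $analysis = Join-Path $OutDir ($dump.BaseName + '.dumpchk.txt')
        # DumpChk syntax: DumpChk [-y SymbolPath] DumpFile. Output is plain text that
        # Splunk can index directly; the binary .dmp itself should not be monitored.
        & $DumpChk -y $SymbolPath $dump.FullName 2>&1 | Out-File -FilePath $analysis -Encoding utf8
    }

    # Kernel-Power 41 records within ten minutes of the BugCheck event (assumed window).
    $nearby41 = @($unclean | Where-Object {
        [math]::Abs(($_.TimeCreated - $ev.TimeCreated).TotalMinutes) -lt 10 }).Count

    $record = [ordered]@{
        time_created          = $ev.TimeCreated.ToString('o')
        computer              = $ev.MachineName
        bugcheck_code         = $code
        event_message         = $ev.Message
        minidump              = if ($dump) { $dump.FullName } else { $null }
        dumpchk_output        = $analysis
        kernel_power_41_count = $nearby41
    }
    # One compact JSON object per line keeps the file friendly to a monitor input.
    $record | ConvertTo-Json -Compress | Add-Content -Path $summary -Encoding utf8
}
```

Because the script only records 1001 events and then looks for a matching minidump, a machine that reboots after power loss produces a Kernel-Power 41 record but no line in `bsod_events.jsonl`, which is the distinction the thread is asking about. Rather than polling on a schedule, the same script can be attached to a Task Scheduler event trigger on System/1001 so it runs once per crash, which is the "on-demand" behaviour asked for above.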
How does uberAgent report on BSODs from a PC? Is it from Event Viewer, and if so, which path within Event Viewer?
If not Event Viewer, how does uberAgent record BSOD occurrences on any PC?
I am interested to know the path on the PC it picks the data from.
Which means every time Event Code 41 occurs, it is considered a BSOD occurrence?
There is another Source by the name BugCheck. Is this info not taken up by uberAgent?
We need some discussion on this topic, if you can help me arrange a call, as we are seeing the data generated, for example, for the months of Aug, Sep and Oct on Nov 7th, and for the same months (Aug, Sep and Oct) on Dec 19th, and the numbers are varying. Ideally they should be the same. So we need guidance on how to troubleshoot this further.
I am from PwC Account.
It would be great if you or someone from your team could have a call with us; please send the invite to firstname.lastname@example.org to discuss this.