All Apps and Add-ons

Where can I get SystemUpTime to configure Anomalous System Uptime in the Splunk App for PCI Compliance?

kmedina1
Explorer

Folks,

I am looking to configure the Anomalous System Uptime report within the PCI app. As per the manual: "Relevant data sources for this report include uptime data extracted through scripts from Windows, Unix, or other hosts." Is then the Splunk_TA_windows pre-configured to pull the SystemUpTime? I cannot seem to find anything related to system uptime within the Windows logs; I tried looking at the data by doing sourcetype=Win*.

What does "data extracted through scripts" mean? Is this something that the Splunk Admin has to pull via Scripted Inputs?

Thanks!

http://docs.splunk.com/Documentation/PCI/2.1.1/Install/AnomalousSystemUpdate

0 Karma

Richfez
SplunkTrust

There is a system uptime reported by windows as part of the system events around midnight each night. Some details on the event with the portions I think are pertinent to finding these events in bold:

LogName=System
SourceName=EventLog
EventCode=6013
EventType=4
Type=Information
ComputerName=MyComputerName
TaskCategory=None
OpCode=None
RecordNumber=93763
Keywords=Classic
Message=The system uptime is 7593 seconds

If it isn't extracted, you could of course extract the uptime with a rex, perhaps like

... | rex field=Message "uptime is (?<uptime>\d+) seconds"

So if that's needed, there it is.

For ease of use, if you wanted, here's a few more calculations:

sourcetype="WinEventLog:system" EventCode=6013
| rex field=Message "uptime is (?<uptime>\d+) seconds"
| eval Uptime_Minutes=uptime/60
| eval LastBoot=_time-uptime
| convert ctime(LastBoot)
| table _time, host, Message, uptime, Uptime_Minutes, LastBoot

Have fun!

0 Karma
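To show the same extraction and calculations outside Splunk, here is an added example (not from the original answer or from the PCI app) that parses constructed EventCode 6013 records shaped like the one above, pulls the uptime with the same regex, derives LastBoot, and flags reports whose uptime counter went backwards between two nightly reports or sits below a minimum. The sample events, the host names, the `_time` field and the meaning of "anomalous" used here are all assumptions for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Same pattern as the rex in the answer above.
UPTIME_RE = re.compile(r"uptime is (?P<uptime>\d+) seconds")

# Constructed sample records modelled on the EventCode=6013 event shown in the answer.
# Each block is a key=value event; the _time line is a constructed ingest timestamp
# so that LastBoot can be computed as in the search above.
SAMPLE_EVENTS = """\
_time=2024-03-01T00:00:05Z
LogName=System
SourceName=EventLog
EventCode=6013
ComputerName=web01
Message=The system uptime is 864000 seconds

_time=2024-03-02T00:00:05Z
LogName=System
SourceName=EventLog
EventCode=6013
ComputerName=web01
Message=The system uptime is 950400 seconds

_time=2024-03-03T00:00:05Z
LogName=System
SourceName=EventLog
EventCode=6013
ComputerName=web01
Message=The system uptime is 3600 seconds

_time=2024-03-01T00:00:07Z
LogName=System
SourceName=EventLog
EventCode=6013
ComputerName=db01
Message=The system uptime is 7593 seconds

_time=2024-03-01T00:00:09Z
LogName=System
SourceName=EventLog
EventCode=4624
ComputerName=db01
Message=An account was successfully logged on.
"""


def parse_events(text):
    """Split key=value blocks into dicts, keeping only EventCode 6013 with a parseable uptime."""
    events = []
    for block in text.strip().split("\n\n"):
        fields = dict(line.split("=", 1) for line in block.splitlines() if "=" in line)
        if fields.get("EventCode") != "6013":
            continue
        match = UPTIME_RE.search(fields.get("Message", ""))
        if not match:
            continue
        uptime = int(match.group("uptime"))
        ts = datetime.strptime(fields["_time"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({
            "_time": ts,
            "host": fields["ComputerName"],
            "uptime": uptime,
            "Uptime_Minutes": uptime / 60,          # eval Uptime_Minutes=uptime/60
            "LastBoot": ts - timedelta(seconds=uptime),  # eval LastBoot=_time-uptime
        })
    return events


def find_anomalies(events, min_uptime_seconds=86400):
    """Flag a host's report when its uptime counter is lower than the previous report
    (a reboot happened in between) or below min_uptime_seconds (assumed threshold)."""
    anomalies = []
    last_seen = {}
    for ev in sorted(events, key=lambda e: (e["host"], e["_time"])):
        prev = last_seen.get(ev["host"])
        if prev is not None and ev["uptime"] < prev["uptime"]:
            reason = "uptime counter reset since previous report"
        elif ev["uptime"] < min_uptime_seconds:
            reason = "uptime below minimum"
        else:
            reason = None
        if reason:
            anomalies.append({"host": ev["host"], "_time": ev["_time"],
                              "LastBoot": ev["LastBoot"], "reason": reason})
        last_seen[ev["host"]] = ev
    return anomalies


if __name__ == "__main__":
    for a in find_anomalies(parse_events(SAMPLE_EVENTS)):
        print(a["host"], a["_time"].isoformat(), a["LastBoot"].isoformat(), a["reason"])
```

The counter-reset check is the one worth keeping for the PCI report's purpose: a nightly 6013 event whose uptime is smaller than the previous night's means the host rebooted in between, whether or not anyone planned it.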

prshntgbhat
New Member

Great. It helped.

0 Karma

kmedina1
Explorer

Thanks Rich! Actually, what I was looking for was more along the lines of Scripted Inputs. By going to WMI.conf we were able to enable the call that brings back the SystemUpTime and light up one of the dashboards of the PCI App.

0 Karma

Richfez
SplunkTrust

Your comment sounds like you solved the problem on your own.

If that is the case, why don't you convert your comment above to an answer, add a bit more detail to make it easier for others with this problem to follow along, then mark your answer as The One True Answer? It is OK to do that when it's appropriate and it'll help people in the future!

0 Karma