
Where can I get SystemUpTime to configure Anomalous System Uptime in the Splunk App for PCI Compliance?

Explorer

Folks,

I am looking to configure the Anomalous System Uptime report within the PCI app. As per the manual: "Relevant data sources for this report include uptime data extracted through scripts from Windows, Unix, or other hosts." Is then the Splunk_TA_windows pre-configured to pull the SystemUpTime? I cannot seem to find anything related to system uptime within the Windows logs; I tried looking at the data by doing sourcetype=Win*.

What does "data extracted through scripts" mean? Is this something that the Splunk Admin has to pull via Scripted Inputs?

Thanks!

http://docs.splunk.com/Documentation/PCI/2.1.1/Install/AnomalousSystemUpdate


SplunkTrust

There is a system uptime reported by windows as part of the system events around midnight each night. Some details on the event with the portions I think are pertinent to finding these events in bold:

LogName=System
SourceName=EventLog
EventCode=6013
EventType=4
Type=Information
ComputerName=MyComputerName
TaskCategory=None
OpCode=None
RecordNumber=93763
Keywords=Classic
Message=The system uptime is 7593 seconds

If it isn't extracted, you could of course extract the uptime with a rex, perhaps like

... | rex field=Message "uptime is (?<uptime>\d+) seconds"

So if that's needed, there it is.

For ease of use, if you wanted, here's a few more calculations:

sourcetype="WinEventLog:system" EventCode=6013
| rex field=Message "uptime is (?<uptime>\d+) seconds"
| eval Uptime_Minutes=uptime/60
| eval LastBoot=_time-uptime
| convert ctime(LastBoot)
| table _time, host, Message, uptime, Uptime_Minutes, LastBoot

Have fun!

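The search above does the extraction and the last-boot arithmetic inside Splunk. As an added example (not part of the answer above and not code from the PCI app or the Windows add-on), the following Python does the same work offline and goes one step further: it compares consecutive 6013 events per host to flag a reboot that happened between two daily reports, and flags hosts whose uptime exceeds a maximum. The sample events are constructed for the example; the assumption that each indexed event begins with a Windows-style timestamp line, the 90-day maximum and the 5-minute tolerance are all assumptions, not anything the page or the PCI app defines.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample events (not real data), in the multi-line key=value
# layout the Windows add-on produces for EventCode 6013. The first line of
# each event is assumed to be the event timestamp as Splunk would index it.
SAMPLE_EVENTS = """\
09/01/2015 12:00:01 AM
LogName=System
SourceName=EventLog
EventCode=6013
EventType=4
Type=Information
ComputerName=HOST-A
Message=The system uptime is 864000 seconds

09/02/2015 12:00:01 AM
LogName=System
SourceName=EventLog
EventCode=6013
ComputerName=HOST-A
Message=The system uptime is 950400 seconds

09/03/2015 12:00:01 AM
LogName=System
SourceName=EventLog
EventCode=6013
ComputerName=HOST-A
Message=The system uptime is 3600 seconds

09/01/2015 12:00:05 AM
LogName=System
SourceName=EventLog
EventCode=6013
ComputerName=HOST-B
Message=The system uptime is 9000000 seconds
"""

# Same pattern as the rex in the answer above.
UPTIME_RE = re.compile(r"uptime is (?P<uptime>\d+) seconds")


@dataclass
class UptimeEvent:
    time: datetime
    host: str
    uptime_seconds: int


@dataclass
class Finding:
    host: str
    kind: str  # "reboot" or "excessive_uptime"
    time: datetime
    detail: str


def parse_events(raw: str) -> List[UptimeEvent]:
    """Parse blank-line-separated key=value events; keep only 6013 with an uptime."""
    events: List[UptimeEvent] = []
    for block in re.split(r"\n\s*\n", raw.strip()):
        lines = block.strip().splitlines()
        # Assumed layout: timestamp on the first line, key=value pairs after it.
        when = datetime.strptime(lines[0], "%m/%d/%Y %I:%M:%S %p")
        fields: Dict[str, str] = {}
        for line in lines[1:]:
            key, _, value = line.partition("=")  # Message text may itself contain '='
            fields[key] = value
        if fields.get("EventCode") != "6013":
            continue
        match = UPTIME_RE.search(fields.get("Message", ""))
        if not match:
            continue
        events.append(UptimeEvent(when, fields["ComputerName"], int(match.group("uptime"))))
    return events


def last_boot(event: UptimeEvent) -> datetime:
    """Equivalent of `eval LastBoot=_time-uptime` in the search above."""
    return event.time - timedelta(seconds=event.uptime_seconds)


def find_anomalies(events: List[UptimeEvent],
                   max_uptime: timedelta = timedelta(days=90),   # assumed policy limit
                   tolerance: timedelta = timedelta(minutes=5)) -> List[Finding]:
    """Flag reboots between consecutive reports and uptime beyond max_uptime."""
    by_host: Dict[str, List[UptimeEvent]] = {}
    for ev in events:
        by_host.setdefault(ev.host, []).append(ev)

    findings: List[Finding] = []
    for host, host_events in by_host.items():
        host_events.sort(key=lambda e: e.time)
        prev = None
        for ev in host_events:
            uptime = timedelta(seconds=ev.uptime_seconds)
            if prev is not None:
                # Had the host stayed up, uptime would have grown by the wall-clock gap.
                expected = timedelta(seconds=prev.uptime_seconds) + (ev.time - prev.time)
                if uptime < expected - tolerance:
                    findings.append(Finding(host, "reboot", ev.time,
                                            f"last boot {last_boot(ev):%Y-%m-%d %H:%M:%S}, "
                                            f"previous report implied {int(expected.total_seconds())}s"))
            if uptime > max_uptime:
                findings.append(Finding(host, "excessive_uptime", ev.time,
                                        f"{uptime.days} days since last boot, limit {max_uptime.days}"))
            prev = ev
    return findings


if __name__ == "__main__":
    for f in find_anomalies(parse_events(SAMPLE_EVENTS)):
        print(f"{f.time:%Y-%m-%d %H:%M:%S} {f.host} {f.kind}: {f.detail}")
```

With the constructed input, HOST-A is flagged for a reboot on the third day (its reported uptime dropped from 950400 s to 3600 s, so it last booted at 23:00:01 the previous evening) and HOST-B is flagged for exceeding the assumed 90-day limit. The tolerance absorbs clock drift and the scheduling jitter of the midnight event; without it, a few seconds of skew between consecutive reports would register as a reboot.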

New Member

Great, it helped.


Explorer

Thanks rich! Actually, what I was looking for was more along the lines of Scripted Inputs. By going to WMI.conf we were able to enable the call that brings back the SystemUpTime and light up one of the dashboards of the PCI App.


SplunkTrust

Your comment sounds like you solved the problem on your own.

If that is the case, why don't you convert your comment above to an answer, add a bit more detail to make it easier for others with this problem to follow along, then mark your answer as The One True Answer? It is OK to do that when it's appropriate and it'll help people in the future!
