Deployment Architecture

How to create search/dashboard of Ubuntu hosts with installed updates requiring a reboot?

cinchnetops
Explorer

I'm trying to create a specific search/dashboard in Splunk Enterprise 7. We have hosts running Ubuntu 14.04 with the unattended-upgrades package installed and configured to run daily. When updates are installed that require a reboot, 2 files are created on each host: /var/run/reboot-required (with the text "*** System restart required ***") and /var/run/reboot-required.pkgs (containing the packages requesting the reboot). These files are removed upon rebooting the host.

The hosts have the universal forwarder installed and I have the 2 files mentioned above forwarded to our Splunk Enterprise server. Currently, I have this search set up as an alert:

sourcetype=reboot-required.pkgs | rex max_match=0 field=_raw "(?<Packages>[^\n]+)" | mvexpand Packages | eval _raw=Packages | stats values(Packages) as Packages dc(Packages) as "Package Count" by host

Within a given time period, I can see which hosts require a reboot and what packages are prompting the reboot.

Unfortunately, this search/dashboard does not give me the entire overview of ALL my hosts at THIS moment. For example, if I have hosts that last installed updates requiring a reboot a week ago, but have NOT since been rebooted, I would not see these hosts in the search results within the last 3 days (since there are no changes to the /var/run/reboot-required* files). However, I do expect to see no results IF the reboot-required* files do NOT exist on any host.

I want to get the latest status from the reboot-required* files on EACH host regardless of time frame. What is the best way to go about this?

Thanks in advance!

0 Karma
Get Updates on the Splunk Community!

March Community Office Hours Security Series Uncovered!

Hello Splunk Community! In March, Splunk Community Office Hours spotlighted our fabulous Splunk Threat ...

Stay Connected: Your Guide to April Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars in April. This post ...

Want to Reduce Costs, Mitigate Risk, Improve Performance, or Increase Efficiencies? ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...