Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to monitor a windows service, send an alert and restart the service?

mtoddsmith
Engager
‎05-11-2012 02:09 PM

How can we to monitor various windows services and send alerts when they are down and optionally attempt to restart the service via splunk.

Tags (3)
Reply
1 Solution
Solved! Jump to solution
Solution

Chubbybunny
Splunk Employee
Splunk Employee
‎05-11-2012 02:56 PM

use the sc. exe command to check on the status of each service.

DESCRIPTION:
SC is a command line program used for communicating with the
NT Service Controller and services.

C:\Documents and Settings\chubbybunny.hare>sc.exe query SplunkForwarder

SERVICE_NAME: SplunkForwarder
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0

craft a splunk search for 'STATE STOPPED'

C:\Documents and Settings\chubbybunny.hare>sc.exe query SplunkForwarder

SERVICE_NAME: SplunkForwarder
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 1  STOPPED
                                (NOT_STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0

add an Alert action to 'Run a script' to start the service

C:\Documents and Settings\chubbybunny.hare>sc.exe start SplunkForwarder

SERVICE_NAME: SplunkForwarder
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 2  START_PENDING
                                (NOT_STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x7d0
        PID                : 4000
        FLAGS              :

upVote the Chubbybunny if it helps!

(\__/)
(='.'=)
(")_(")

View solution in original post

Reply
Solved! Jump to solution

dwaddle
SplunkTrust
SplunkTrust
‎05-11-2012 02:59 PM

We accomplish half of this via WMI. Add this to wmi.conf and push it out via deployment server (or however you push out configs)

[WMI:Services]
interval = 60
disabled = 0
index = default
wql = select Name, ProcessId, Caption, DisplayName, State, Status, StartName, SystemName from Win32_Service

Once you're collecting data, then searching/alerting on services that are not in the right status is pretty simple.

Reply
Solved! Jump to solution

noy72
New Member
‎02-19-2019 11:26 AM

I have added the additional displaynames to my WMI.conf file on the SCCM forwarder, I have veified that the WMI namespace on SCCM has theapropriate permissions and I have verified that Splunk is receiving WMI data. Can someone help me out with a query to veify the status of SCCM specific services?
Thank you
Ron Jones

0 Karma
Reply
Solved! Jump to solution

noy72
New Member
‎02-20-2019 09:16 AM

After verifing the above, al searches started working. I apreciate the assistance.
Ron Jones

0 Karma
Reply
Solved! Jump to solution
Solution

Chubbybunny
Splunk Employee
Splunk Employee
‎05-11-2012 02:56 PM

use the sc. exe command to check on the status of each service.

DESCRIPTION:
SC is a command line program used for communicating with the
NT Service Controller and services.

C:\Documents and Settings\chubbybunny.hare>sc.exe query SplunkForwarder

SERVICE_NAME: SplunkForwarder
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0

craft a splunk search for 'STATE STOPPED'

C:\Documents and Settings\chubbybunny.hare>sc.exe query SplunkForwarder

SERVICE_NAME: SplunkForwarder
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 1  STOPPED
                                (NOT_STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0

add an Alert action to 'Run a script' to start the service

C:\Documents and Settings\chubbybunny.hare>sc.exe start SplunkForwarder

SERVICE_NAME: SplunkForwarder
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 2  START_PENDING
                                (NOT_STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x7d0
        PID                : 4000
        FLAGS              :

upVote the Chubbybunny if it helps!

(\__/)
(='.'=)
(")_(")
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...