How to create an alert for when McAfee services ar...

ravisplunksap · ‎12-21-2016

Hi All,

I want to create an alert for McAfee services stopped for the Windows hosts. Meanwhile every time McAfee services entered in to running state frequently. So I want to create a search that if the McAfee service is in a stopped state at least for 1 hour (i.e. it shouldn't go to entered state within this 1 hr). So, i have created below search to trigger an alert:

index=*windows EventCode=7036 host_status="Live" Message="The McAfee McShield service entered the stopped state." | transaction Message maxspan=60min maxpause=1min | table _time host host_status Message EventCode tic_customer

Is this the right method or should I modify this search?

Please assist here.

richgalloway · ‎12-22-2016

Your query looks for the stopped state, but not the running state so you'll not find the services that have restarted. Try this.

index=*windows EventCode=7036 host_status="Live" (Message="The McAfee McShield service entered the stopped state." OR Message="The McAfee McShield service entered the running state.") | dedup host | where _time < relative_time(now(), "-1h") | where  Message="The McAfee McShield service entered the stopped state." | table _time host host_status Message EventCode tic_customer

---
If this reply helps you, Karma would be appreciated.

How to create an alert for when McAfee services are stopped for 1 hour?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!