This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

System Reboot Logs

AtulChavan
Beginner
Beginner

‎2016-11-24 03:40 AM

Hi Guys,

 

I want to create Windows/Linux shutdown/restart use case. For Windows, if use event id 1074, I can see two events for each server.

1) process as explorer.exe and result code as 0x84040001

2) process as winlogon.exe and result code as 0x500ff

 

To create proper windows shutdown/restart rule, which event id I should use? IS there anything else which I can use to drill down this situations.

 

Also for Linux servers which condition I should use to create such rule.

 

Need you help.

1 REPLY 1

MohdSaadKhan
Frequent Contributor
Frequent Contributor

‎2016-11-25 04:05 AM

For windows you can simply use reference id i.e. 513,4609 (Windows shutting down) and 4608 (Windows starting up)

 

And for Linux/Unix systems you will get "System.Shutdown" and "System.Reboots" value under 'event.cat.name' or 'event.desc' meta.

0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.