This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

System Shutdown / Reboot Meta for Linux/Unix Servers

navis
New Contributor
New Contributor

‎2023-09-19 03:14 AM

Hi Guys,

 

I want to create  shutdown/restart use case for Unix/ Linux servers.

 

For earlier versions of Netwitness, Linux/Unix systems Reboot/ Shutdown events were captured as "System.Shutdown" and "System.Reboots" value under 'event.cat.name' or 'event.desc' Meta.

 

Presently we are using Netwitness 11.7.3.0. I am not able to see such values for UNIX/Linux under 'event.cat.name' or 'event.desc' Meta.

 

Need your assistance.

1 REPLY 1

JohnKisner
Valued Contributor Valued Contributor
Valued Contributor

‎2023-10-25 02:48 PM

Navis,

 

One way you can see if there is a parsing issue or if the meta has just been moved would be to investigate against your logs from a server you recently know you have shutdown/rebooted. Use all the other meta available to find the correct log and then have it display all the meta values that were parsed from that log. You should be able to find what you are looking for and what meta key it may be under if the data is parsed from the log event. Once you have done that, then you'll know exactly what meta key to use for future rules/alerts/reports.

 

I hope this helps.

0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.