Splunk® App for PCI Compliance

Installation and Configuration Manual

Download manual as PDF

Download topic as PDF

Anomalous System Uptime

This report provides a list of servers that have not had been rebooted in 30 days or more. Use this report to identify systems that might be vulnerable to attack.

Systems often need to be rebooted after patches are applied. Systems that have not been rebooted might still be vulnerable to compromise. PCI DSS requires that high and/or critical patches be applied within 30 days.

Relevant data sources

Relevant data sources for this report include uptime data extracted through scripts from Windows, Unix, or other hosts.

How to configure this report

  1. Index uptime information captured through scripts from relevant hosts.
  2. Map the uptime data to the following Common Information Model fields: dest, uptime. CIM-compliant add-ons for these data sources perform this step for you.
  3. Tag the uptime data with "uptime", "performance", and "os".
  4. Set the should_timesync column to true for assets in the asset table that should synchronize their clocks.

Report description

The Anomalous System Update report is populated by the Performance data model and the asset table.

Useful searches for troubleshooting

Troubleshooting Task Search/Action Expected Result
Verify that uptime data is available in Splunk platform. tag=uptime tag=os tag=performance Returns uptime data.
Verify that fields are normalized and available as expected. tag=uptime tag=os tag=performance | fields dest, uptime
or `uptime`
Returns uptime data fields.
PREVIOUS
System Update Status
  NEXT
PCI Command History

This documentation applies to the following versions of Splunk® App for PCI Compliance: 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.2.0, 3.2.1, 3.3.0, 3.3.1, 3.3.2, 3.3.3, 3.4.0, 3.4.1, 3.4.2, 3.5.0, 3.6.0, 3.6.1, 3.7.0, 3.7.1, 3.7.2, 3.8.0, 3.8.1


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters