When an endpoint installs an update or removes a threat, a reboot may be required. If automatic reboots are disabled, Nebula displays the reboot-required status and the reason. If automatic reboots are enabled, endpoints may restart during working hours, causing end users to lose unsaved work.
Use this article to investigate why an endpoint rebooted at a specific time.
Before you begin: Note the exact time the reboot occurred. This will significantly speed up locating the relevant log entry.
Step 1: Find the reboot code in the logs
The endpoint agent logs contain a reboot event entry that includes a reboot code. Follow these steps to locate it.
- Collect the endpoint logs using the ThreatDown log collection guide.
- In the collected logs, navigate to and open Logs/EndpointAgent.txt
- Use Find (Ctrl+F) to search for the following string:
event.machine.reboot.required
- Locate the matching log entry. It will appear in a payload similar to the one below:
{ "type": "BOOMERANG_EVENT", "data": "{\"event_name\":\"event.machine.reboot.required\", \"timestamp\":\"2023-08-09T18:05:15Z\", \"event_details\":{\"reasons\":2}}" }
- In the payload, find the \"reasons\" field and note the number. Entries with a value of 0 indicate normal operation and can be ignored.
Step 2: Identify the reason for the reboot
Use the table below to match the reboot code from the previous step to its cause.
Note: If multiple conditions triggered the reboot, the code will be the sum of the individual reason codes. For example, a code of 5 indicates both a detection-based reboot (1) and a ThreatDown software update (4).
| Reboot Code | Reason |
|---|---|
| 0 | No reboot required |
| 1 | A detection was found that requires a reboot to fully remediate |
| 2 | ThreatDown software was installed |
| 4 | ThreatDown software was updated |
| 16 | A software update was applied by Vulnerability and Patch Management |
| 32 | An operating system patch was applied by Vulnerability and Patch Management |
| 64 | An operating system patch was applied outside of ThreatDown software |
| 17293822569102704640 (0xF000000000000000) | Unknown |
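
The lookup in Steps 1 and 2 can be scripted. The Python below is an added example, not ThreatDown's code: it pulls the timestamp and reasons fields from matching log lines and splits a summed code into the reasons from the table. The function names, the 60-minute window, treating any of the 0xF000000000000000 bits as Unknown, and the sample lines are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Reason codes copied from the table in Step 2.
REASONS = {
    1: "A detection was found that requires a reboot to fully remediate",
    2: "ThreatDown software was installed",
    4: "ThreatDown software was updated",
    16: "A software update was applied by Vulnerability and Patch Management",
    32: "An operating system patch was applied by Vulnerability and Patch Management",
    64: "An operating system patch was applied outside of ThreatDown software",
}
UNKNOWN = 0xF000000000000000  # "Unknown" row; assumed to apply if any of these bits is set

EVENT = "event.machine.reboot.required"
# Fields are matched directly, with or without backslash-escaped quotes,
# because the layout of the rest of the log line is an unknown here.
TS_RE = re.compile(r'timestamp\\?"\s*:\s*\\?"([0-9T:\-]+)Z')
CODE_RE = re.compile(r'reasons\\?"\s*:\s*(\d+)')

def decode_reasons(code):
    """Split a summed reboot code into its individual reasons."""
    if code == 0:
        return ["No reboot required"]
    found = [text for bit, text in REASONS.items() if code & bit]
    if code & UNKNOWN:
        found.append("Unknown")
    leftover = code & ~(sum(REASONS) | UNKNOWN)  # bits the table does not list
    if leftover:
        found.append(f"Code bits not listed in the table: {leftover}")
    return found

def reboot_events(lines, reboot_time, window_minutes=60):
    """Return (time, code, reasons) for non-zero events logged within
    window_minutes before reboot_time (a timezone-aware UTC datetime)."""
    hits = []
    for line in lines:
        ts, code = TS_RE.search(line), CODE_RE.search(line)
        if EVENT not in line or not (ts and code) or int(code.group(1)) == 0:
            continue  # other events, unparsable lines and code 0 are skipped
        when = datetime.strptime(ts.group(1), "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
        if timedelta(0) <= reboot_time - when <= timedelta(minutes=window_minutes):
            hits.append((when, int(code.group(1)), decode_reasons(int(code.group(1)))))
    return hits

# Constructed sample lines in the payload shape shown in Step 1.
LINE = r'{ "type": "BOOMERANG_EVENT", "data": "{\"event_name\":\"event.machine.reboot.required\", \"timestamp\":\"%s\", \"event_details\":{\"reasons\":%d}}" }'
SAMPLE = [LINE % p for p in [("2023-08-08T09:00:00Z", 2), ("2023-08-09T17:00:00Z", 0), ("2023-08-09T18:05:15Z", 5)]]
if __name__ == "__main__":
    print(reboot_events(SAMPLE, datetime(2023, 8, 9, 18, 30, tzinfo=timezone.utc)))
```

Pass it the lines of Logs/EndpointAgent.txt and the reboot time converted to UTC, since the logged timestamps end in Z.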
Step 3: Adjust reboot settings
Based on the reboot reason identified above, you may want to update your reboot policies or Patch Management schedules to allow automatic reboots going forward.
- Endpoint agent reboot policies: Endpoint agent policy settings in Nebula
- Patch Management schedules: Update software with Patch Management in Nebula