topic Re: How to catch is an Application Installed in Getting Data In

How to catch is an Application Installed

a_n — Wed, 14 Jul 2021 07:29:46 GMT

Hi.

I have Splunk on windows network, and collecting data using UF from clients.

I need to make a report for newly installed application on clients.

I am searching for event id 11707 and also 1033, but it seems these event are being logged only if we use Windows Installer.

For example, we installed Notepad++ on a client, and we do not have any event for that.

Can someone please advise?

Thank you.

Re: How to catch is an Application Installed

gcusello — Wed, 14 Jul 2021 09:34:34 GMT

Hi @a_n,

if you use the Splunk Windows TA on your Windows servers and enable the application discovery, you'll have the list of all installed applications, with the installation date, so you can check the newly installed ones.

Ciao.

Giuseppe

Re: How to catch is an Application Installed

a_n — Thu, 15 Jul 2021 07:47:42 GMT

Hello @gcusello ,

Thank you, I have Windows TA but in the config I have [WinEventLog://Application], would you please advise about Discovery? and how to enable/use it?
Or a reference please?

Appreciate your advise.

Thank you

Re: How to catch is an Application Installed

gcusello — Thu, 15 Jul 2021 08:09:36 GMT

Hi @a_n,

see in in your logs you have

the following data:

index=windows sourcetype=WinHostMon Type=Application

If yes, you can run a simple search like this:

If you haven't those data, you have to add to your TA-Windows a script containing this command:

Get-WmiObject -Class Win32_Product *

and launch it from inputs.conf e.g. one time a day.

To know how to use a scripted input see at https://docs.splunk.com/Documentation/Splunk/latest/AdvancedDev/ScriptSetup

Ciao.

Giuseppe

Re: How to catch is an Application Installed

a_n — Thu, 15 Jul 2021 09:18:46 GMT

@gcusello
Appreciate your advices.

When I try

sourcetype=WinHostMon Type=Application

I do not have data back.
when I run

Get-WmiObject -Class Win32_Product *

in powershell it gets data , but nothing on install date.

I tried to modify the inputs.conf and add:

[WinHostMon://application] type = application interval = 60

but no data ingested.
Unfortunately I got lost with the scripting method.
Isn't it possible just to modify the inputs.conf?
Thank you again.

Re: How to catch is an Application Installed

gcusello — Thu, 15 Jul 2021 09:23:33 GMT

Hi @a_n,

the first method I described was used until last year, but then Microsoft changed something so it isn't possible to have those data.

The only way is a powershell script like the one I described.

I'm not a powershell expert so I cannot help you in this (infact the above script was done by one of my colleagues), see in that direction because it's the right way..

Ciao.

Giuseppe

Re: How to catch is an Application Installed

a_n — Thu, 15 Jul 2021 09:25:28 GMT

@gcusello
Appreciate your support ad assistance.

Thank you