Hi all,
I have to monitor a Windows 10 machine and I'm interested in Windows Updates.
In Windows 7 there was a text file called WindowsUpdate.log, monitored by Splunk_TA_Windows, that doesn't exist in Windows 10.
Does someone know if there's already a solution in Splunk?
I'm able to find Windows Updates in Event Viewer (Installation section).
I know that it's possible to write all Windows Updates to a file using a PowerShell script found on the Internet, but I'd prefer a Splunk solution.
Can someone help me?
Thank you.
Giuseppe

hello @cusello,
hope I understand your question correctly,
this is what I have in my inputs.conf to collect update data:
[WinEventLog://Microsoft-Windows-WindowsUpdateClient/Analytic]
checkpointInterval = 5
current_only = 0
disabled = 0
index = wineventlog
start_from = oldest
[WinEventLog://Microsoft-Windows-WindowsUpdateClient/Operational]
checkpointInterval = 5
current_only = 0
disabled = 0
index = wineventlog
start_from = oldest
here is how it looks in Splunk:
hope it helps

Hi,
I tried to replicate the "Accepted Answer" and it does not work on my Windows 10 LTSB. If I try to subscribe to a direct channel I get this in the Windows logs via Splunk index=_internal.
01-09-2018 17:26:30.184 +0100 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe"" splunk-winevtlog - WinEventLogChannel::init: Init failed, unable to subscribe to Windows Event Log channel 'Microsoft-Windows-WindowsUpdateClient/Analytic': errorCode=15009
Error code 15009 means:
ERROR_EVT_SUBSCRIPTION_TO_DIRECT_CHANNEL
15009 (0x3AA1)
The caller is trying to subscribe to a direct channel which is not allowed. The events for a direct channel go directly to a logfile and cannot be subscribed to.
The Get-WindowsUpdateLog script that Windows suggests does not work - the decoded log records in C:\Windows\WindowsUpdate.log are unreadable - something with missing symbols. Half of the Windows admins on the Internet seem to have the same issue.
How to fix this?
Tom
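An added check, not part of the thread, for the errorCode=15009 situation above: before deploying a WinEventLog stanza, list the WindowsUpdateClient channels on the host with their LogType. Channels of type Analytical or Debug are direct channels that cannot be subscribed to (that is what 15009 reports); Operational and Administrative channels can be. The snippet then prints an inputs.conf stanza, in the same layout as the accepted answer, only for the subscribable channels, and pulls the newest events from the Operational channel so you can confirm data exists before Splunk reads it. It assumes an elevated PowerShell session on the Windows 10 host itself; the stanza settings (index name, checkpointInterval) are copied from the answer above and are not Splunk defaults.

```powershell
# Added example (not from the thread): find out which WindowsUpdateClient
# channels a Splunk WinEventLog input can actually subscribe to.
# Assumption: run in an elevated PowerShell on the monitored Windows 10 host.

# Every channel under the provider, with its type. Analytical/Debug are
# direct channels: subscribing fails with errorCode=15009 in splunkd.log.
$channels = Get-WinEvent -ListLog 'Microsoft-Windows-WindowsUpdateClient/*' -ErrorAction Stop
$channels | Select-Object LogName, LogType, IsEnabled, RecordCount | Format-Table -AutoSize

# Emit an inputs.conf stanza only for channels that can be subscribed to.
# Values mirror the answer above (index=wineventlog etc.); adjust to taste.
$subscribable = $channels | Where-Object { ([string]$_.LogType) -in @('Operational', 'Administrative') }
foreach ($c in $subscribable) {
    @"
[WinEventLog://$($c.LogName)]
checkpointInterval = 5
current_only = 0
disabled = 0
index = wineventlog
start_from = oldest
"@
}

# Sanity check: the newest update events in the Operational channel, i.e. the
# records Splunk will receive once the stanza is deployed.
Get-WinEvent -LogName 'Microsoft-Windows-WindowsUpdateClient/Operational' -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName, Message |
    Format-Table -Wrap
```

If the Analytic channel shows LogType Analytical in the first table, drop its stanza from inputs.conf rather than trying to enable it; enabling the channel (wevtutil or Event Viewer) only makes it write to its own .etl file, it still cannot be subscribed to, so the forwarder will keep logging 15009.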


Surely it helps me, because it's what I was searching for.
But where is this inputs.conf?
It isn't in the latest version of Splunk_TA_Windows.
Bye.
Giuseppe

I add it using the GUI on a Windows install:
Settings -> Data inputs -> Local event log collection -> pick the logs I want to collect
then, if needed, I copy and distribute it to other Windows hosts

Hi adonio,
Thank you, this solved my problems.
It's strange that it isn't in the latest TA Windows!
Probably there are other problems like this in TA_Windows!
Bye.
Giuseppe

I think there are ~100 (or more) different inputs for Windows logs.
Only 3 are enabled "out of the box" with the TA;
the rest are left for users to pick up by themselves.
