
Monitoring Windows Update on Windows 10

gcusello
SplunkTrust

Hi all,
I have to monitor a Windows 10 machine and I'm interested in Windows Updates.
In Windows 7 there was a text file called WindowsUpdate.log, monitored by Splunk_TA_Windows, which doesn't exist in Windows 10.
Does anyone know if there's already a solution in Splunk?

I'm able to find Windows Updates in Event Viewer (Installation section).
I know that it's possible to write all Windows Updates to a file using a PowerShell script found on the Internet, but I'd prefer a Splunk solution.

Can someone help me?

Thank you.
Giuseppe

1 Solution

adonio
Ultra Champion

hello @cusello,
hope i understand your question correctly,
this is what i have in my inputs.conf to collect update data:

[WinEventLog://Microsoft-Windows-WindowsUpdateClient/Analytic]
checkpointInterval = 5
current_only = 0
disabled = 0
index = wineventlog
start_from = oldest

[WinEventLog://Microsoft-Windows-WindowsUpdateClient/Operational]
checkpointInterval = 5
current_only = 0
disabled = 0
index = wineventlog
start_from = oldest

here is how it looks in splunk: (screenshots not preserved)

hope it helps


tomasmoser
Contributor

Hi,

I tried to replicate the "Accepted Answer" and it does not work on my Windows 10 LTSB. If I try to subscribe to a direct channel I get this in the Windows logs via Splunk (index=_internal).

01-09-2018 17:26:30.184 +0100 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe"" splunk-winevtlog - WinEventLogChannel::init: Init failed, unable to subscribe to Windows Event Log channel 'Microsoft-Windows-WindowsUpdateClient/Analytic': errorCode=15009

Error code 15009 means:

ERROR_EVT_SUBSCRIPTION_TO_DIRECT_CHANNEL
15009 (0x3AA1)
The caller is trying to subscribe to a direct channel which is not allowed. The events for a direct channel go directly to a logfile and cannot be subscribed to.

The script Windows suggests, Get-WindowsUpdateLog, does not work - the decoded log C:\Windows\WindowsUpdate.log is unreadable - something with missing symbols. Half of the Windows admins on the Internet seem to have the same issue.

How to fix this?

Tom

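The two posts above fit together: the accepted answer's inputs.conf subscribes to both WindowsUpdateClient channels, and the follow-up shows that the Analytic one fails with errorCode=15009 because Analytic (and Debug) channels are direct channels that cannot be subscribed to, while the Operational channel works. The following is an added example, not code from the thread or from Splunk: a small Python lint that parses an inputs.conf, flags WinEventLog stanzas pointing at direct channels (recognised here by the conventional "/Analytic" and "/Debug" name suffix, which is an assumption; the authoritative source is the channel's LogType), produces the corrected configuration with those stanzas dropped, and parses the splunkd error line quoted above to explain the error code. The sample inputs.conf and the sample error line are copied from the thread; the function names and the regex are this example's own.

```python
import re
from typing import Dict, List, Optional, Tuple

WINEVENTLOG_PREFIX = "WinEventLog://"

# Admin and Operational channels are serviced channels a collector can subscribe to.
# Analytic and Debug channels are direct channels: events go straight to an .etl
# file and cannot be subscribed to, which Windows reports as error 15009
# (ERROR_EVT_SUBSCRIPTION_TO_DIRECT_CHANNEL), the code in the thread's error line.
# Detecting direct channels by name suffix is a naming convention (assumption);
# "Get-WinEvent -ListLog <channel>" shows the real LogType on the host.
DIRECT_CHANNEL_SUFFIXES = ("/Analytic", "/Debug")
ERROR_EVT_SUBSCRIPTION_TO_DIRECT_CHANNEL = 15009

# Matches the splunkd.log line quoted in the thread (this regex is the example's own).
SUBSCRIBE_ERROR_RE = re.compile(
    r"ERROR ExecProcessor - .*?unable to subscribe to Windows Event Log channel "
    r"'(?P<channel>[^']+)': errorCode=(?P<code>\d+)"
)

# Constructed sample: the stanzas from the accepted answer, verbatim.
SAMPLE_INPUTS_CONF = """\
[WinEventLog://Microsoft-Windows-WindowsUpdateClient/Analytic]
checkpointInterval = 5
current_only = 0
disabled = 0
index = wineventlog
start_from = oldest

[WinEventLog://Microsoft-Windows-WindowsUpdateClient/Operational]
checkpointInterval = 5
current_only = 0
disabled = 0
index = wineventlog
start_from = oldest
"""

# Constructed sample: the index=_internal error line quoted in the thread.
SAMPLE_SPLUNKD_ERROR = (
    r'01-09-2018 17:26:30.184 +0100 ERROR ExecProcessor - message from '
    r'""C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe"" '
    r"splunk-winevtlog - WinEventLogChannel::init: Init failed, unable to subscribe "
    r"to Windows Event Log channel 'Microsoft-Windows-WindowsUpdateClient/Analytic': "
    r"errorCode=15009"
)


def parse_inputs_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Return {stanza_name: {key: value}} for a Splunk .conf text (comments skipped)."""
    stanzas: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas[current] = {}
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def _is_direct_channel_stanza(stanza: str) -> bool:
    return stanza.startswith(WINEVENTLOG_PREFIX) and stanza.endswith(DIRECT_CHANNEL_SUFFIXES)


def find_direct_channel_stanzas(text: str) -> List[str]:
    """Channels of WinEventLog stanzas that a subscription-based input cannot read."""
    return [s[len(WINEVENTLOG_PREFIX):] for s in parse_inputs_conf(text)
            if _is_direct_channel_stanza(s)]


def drop_direct_channel_stanzas(text: str) -> str:
    """Corrected conf: the same text with direct-channel WinEventLog stanzas removed."""
    kept, keep = [], True
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            keep = not _is_direct_channel_stanza(line[1:-1])
        if keep:
            kept.append(raw)
    return "\n".join(kept) + "\n"


def diagnose_subscription_error(log_line: str) -> Optional[Tuple[str, int, str]]:
    """(channel, errorCode, explanation) for a WinEventLog subscribe failure, else None."""
    m = SUBSCRIBE_ERROR_RE.search(log_line)
    if not m:
        return None
    channel, code = m.group("channel"), int(m.group("code"))
    if code == ERROR_EVT_SUBSCRIPTION_TO_DIRECT_CHANNEL:
        why = "direct channel: not subscribable, remove the stanza (events only reach its .etl file)"
    else:
        why = "see Windows system error code %d" % code
    return channel, code, why


if __name__ == "__main__":
    print("direct-channel stanzas:", find_direct_channel_stanzas(SAMPLE_INPUTS_CONF))
    print(drop_direct_channel_stanzas(SAMPLE_INPUTS_CONF))
    print(diagnose_subscription_error(SAMPLE_SPLUNKD_ERROR))
```

Run against the thread's own stanzas the lint flags only Microsoft-Windows-WindowsUpdateClient/Analytic and leaves the Operational stanza, which is the one that actually delivers the update events; the error-line parser turns the 15009 line into the same diagnosis so it can be used as a check over index=_internal after a forwarder restart.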


gcusello
SplunkTrust

Surely it helps me, because it's what I was searching for.
But where is this inputs.conf?
It isn't in the latest version of Splunk_TA_Windows.
Bye.
Giuseppe


adonio
Ultra Champion

i add it using the GUI on a windows install
settings -> data inputs -> local event log collection -> pick the logs i want to collect
then if needed i copy and distribute to other windows hosts


gcusello
SplunkTrust

Hi adonio,
Thank you, this solved my problems.
It's strange that it isn't in the latest TA Windows!
Probably there are other problems like this in TA_Windows!
Bye.
Giuseppe


adonio
Ultra Champion

i think there are ~100 (or more) different inputs for windows logs.
only 3 are introduced "out of the box" with the TA;
the rest are left for users to pick up by themselves
