
Monitoring Windows Update on Windows 10

gcusello
SplunkTrust

Hi all,
I have to monitor a Windows 10 machine and I'm interested in Windows Updates.
In Windows 7 there was a text file called WindowsUpdate.log, monitored by Splunk_TA_Windows, which doesn't exist in Windows 10.
Does someone know if there's already a solution in Splunk?

I'm able to find Windows Updates in Event Viewer (Installation section).
I know that it's possible to write all Windows Updates to a file using a PowerShell script found on the Internet, but I'd prefer a Splunk solution.

Can someone help me?

Thank you.
Giuseppe

1 Solution

adonio
Ultra Champion

Hello @cusello,
I hope I understand your question correctly;
this is what I have in my inputs.conf to collect update data:

[WinEventLog://Microsoft-Windows-WindowsUpdateClient/Analytic]
checkpointInterval = 5
current_only = 0
disabled = 0
index = wineventlog
start_from = oldest

[WinEventLog://Microsoft-Windows-WindowsUpdateClient/Operational]
checkpointInterval = 5
current_only = 0
disabled = 0
index = wineventlog
start_from = oldest

Here is how it looks in Splunk: [screenshots]

hope it helps


tomasmoser
Contributor

Hi,

I tried to replicate the "Accepted Answer" and it does not work on my Windows 10 LTSB. If I try to subscribe to a direct channel I get this in the Windows logs via Splunk (index=_internal).

01-09-2018 17:26:30.184 +0100 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe"" splunk-winevtlog - WinEventLogChannel::init: Init failed, unable to subscribe to Windows Event Log channel 'Microsoft-Windows-WindowsUpdateClient/Analytic': errorCode=15009

Error code 15009 means:

ERROR_EVT_SUBSCRIPTION_TO_DIRECT_CHANNEL
15009 (0x3AA1)
The caller is trying to subscribe to a direct channel which is not allowed. The events for a direct channel go directly to a logfile and cannot be subscribed to.

The script Windows suggests, Get-WindowsUpdateLog, does not work: the decoded log records in C:\Windows\WindowsUpdate.log are unreadable, something to do with missing symbols. Half of the Windows admins on the Internet seem to have the same issue.

How to fix this?

Tom

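The distinction Tom runs into can be checked before a stanza is deployed. The following is an added example (not code from this thread or from Splunk): a small Python script that flags WinEventLog:// stanzas pointing at direct channels (Analytic and Debug, per Microsoft's channel types) and parses splunkd.log lines for the errorCode=15009 subscription failure. The inputs.conf text and the log lines are constructed samples built from the posts above; the function names are this example's own.

```python
import configparser
import re
# Admin/Operational are serviced channels a collector can subscribe to; Analytic/Debug
# are direct channels that write straight to a log file and reject subscriptions.
DIRECT_CHANNEL_SUFFIXES = ("/Analytic", "/Debug")
ERROR_EVT_SUBSCRIPTION_TO_DIRECT_CHANNEL = 15009
# Matches the splunk-winevtlog failure line quoted in this thread.
SUBSCRIBE_FAIL = re.compile(r"unable to subscribe to Windows Event Log channel "
                            r"'(?P<channel>[^']+)': errorCode=(?P<code>\d+)")

def direct_channel_stanzas(inputs_conf_text):
    """Return enabled WinEventLog:// stanzas that target a direct channel."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(inputs_conf_text)
    flagged = []
    for section in cp.sections():
        if not section.startswith("WinEventLog://"):
            continue
        channel = section[len("WinEventLog://"):]
        enabled = cp.get(section, "disabled", fallback="0").strip() != "1"
        if enabled and channel.endswith(DIRECT_CHANNEL_SUFFIXES):
            flagged.append(channel)
    return flagged

def failed_subscriptions(splunkd_log_lines):
    """Map channel -> errorCode for each subscription failure seen in splunkd.log."""
    failures = {}
    for line in splunkd_log_lines:
        m = SUBSCRIBE_FAIL.search(line)
        if m:
            failures[m.group("channel")] = int(m.group("code"))
    return failures

def check(inputs_conf_text, splunkd_log_lines):
    """Pair each flagged stanza with the errorCode the forwarder logged (None if not seen)."""
    failures = failed_subscriptions(splunkd_log_lines)
    return {ch: failures.get(ch) for ch in direct_channel_stanzas(inputs_conf_text)}

# Constructed sample: the two stanzas from the accepted answer, trimmed to the keys used.
SAMPLE_INPUTS_CONF = """
[WinEventLog://Microsoft-Windows-WindowsUpdateClient/Analytic]
disabled = 0
[WinEventLog://Microsoft-Windows-WindowsUpdateClient/Operational]
disabled = 0
"""
# Constructed sample: the splunkd.log line Tom quoted, plus an unrelated INFO line.
SAMPLE_SPLUNKD_LOG = [
    r"""01-09-2018 17:26:30.184 +0100 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe"" splunk-winevtlog - WinEventLogChannel::init: Init failed, unable to subscribe to Windows Event Log channel 'Microsoft-Windows-WindowsUpdateClient/Analytic': errorCode=15009""",
    "01-09-2018 17:26:31.002 +0100 INFO  ExecProcessor - unrelated line",
]
```

check(SAMPLE_INPUTS_CONF, SAMPLE_SPLUNKD_LOG) returns the Analytic channel mapped to 15009, while the Operational stanza, a serviced channel, is not flagged.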


gcusello
SplunkTrust

Surely it helps me, because it's what I was searching for.
But where is this inputs.conf?
It isn't in the latest version of Splunk_TA_Windows.
Bye.
Giuseppe


adonio
Ultra Champion

I add it using the GUI on a Windows install:
Settings -> Data inputs -> Local event log collection -> pick the logs I want to collect.
Then, if needed, I copy and distribute it to other Windows hosts.


gcusello
SplunkTrust

Hi adonio,
Thank you, this solved my problems.
It's strange that it isn't in the latest TA Windows!
Probably there are other problems like this in TA_Windows!
Bye.
Giuseppe


adonio
Ultra Champion

I think there are ~100 (or more) different inputs for Windows logs.
Only 3 are introduced "out of the box" with the TA;
the rest are left for users to pick up by themselves.
