Hi all,
I have to monitor a Windows 10 machine and I'm interested in Windows Updates.
In Windows 7 there was a text file called WindowsUpdate.log, monitored by SplunkTAWindows, that doesn't exist in Windows 10.
Does anyone know if there's already a solution in Splunk?
I'm able to find Windows Updates in Event Viewer (Installation section).
I know that it's possible to write all Windows Updates to a file using a PowerShell script found on the Internet, but I'd prefer a Splunk solution.
Can someone help me?
Hope I understand your question correctly,
this is what I have in my inputs.conf to collect update data:

[WinEventLog://Microsoft-Windows-WindowsUpdateClient/Analytic]
checkpointInterval = 5
current_only = 0
disabled = 0
index = wineventlog
start_from = oldest

[WinEventLog://Microsoft-Windows-WindowsUpdateClient/Operational]
checkpointInterval = 5
current_only = 0
disabled = 0
index = wineventlog
start_from = oldest
here is how it looks in Splunk:
hope it helps
Surely it helps me, because it's what I was searching for.
But where is this inputs.conf?
It isn't in the latest version of SplunkTAWindows.
I added it using the GUI on a Windows install:
Settings -> Data inputs -> Local event log collection -> pick the logs I want to collect
then, if needed, I copy and distribute it to other Windows hosts.
Thank you, this solved my problems.
It's strange that it isn't in the latest TA Windows!
Probably in TA_Windows there are other problems like this!
I think there are ~100 (or more) different inputs for Windows logs.
Only 3 are introduced "out of the box" with the TA;
the rest are left for users to pickup by themselves
I tried to replicate the "Accepted Answer" and it does not work on my Windows 10 SLTB. If I try to subscribe to a direct channel I get this in the Windows logs via Splunk index=_internal:
01-09-2018 17:26:30.184 +0100 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe"" splunk-winevtlog - WinEventLogChannel::init: Init failed, unable to subscribe to Windows Event Log channel 'Microsoft-Windows-WindowsUpdateClient/Analytic': errorCode=15009
Error code 15009 means:
The caller is trying to subscribe to a direct channel which is not allowed. The events for a direct channel go directly to a logfile and cannot be subscribed to.
The script Windows suggests, Get-WindowsUpdateLog, does not work: the decoded log records in C:\Windows\WindowsUpdate.log are unreadable, something to do with missing symbols. Half of the Windows admins on the Internet seem to have the same issue.
How to fix this?
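The two problems raised in this thread (which WindowsUpdateClient channel a Splunk forwarder can actually subscribe to, and how to get Windows Update events into a file Splunk can monitor when the event log input is not an option) can be checked directly on the host. The script below is an added example, not code from any poster or from the Splunk TA. It assumes a Windows 10 host with the Microsoft-Windows-WindowsUpdateClient provider present and a PowerShell session with rights to read the Operational channel; the event ID meanings it uses (19 = installation succeeded, 20 = installation failed) are an assumption taken from common Windows Update documentation and should be verified against your own events. The output path under $env:ProgramData is a hypothetical choice.

```powershell
# Added example (not from the thread or the Splunk TA). Assumes Windows 10 and
# read access to the Microsoft-Windows-WindowsUpdateClient channels. Event IDs
# 19/20 are assumed to mean install succeeded/failed; verify on your host.

# 1. List the WindowsUpdateClient channels and their type. Analytic and Debug
#    channels are "direct" channels: events go straight to an .etl file and no
#    subscriber (including splunk-winevtlog.exe) can attach to them, which is
#    exactly what error 15009 reports. Only Administrative/Operational channels
#    can be subscribed to.
Get-WinEvent -ListLog 'Microsoft-Windows-WindowsUpdateClient/*' -ErrorAction SilentlyContinue |
    Select-Object LogName, LogType, IsEnabled, RecordCount |
    Format-Table -AutoSize

# 2. Read recent events from the Operational channel, the subscribable one.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-WindowsUpdateClient/Operational'
    StartTime = (Get-Date).AddDays(-30)
} -ErrorAction SilentlyContinue

# 3. Shape each event into one key=value line. Splunk extracts key=value pairs
#    automatically, so the resulting file can be collected with a plain
#    [monitor://...] stanza if the WinEventLog input cannot be used.
$lines = foreach ($e in $events) {
    $status = switch ($e.Id) {
        19      { 'install_succeeded' }   # assumed meaning
        20      { 'install_failed' }      # assumed meaning
        default { "event_id_$($e.Id)" }
    }
    # Message is multi-line; collapse it so each event stays on one line and
    # swap double quotes so the message field stays well-formed for extraction.
    $msg = (($e.Message -replace '[\r\n]+', ' ').Trim()) -replace '"', "'"
    '{0} host="{1}" event_id={2} status="{3}" message="{4}"' -f `
        $e.TimeCreated.ToString('yyyy-MM-ddTHH:mm:ss.fffzzz'),
        $env:COMPUTERNAME, $e.Id, $status, $msg
}

# 4. Write the lines to a file Splunk can monitor (path is a hypothetical choice).
$out = Join-Path $env:ProgramData 'WindowsUpdateEvents.log'
$lines | Set-Content -Path $out -Encoding UTF8
Write-Host ("Wrote {0} events to {1}" -f @($lines).Count, $out)
```

Step 1 is the check to run before adding a WinEventLog stanza: if a channel's LogType is Analytical or Debug, a subscription to it will fail with 15009 regardless of the Splunk version, so the Operational stanza is the one that actually delivers data. On the separate Get-WindowsUpdateLog problem, that cmdlet decodes the ETL traces using symbols it fetches from the Microsoft symbol server, so on a host without that network path the decoded lines come out as unresolved placeholders; reading the Operational channel as above does not depend on symbol resolution at all.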