Getting Data In

How to Ingest and Parse WSUS Logs from WID Database into Splunk?

refahiati
Explorer

Hello,

I have a WSUS server that is using the Windows Internal Database (WID). I would like to ingest WSUS service logs into Splunk, store them, and then parse them for further analysis. Could someone guide me on the best approach to achieve this?

Specifically:

  1. What is the best way to configure Splunk to collect logs from the WSUS service (and database if necessary)?
  2. Are there any best practices or recommended add-ons for parsing and indexing WSUS logs in Splunk?

Thanks in advance for your help!

1 Solution

PickleRick
SplunkTrust

If WSUS writes events to the event log or flat files, you can use the usual methods (wineventlog and monitor inputs) to obtain that data.

WID is another story - it's an embedded component and cannot be queried remotely, so the only way to access it would be by some component installed directly on the WSUS server.

The most obvious way to access an MSSQL database, which is using DBConnect, will fail, however, because Microsoft's JDBC driver for MSSQL is a pure-Java implementation and only uses TCP/IP connectivity. You could try using the jTDS driver, but this is unsupported and generally unexplored territory. In other words, you're on your own here.

You could also try using SQL Studio and the tools contained therein to script some queries against the database and write the results to a file, but again - I don't think that's something people do often and you're unlikely to find a ready-made solution.

There is a third-party (not Splunk-supported) add-on and app for WSUS on Splunkbase but the add-on assumes connectivity to WSUS database using DBConnect (which means a WSUS setup with an external MS SQL instance). But you can look into it to find the queries you need if you decide to implement the ingestion process on your own.


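As an added illustration of the "script queries locally and write the results to a file" route from the answer above (example code, not from the thread or the Splunkbase app): a PowerShell script run on the WSUS server itself, for instance as a scheduled task under an account with read access to SUSDB, that pulls client status out of WID over the local named pipe and appends JSON lines for a Splunk monitor input. The WID pipe name, the `SUSDB` database, the `dbo.tbComputerTarget` table and columns, and the output paths are assumptions to verify against your own instance (the add-on's queries are a good reference).

```powershell
# Added example, not from the thread or the Splunkbase add-on. Runs locally on
# the WSUS server (WID cannot be queried remotely) and appends one JSON event
# per row to a file that a Splunk monitor input picks up.
# Assumptions: default WID named pipe on Windows Server 2012+, database SUSDB,
# and the dbo.tbComputerTarget table/columns named below; verify all of them.
$connStr   = 'Server=np:\\.\pipe\MICROSOFT##WID\tsql\query;Database=SUSDB;Integrated Security=True'
$outFile   = 'C:\ProgramData\WsusSplunk\wsus_computers.json'   # assumed path
$stateFile = 'C:\ProgramData\WsusSplunk\last_report_time.txt'  # assumed path
New-Item -ItemType Directory -Force -Path (Split-Path $outFile) | Out-Null

# Incremental pull: checkpoint the newest LastReportedStatusTime seen so far and
# fetch only rows reported after it, so the monitored file never gets duplicates.
$since = if (Test-Path $stateFile) { [datetime](Get-Content $stateFile) } else { [datetime]'1900-01-01' }

$conn = New-Object System.Data.SqlClient.SqlConnection $connStr
$cmd  = $conn.CreateCommand()
$cmd.CommandText = @"
SELECT FullDomainName, IPAddress, LastSyncTime, LastReportedStatusTime
FROM dbo.tbComputerTarget
WHERE LastReportedStatusTime > @since
"@
[void]$cmd.Parameters.AddWithValue('@since', $since)   # parameterised, never string-built

function Get-Col($reader, [string]$name) {
    # Return $null for SQL NULL instead of a DBNull object that ConvertTo-Json mangles
    $i = $reader.GetOrdinal($name)
    if ($reader.IsDBNull($i)) { $null } else { $reader.GetValue($i) }
}
function To-Iso([datetime]$d) {
    # WSUS stores UTC; tag it as such and emit ISO 8601 so Splunk parses it cleanly
    if ($d) { [datetime]::SpecifyKind($d, 'Utc').ToString('o') } else { $null }
}

$newest = $since
$conn.Open()
try {
    $reader = $cmd.ExecuteReader()
    while ($reader.Read()) {
        $reported = Get-Col $reader 'LastReportedStatusTime'
        $event = [ordered]@{
            time                 = (Get-Date).ToUniversalTime().ToString('o')
            computer             = Get-Col $reader 'FullDomainName'
            ip                   = "$(Get-Col $reader 'IPAddress')"
            last_sync            = To-Iso (Get-Col $reader 'LastSyncTime')
            last_reported_status = To-Iso $reported
        }
        Add-Content -Path $outFile -Encoding UTF8 -Value ($event | ConvertTo-Json -Compress)
        if ($reported -and $reported -gt $newest) { $newest = $reported }
    }
}
finally { $conn.Close() }
Set-Content -Path $stateFile -Value $newest.ToString('o')   # advance the checkpoint
```

On the Splunk side a plain `[monitor://C:\ProgramData\WsusSplunk\wsus_computers.json]` stanza with `sourcetype = _json` in inputs.conf is enough to index the file, and the same pattern extends to update or installation-status tables once you have confirmed their names.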