Getting Data In

How to catch is an Application Installed

a_n
Path Finder

Hi.

I have Splunk on windows network, and collecting data using UF from clients.

I need to make a report for newly installed application on clients.

I am searching for event id 11707 and also 1033, but it seems these event are being logged only if we use Windows Installer.

For example, we installed Notepad++ on a client, and we do not have any event for that.

Can someone please advise?

Thank you.

Labels (2)
0 Karma

a_n
Path Finder

Hello @gcusello ,

Thank you, I have Windows TA but in the config I have [WinEventLog://Application], would you please advise about Discovery? and how to enable/use it?
Or a reference please?

Appreciate your advise.

Thank you

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @a_n,

see in in your logs you have

 the following data:

index=windows sourcetype=WinHostMon Type=Application

If yes, you can run a simple search like this:

index=windows sourcetype=WinHostMon Type=Application
| eval host=upper(host)
| dedup Name 
| sort Name 
| eval InstallDate=strftime(strptime(InstallDate,"%Y%m%d"),"%d/%m/%Y")
| table Name Vendor Version SerialNumber InstallDate InstallLocation

If you haven't those data, you have to add to your TA-Windows a script containing this command:

Get-WmiObject -Class Win32_Product * 

and launch it from inputs.conf e.g. one time a day.

To know how to use a scripted input see at https://docs.splunk.com/Documentation/Splunk/latest/AdvancedDev/ScriptSetup

Ciao.

Giuseppe

 

a_n
Path Finder

@gcusello 
Appreciate your advices.

When I try 

sourcetype=WinHostMon Type=Application

I do not have data back.
when I run 

Get-WmiObject -Class Win32_Product * 

in powershell it gets data , but nothing on install date.
Capture.JPG
I tried to modify the inputs.conf and add:

[WinHostMon://application]
type = application
interval = 60

but no data ingested.
Unfortunately I got lost with the scripting method.
Isn't it possible just to modify the inputs.conf?
Thank you again.

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @a_n,

the first method I described was used until last year, but then Microsoft changed something so it isn't possible to have those data.

The only way is a powershell script like the one I described.

I'm not a powershell expert so I cannot help you in this (infact the above script was done by one of my colleagues), see in that direction because it's the right way..

Ciao.

Giuseppe

a_n
Path Finder

@gcusello 
Appreciate your support ad assistance.

Thank you

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @a_n,

if you use the Splunk Windows TA on your Windows servers and enable the application discovery, you'll have the list of all installed applications, with the installation date, so you can check the newly installed ones.

Ciao.

Giuseppe

0 Karma
Get Updates on the Splunk Community!

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation

As of Splunk Cloud Platform 9.3.2408 and Splunk Enterprise 9.4, classic dashboard export features are now ...