Hi.
I have Splunk on a Windows network, and I am collecting data using UF from clients.
I need to make a report for newly installed applications on clients.
I am searching for event ID 11707 and also 1033, but it seems these events are being logged only if we use Windows Installer.
For example, we installed Notepad++ on a client, and we do not have any event for that.
Can someone please advise?
Thank you.
Hello @gcusello,
Thank you, I have Windows TA but in the config I have [WinEventLog://Application]. Would you please advise about Discovery, and how to enable/use it?
Or a reference please?
Appreciate your advice.
Thank you
Hi @a_n,
see if in your logs you have the following data:
index=windows sourcetype=WinHostMon Type=Application
If yes, you can run a simple search like this:
index=windows sourcetype=WinHostMon Type=Application
| eval host=upper(host)
| dedup Name
| sort Name
| eval InstallDate=strftime(strptime(InstallDate,"%Y%m%d"),"%d/%m/%Y")
| table Name Vendor Version SerialNumber InstallDate InstallLocation
If you don't have those data, you have to add to your TA-Windows a script containing this command:
Get-WmiObject -Class Win32_Product *
and launch it from inputs.conf e.g. one time a day.
To know how to use a scripted input, see https://docs.splunk.com/Documentation/Splunk/latest/AdvancedDev/ScriptSetup
Ciao.
Giuseppe
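
Added example, not code from the thread or from Splunk: a PowerShell script for the scripted-input approach described in the post above. It swaps in the registry Uninstall keys for `Win32_Product`, because `Win32_Product` lists only Windows Installer (MSI) packages; the stanza name, app folder, index and sourcetype in the comments are assumptions.

```powershell
# installed_apps.ps1 - added example, not code from the thread.
# Reads the registry Uninstall keys, which also list software installed
# without Windows Installer (MSI). Machine-wide installs only: per-user
# installs registered under HKCU are not covered.
#
# Hypothetical inputs.conf stanza (app folder, index, sourcetype are assumptions):
#   [powershell://InstalledApps]
#   script = . "$SplunkHome\etc\apps\TA_installed_apps\bin\installed_apps.ps1"
#   schedule = 0 6 * * *
#   index = windows
#   sourcetype = installed_apps

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function ConvertTo-SplunkValue([object]$Value) {
    # Flatten newlines and swap double quotes so key="value" extraction stays intact.
    $text = ([string]$Value) -replace '[\r\n]+', ' ' -replace '"', "'"
    return '"' + $text.Trim() + '"'
}

function Get-InstalledApplication {
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -and -not $_.SystemComponent } |
        Sort-Object DisplayName, DisplayVersion -Unique |
        ForEach-Object {
            # InstallDate is optional; when present it is usually yyyyMMdd.
            $parsed = [datetime]::MinValue
            $ok = [datetime]::TryParseExact([string]$_.InstallDate, 'yyyyMMdd',
                [cultureinfo]::InvariantCulture,
                [System.Globalization.DateTimeStyles]::None, [ref]$parsed)
            $installDate = ''
            if ($ok) { $installDate = $parsed.ToString('yyyy-MM-dd') }
            [pscustomobject]@{
                Name = $_.DisplayName; Version = $_.DisplayVersion
                Vendor = $_.Publisher; InstallDate = $installDate
                InstallLocation = $_.InstallLocation
            }
        }
}

# Emit one timestamped key="value" line per application.
$timestamp = (Get-Date).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
Get-InstalledApplication | ForEach-Object {
    $pairs = $_.PSObject.Properties |
        ForEach-Object { '{0}={1}' -f $_.Name, (ConvertTo-SplunkValue $_.Value) }
    "$timestamp " + ($pairs -join ' ')
}
```

Many installers never write `InstallDate`, so a report of new installs can key on when a host and Name pair is first seen in the index rather than on that field.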
@gcusello
Appreciate your advice.
When I try
sourcetype=WinHostMon Type=Application
I do not have data back.
When I run
Get-WmiObject -Class Win32_Product *
in PowerShell it gets data, but nothing on install date.
I tried to modify the inputs.conf and add:
[WinHostMon://application]
type = application
interval = 60
but no data ingested.
Unfortunately I got lost with the scripting method.
Isn't it possible just to modify the inputs.conf?
Thank you again.
Hi @a_n,
the first method I described was used until last year, but then Microsoft changed something so it isn't possible to have those data.
The only way is a PowerShell script like the one I described.
I'm not a PowerShell expert so I cannot help you in this (in fact the above script was done by one of my colleagues), see in that direction because it's the right way.
Ciao.
Giuseppe
@gcusello
Appreciate your support and assistance.
Thank you
Hi @a_n,
if you use the Splunk Windows TA on your Windows servers and enable the application discovery, you'll have the list of all installed applications, with the installation date, so you can check the newly installed ones.
Ciao.
Giuseppe