Getting Data In

Monitoring Windows Updates from Splunk

kholleran
Communicator

Hello,

Is there a way to monitor windows updates from Splunk? I have a VBScript that queries a remote machine for update history but for security reasons, our remote registry is turned off on these machines.

Is there a way to simply monitor this history on Splunk? My goal is to match up some of the file system changes that I see on my windows machines to Windows Update timing. I do not want to have to check the update consoles to see what is approved (and this doesn't tell me when they were actually applied).

Thanks for any help.

Kevin

hagjos43
Contributor

I know this is old but we just addressed this at work for remote networks that cannot (for a variety of reasons) utilize the windows app. The following query will work to check KB numbers on a Windows box:

sourcetype=WinEventLog:System EventCode=19 | eval Date=strftime(_time, "%Y/%m/%d")| rex "\WKB(?<KB>.\d+)\W" |stats count by Date, host, KB

Posted originally here: http://gosplunk.com/verify-windows-updates-have-been-applied/

MBerikcurtis
Path Finder

BUT what about remote computers? The only way I see is to copy the windowsupdate.log from each remote computer and have splunk index it.

lguinn2
Legend

You could put the Splunk Universal Forwarder on each remote Windows computer and have it forward the update logs. That would be beter than copying them.

tiagomiranda
Explorer

I need to change any settings on the remote machines? I installed Universal Forward on each remote Windows machine but the Windows Update logs didn't come.

0 Karma

gkanapathy
Splunk Employee
Splunk Employee

You can use the Splunk Windows app. It works by collecting the WindowsUpdate.log file (located in the windows\system32 folder I believe) and parsing out the information that's available from there.

0 Karma

Ron_Naken
Splunk Employee
Splunk Employee

This is covered by the Windows app, out of the box. It even contains dashboards and reports to track this for you.

Get Updates on the Splunk Community!

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Hey Splunky People! We are excited to share the latest updates in Splunk Enterprise 9.4. In this release we ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...