Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Monitoring Windows Updates from Splunk

kholleran
Communicator
‎02-14-2011 04:46 PM

Hello,

Is there a way to monitor windows updates from Splunk? I have a VBScript that queries a remote machine for update history but for security reasons, our remote registry is turned off on these machines.

Is there a way to simply monitor this history on Splunk? My goal is to match up some of the file system changes that I see on my windows machines to Windows Update timing. I do not want to have to check the update consoles to see what is approved (and this doesn't tell me when they were actually applied).

Thanks for any help.

Kevin

Reply

hagjos43
Contributor
‎04-20-2015 04:24 PM

I know this is old but we just addressed this at work for remote networks that cannot (for a variety of reasons) utilize the windows app. The following query will work to check KB numbers on a Windows box:

sourcetype=WinEventLog:System EventCode=19 | eval Date=strftime(_time, "%Y/%m/%d")| rex "\WKB(?<KB>.\d+)\W" |stats count by Date, host, KB

Posted originally here: http://gosplunk.com/verify-windows-updates-have-been-applied/

Reply

MBerikcurtis
Path Finder
‎11-02-2011 08:43 AM

BUT what about remote computers? The only way I see is to copy the windowsupdate.log from each remote computer and have splunk index it.

Reply

lguinn2
Legend
‎11-02-2011 09:13 AM

You could put the Splunk Universal Forwarder on each remote Windows computer and have it forward the update logs. That would be beter than copying them.

Reply

tiagomiranda
Explorer
‎03-02-2016 04:12 AM

I need to change any settings on the remote machines? I installed Universal Forward on each remote Windows machine but the Windows Update logs didn't come.

0 Karma
Reply

gkanapathy
Splunk Employee
Splunk Employee
‎02-14-2011 06:34 PM

You can use the Splunk Windows app. It works by collecting the WindowsUpdate.log file (located in the windows\system32 folder I believe) and parsing out the information that's available from there.

0 Karma
Reply

Ron_Naken
Splunk Employee
Splunk Employee
‎02-14-2011 05:55 PM

This is covered by the Windows app, out of the box. It even contains dashboards and reports to track this for you.

Reply
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...