Getting Data In

Monitoring Windows Updates from Splunk

Communicator

Hello,

Is there a way to monitor windows updates from Splunk? I have a VBScript that queries a remote machine for update history but for security reasons, our remote registry is turned off on these machines.

Is there a way to simply monitor this history on Splunk? My goal is to match up some of the file system changes that I see on my windows machines to Windows Update timing. I do not want to have to check the update consoles to see what is approved (and this doesn't tell me when they were actually applied).

Thanks for any help.

Kevin

Contributor

I know this is old but we just addressed this at work for remote networks that cannot (for a variety of reasons) utilize the windows app. The following query will work to check KB numbers on a Windows box:

sourcetype=WinEventLog:System EventCode=19 | eval Date=strftime(_time, "%Y/%m/%d")| rex "\WKB(?<KB>.\d+)\W" |stats count by Date, host, KB

Posted originally here: http://gosplunk.com/verify-windows-updates-have-been-applied/

Path Finder

BUT what about remote computers? The only way I see is to copy the windowsupdate.log from each remote computer and have splunk index it.

Legend

You could put the Splunk Universal Forwarder on each remote Windows computer and have it forward the update logs. That would be beter than copying them.

Explorer

I need to change any settings on the remote machines? I installed Universal Forward on each remote Windows machine but the Windows Update logs didn't come.

0 Karma

Splunk Employee
Splunk Employee

You can use the Splunk Windows app. It works by collecting the WindowsUpdate.log file (located in the windows\system32 folder I believe) and parsing out the information that's available from there.

0 Karma

Splunk Employee
Splunk Employee

This is covered by the Windows app, out of the box. It even contains dashboards and reports to track this for you.