Getting Data In
Highlighted

Monitoring Windows Updates from Splunk

Communicator

Hello,

Is there a way to monitor windows updates from Splunk? I have a VBScript that queries a remote machine for update history but for security reasons, our remote registry is turned off on these machines.

Is there a way to simply monitor this history on Splunk? My goal is to match up some of the file system changes that I see on my windows machines to Windows Update timing. I do not want to have to check the update consoles to see what is approved (and this doesn't tell me when they were actually applied).

Thanks for any help.

Kevin

Highlighted

Re: Monitoring Windows Updates from Splunk

Splunk Employee
Splunk Employee

This is covered by the Windows app, out of the box. It even contains dashboards and reports to track this for you.

Highlighted

Re: Monitoring Windows Updates from Splunk

Splunk Employee
Splunk Employee

You can use the Splunk Windows app. It works by collecting the WindowsUpdate.log file (located in the windows\system32 folder I believe) and parsing out the information that's available from there.

0 Karma
Highlighted

Re: Monitoring Windows Updates from Splunk

Path Finder

BUT what about remote computers? The only way I see is to copy the windowsupdate.log from each remote computer and have splunk index it.

Highlighted

Re: Monitoring Windows Updates from Splunk

Legend

You could put the Splunk Universal Forwarder on each remote Windows computer and have it forward the update logs. That would be beter than copying them.

Highlighted

Re: Monitoring Windows Updates from Splunk

Explorer

I need to change any settings on the remote machines? I installed Universal Forward on each remote Windows machine but the Windows Update logs didn't come.

0 Karma
Highlighted

Re: Monitoring Windows Updates from Splunk

Contributor

I know this is old but we just addressed this at work for remote networks that cannot (for a variety of reasons) utilize the windows app. The following query will work to check KB numbers on a Windows box:

sourcetype=WinEventLog:System EventCode=19 | eval Date=strftime(_time, "%Y/%m/%d")| rex "\WKB(?<KB>.\d+)\W" |stats count by Date, host, KB

Posted originally here: http://gosplunk.com/verify-windows-updates-have-been-applied/