Looking at a problem where Windows Update logs are no longer stored in the traditional location or format on Server 2016 & Windows 10. They are stored in a different path and are .etl formatted, so the standard Windows TA can't read them. A PowerShell script has to be run to manually convert the .etl logs into the standard WindowsUpdate.log format. The PowerShell command that has to be run is:
Get-WindowsUpdateLog -LogPath [path]
My question is if anyone has solved this problem using the standard Splunk Windows TA that will read the .etl format directly, without having to set up scheduled jobs on every server/host running the newer log format in order to export the .etl to .log format so the TA can read them?
Windows DNS Analytical and Diagnostic Logs is a very simple app that runs the PowerShell command to read the ETL file. I've managed to get it running; however, our local Windows expert couldn't find any nice way to get access to the ETL log excluding PowerShell commands/Windows Event Viewer (Event Viewer under certain circumstances).
I deployed the app "Windows DNS Analytical and Diagnostic Logs" on the DNS server, where the DNS Analytical logs are enabled, and I also see the log file grow with events; however, the logs are not being forwarded by the Universal Forwarder running on the DNS server.
Is anything different required for the setup?
It was working while I was using it 2 years ago, but I'm unsure today! We found Splunk Stream easier for most use cases...
It seems inevitable that a local process/script would have to convert the binary logs to a text format. I'm assuming that a Splunk forwarder is installed on the Windows servers? The forwarder is simply reading the .log files like any other text files. How about using a scripted input?
Here are some links:
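As an added example of the scripted-input approach suggested above (this is not code from the thread, from the Splunk Windows TA, or from the DNS app), the script below runs Get-WindowsUpdateLog on a schedule and appends only the lines that are newer than the previous run to a plain-text file that the Universal Forwarder can monitor, so the whole history is not re-indexed every time the converter runs. The output path, the state-file path and the assumption that every event line the cmdlet emits starts with a "yyyy/MM/dd HH:mm:ss.fffffff" timestamp are mine; Get-WindowsUpdateLog reads the .etl files from the default Windows Update log folder unless you pass -ETLPath.

```powershell
# Added example (not from the original thread, the Windows TA, or the DNS app).
# Convert the Windows Update .etl traces to text and append only lines newer than
# the last run to a file the Universal Forwarder monitors.
# Assumptions (mine): output/state file locations, and that each event line the cmdlet
# writes begins with a "yyyy/MM/dd HH:mm:ss.fffffff" timestamp (continuation lines do not).

param(
    [string]$OutPath   = "$env:ProgramData\SplunkWU\WindowsUpdate.log",   # file the UF monitors (assumed path)
    [string]$StatePath = "$env:ProgramData\SplunkWU\last_timestamp.txt"  # high-water mark (assumed path)
)

$ErrorActionPreference = 'Stop'

# Event lines start with a timestamp; the separator is normalized so string comparison orders correctly.
$tsPattern = '^(?<ts>\d{4}[./-]\d{2}[./-]\d{2} \d{2}:\d{2}:\d{2}\.\d+)'

function Get-NormalizedTimestamp([string]$line) {
    if ($line -match $tsPattern) { return ($Matches['ts'] -replace '[./-]', '/') }
    return $null
}

function Export-NewWindowsUpdateLines {
    param([string]$OutPath, [string]$StatePath)

    $dir = Split-Path -Parent $OutPath
    if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }

    # Get-WindowsUpdateLog always regenerates the complete merged log, so write it to scratch space
    # and diff it against the high-water mark instead of handing the whole file to the forwarder.
    $scratch = Join-Path $env:TEMP ("wu_{0}.log" -f [guid]::NewGuid())
    try {
        Get-WindowsUpdateLog -LogPath $scratch | Out-Null

        $lastSeen = if (Test-Path $StatePath) { ([string](Get-Content $StatePath -Raw)).Trim() } else { '' }
        $newest   = $lastSeen
        $emit     = $false
        $buffer   = New-Object System.Collections.Generic.List[string]

        foreach ($line in [System.IO.File]::ReadLines($scratch)) {
            $ts = Get-NormalizedTimestamp $line
            if ($null -ne $ts) {
                # Zero-padded, year-first timestamps compare correctly as ordinal strings.
                $emit = [string]::CompareOrdinal($ts, $lastSeen) -gt 0
                if ($emit -and [string]::CompareOrdinal($ts, $newest) -gt 0) { $newest = $ts }
            }
            # Continuation lines (no timestamp) follow the decision made for their event line.
            if ($emit) { $buffer.Add($line) }
        }

        if ($buffer.Count -gt 0) {
            # Append (not overwrite) so the forwarder's tailing position for the file stays valid;
            # UTF-8 without BOM matches Splunk's default charset for monitored text files.
            $utf8NoBom = New-Object System.Text.UTF8Encoding($false)
            [System.IO.File]::AppendAllLines($OutPath, $buffer, $utf8NoBom)
            Set-Content -Path $StatePath -Value $newest
        }
        return $buffer.Count
    }
    finally {
        if (Test-Path $scratch) { Remove-Item $scratch -Force }
    }
}

$count = Export-NewWindowsUpdateLines -OutPath $OutPath -StatePath $StatePath
Write-Host "Appended $count new Windows Update log line(s) to $OutPath"
```

Run it from a Task Scheduler job or from a PowerShell modular input (the `[powershell://...]` stanza with `script` and `schedule` settings that the Splunk Add-on for Microsoft Windows provides), and point the forwarder at the output with a `[monitor://C:\ProgramData\SplunkWU\WindowsUpdate.log]` stanza. Two caveats to check before rolling it out: the cmdlet has to run on each host that holds the .etl files, so this does not remove the per-host job the question wants to avoid, it only keeps it cheap; and on builds where Get-WindowsUpdateLog still resolves trace symbols it contacts the Microsoft public symbol server by default (see its -SymbolServer parameter), so isolated servers need a reachable symbol store or the conversion will fail.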
Linux Splunk environment... should have added that in the original note. That caveat article makes it very clear that WMI should only be used for occasional collection and is not viable for enterprise-wide collection. So, given that note, any mature enterprise moving towards Windows 10 and Server 2016 needs a stable Splunk solution for pulling Windows Update logs.
Have I mentioned that without a Splunk solution to this problem both Enterprise Security and the Windows Infrastructure app won't be able to provide any results on those two OS's?
Danger Will Robinson, Danger...