
Windows 10 / Server 2016 .etl Windows Update Log Format

david_casey
Path Finder

Looking at a problem where Windows Update logs are no longer stored in the traditional location or format on Server 2016 & Windows 10. They are stored in a different path and are .etl formatted, so the standard Windows TA can't read them. A PowerShell script has to be run to manually convert the .etl logs into the standard WindowsUpdate.log format. The PowerShell command that has to be run is:

Get-WindowsUpdateLog -LogPath [path]

My question is whether anyone has solved this problem using the standard Splunk Windows TA so that it will read the .etl format directly, without having to set up scheduled jobs on every server / host running the newer log format in order to export the .etl to .log format so the TA can read them.

gjanders
SplunkTrust

Windows DNS Analytical and Diagnostic Logs is a very simple app that runs the PowerShell command to read the ETL file. I've managed to get it running; however, our local Windows expert couldn't find any nice way to get access to the ETL log other than PowerShell commands/Windows Event Viewer (Event Viewer under certain circumstances).

0 Karma

nmohammed
Contributor

Hi @gjanders

I deployed the app "Windows DNS Analytical and Diagnostic Logs" on the DNS server, where the DNS Analytical logs are enabled, and I also see the log file grow with events; however, the logs are not being forwarded by the Universal Forwarder running on the DNS server.

Is anything different required for the setup?

Thanks

0 Karma

gjanders
SplunkTrust

While I was using it 2 years ago; I'm unsure today! We found Splunk Stream easier for most use cases...

0 Karma

nmohammed
Contributor

Thanks. Does Splunk Stream pull DNS analytics log data? If so, how can it be done? Do we need to install Splunk Stream on all the DNS servers?

0 Karma

adigrio
Path Finder

It seems inevitable that a local process/script would have to convert the binary logs to a text format. I'm assuming that a Splunk forwarder is installed on the Windows servers? The forwarder is simply reading the .log files like any other text files. How about using a scripted input?

Here are some links:

Scripted Inputs Overview
PowerShell scripted input

0 Karma
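The scripted-input approach suggested above, written out as an added example (this is not code from the thread, from Splunk, or from any TA). It runs the Get-WindowsUpdateLog cmdlet the original post names, which on Windows 10 / Server 2016 merges the circular .etl files under C:\Windows\Logs\WindowsUpdate\ into the classic text format, and then prints only the lines that a previous run has not already emitted, so the forwarder can ingest stdout without re-indexing the whole log every interval. Because the cmdlet regenerates the entire file each time and the underlying .etl files rotate, the script keys its high-water mark on the per-line timestamp rather than on a byte offset. The app name, state-file location, interval, sourcetype and index below are assumptions.

```powershell
# Added example: Splunk UF scripted input for Windows Update ETL logs (not from the original thread).
# Assumed inputs.conf on the forwarder, in a hypothetical app "TA-wu-etl":
#   [script://$SPLUNK_HOME\etc\apps\TA-wu-etl\bin\wu_etl.path]
#   interval = 900
#   sourcetype = WindowsUpdateLog
#   index = windows
# where wu_etl.path holds one line (the .path file lets Splunk start PowerShell with arguments):
#   "$SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -File "$SPLUNK_HOME\etc\apps\TA-wu-etl\bin\wu_etl.ps1"

$ErrorActionPreference = 'Stop'

# Assumed locations: state survives reboots under ProgramData; the decoded log is a throwaway temp file.
$StateDir  = Join-Path $env:ProgramData 'SplunkWuEtl'
$StateFile = Join-Path $StateDir 'last_timestamp.txt'
$OutFile   = Join-Path $env:TEMP ('WindowsUpdate_{0}.log' -f $PID)

if (-not (Test-Path $StateDir)) { New-Item -ItemType Directory -Path $StateDir | Out-Null }

# High-water mark from the previous run: the newest timestamp already sent to Splunk ('' on first run).
$Last = if (Test-Path $StateFile) { (Get-Content -Path $StateFile -Raw).Trim() } else { '' }

try {
    # Decode and merge C:\Windows\Logs\WindowsUpdate\*.etl into the classic WindowsUpdate.log text format.
    Get-WindowsUpdateLog -LogPath $OutFile | Out-Null

    # Each decoded event line starts with "yyyy/MM/dd HH:mm:ss.fffffff PID TID Component Message".
    # The fields are zero-padded, so ordinal string comparison of the prefix is chronological order.
    $Stamp    = '^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{7})'
    $Newest   = $Last
    $Emitting = $false

    foreach ($line in [System.IO.File]::ReadLines($OutFile)) {
        if ($line -match $Stamp) {
            $ts = $Matches[1]
            # Emit only events strictly newer than the high-water mark.
            $Emitting = [string]::CompareOrdinal($ts, $Last) -gt 0
            if ($Emitting -and [string]::CompareOrdinal($ts, $Newest) -gt 0) { $Newest = $ts }
        }
        # Lines without a timestamp are continuations of the preceding event and follow its decision.
        if ($Emitting) { Write-Output $line }
    }

    # Advance the high-water mark only after the whole file was written to stdout.
    if ($Newest -ne $Last) { Set-Content -Path $StateFile -Value $Newest -Encoding ASCII }
}
finally {
    Remove-Item -Path $OutFile -ErrorAction SilentlyContinue
}
```

Two caveats a practitioner should check before rolling this out. First, on some builds Get-WindowsUpdateLog decodes the ETL traces using symbols it fetches from Microsoft's public symbol server, so run the cmdlet by hand on an isolated host to confirm it produces readable text there. Second, the script skips any line whose timestamp equals the stored mark, so two events logged in the same 100 ns tick at the end of one run could be lost at the boundary; if that matters, store the full last line and compare line text as well as timestamp. On the indexer side, a props.conf stanza for the sourcetype should set LINE_BREAKER to the same timestamp regex so multi-line events are kept together.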

adigrio
Path Finder

Did you try collecting the remote events through WMI? There are some caveats on using WMI but for the odd server it may be viable.

0 Karma

david_casey
Path Finder

Linux Splunk environment... should have added that in the original note. That caveat article makes it very clear that WMI should only be used for occasional collection and is not viable for enterprise-wide collection. So, given that note, any mature enterprise moving towards Windows 10 and Server 2016 needs a stable Splunk solution for pulling Windows Update logs.

Have I mentioned that without a Splunk solution to this problem both Enterprise Security and the Windows Infrastructure app won't be able to provide any results on those two OS's?

Danger Will Robinson, Danger...

0 Karma