Solved: How do I get to know the status of Windows Updates...

kkossery · ‎02-12-2014

Hi Experts,

I'm trying to setup the Windows Forwarder on different servers to forward the status of Windows Updates to the Splunk Server. I may have missed the document on how to do this. Can you help?

somesoni2 · ‎02-12-2014

Use this to monitor windows update log file (inputs.conf entry)

[monitor://$WINDIR\WindowsUpdate.log]
disabled = 0
sourcetype = WindowsUpdateLog

This is available as part of Splunk TA for windows app in splunk-base. You might want to look at that as well.

View solution in original post

somesoni2 · ‎02-12-2014

Use this to monitor windows update log file (inputs.conf entry)

[monitor://$WINDIR\WindowsUpdate.log]
disabled = 0
sourcetype = WindowsUpdateLog

This is available as part of Splunk TA for windows app in splunk-base. You might want to look at that as well.

idab · ‎08-25-2015

Hey guys !

So , I was wondering if I could get help here.Basically have the search I modified to check if windows updates were installed successfully(GOOD) or a FAIL. So, when i modified the search I found online .It says the updates were installed as a fail.But checking on the WSUS its says the updates installation was successful.So, i wondering if maybe there is something wrong with my search criteria / conditional clause. Looking forward to a feedback. 🙂

here is my search :
sourcetype=WinEventLog:System EventCode=19 tag=update | eval Date=strftime(_time, "%Y/%m/%d") | rex "\WKB(?.\d+)\W" | eval successRatio = if (status==installed, "GOOD" , "FAILED") | stats count by Date , host, package_title, KB , body , successRatio| sort host

kkossery · ‎02-12-2014

Thanks a lot!

How do I get to know the status of Windows Updates from different Windows servers

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life