Pending Windows Updates

  • Official comment
    Matt Sullivan

    Sorry for the delay, just spotted this one. Not sure if it's true for every version of Windows, but "downloaded" is EventCode 17 from the update client. This event can have multiple patches that need to be installed. Here's something that I think could extract downloaded Windows updates. It's a starting point only; just replace xxx with your source category.

    _sourceCategory=xxx _sourceName=System "EventCode = 17;" WindowsUpdateClient
    | parse "InsertionStrings = {\"*\"};" as insertionstrings nodrop
    | parse regex field=insertionstrings "(?<winupdate>.*)\n" multi nodrop
    | count _sourcehost, winupdate

    I could envision doing a transaction on a concat of sourcehost and winupdate to see if an event code 19 followed for each, but I think the more common use case is to just look for the failure event code 20s, as exists in the Sumo Logic Windows app that you can install to borrow code from.
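    The same grouping, plus the "did a 19 follow the 17?" correlation described above, worked through offline as an added example (not part of Matt's reply and not Sumo Logic's own code). It runs over a few constructed events shaped like the "Key = value;" Windows event text the query above parses; the host names, update titles and KB numbers are invented, and the assumption that an event 20 carries an error code string ahead of the update title is mine, not something the thread states.

```python
import re
from collections import defaultdict

# Constructed sample events, shaped like the "Key = value;" Windows event text
# the query in the thread parses. Hosts, titles and KB numbers are invented.
SAMPLE_EVENTS = [
    'ComputerName = srv01; EventCode = 17; Logfile = System; '
    'SourceName = Microsoft-Windows-WindowsUpdateClient; '
    'InsertionStrings = {"Cumulative Update for Windows Server (KB0000001)\n'
    'Security Update for Widget Runtime (KB0000002)\n"}; Type = Information',
    'ComputerName = srv01; EventCode = 19; Logfile = System; '
    'SourceName = Microsoft-Windows-WindowsUpdateClient; '
    'InsertionStrings = {"Cumulative Update for Windows Server (KB0000001)"}; '
    'Type = Information',
    'ComputerName = srv02; EventCode = 17; Logfile = System; '
    'SourceName = Microsoft-Windows-WindowsUpdateClient; '
    'InsertionStrings = {"Cumulative Update for Windows Server (KB0000001)\n"}; '
    'Type = Information',
    # Assumption: a failure event carries an error code string before the title.
    'ComputerName = srv02; EventCode = 20; Logfile = System; '
    'SourceName = Microsoft-Windows-WindowsUpdateClient; '
    'InsertionStrings = {"0x80070002","Cumulative Update for Windows Server (KB0000001)"}; '
    'Type = Error',
    # Unrelated System event, included to show the source filter is applied.
    'ComputerName = srv02; EventCode = 7036; Logfile = System; '
    'SourceName = Service Control Manager; '
    'InsertionStrings = {"Windows Update","running"}; Type = Information',
]

HOST_RE = re.compile(r'ComputerName = ([^;]+);')
CODE_RE = re.compile(r'EventCode = (\d+);')
SRC_RE = re.compile(r'SourceName = ([^;]+);')
INS_RE = re.compile(r'InsertionStrings = \{(.*?)\};', re.DOTALL)
QUOTED_RE = re.compile(r'"((?:[^"\\]|\\.)*)"', re.DOTALL)

DOWNLOADED, INSTALLED, FAILED = 17, 19, 20   # event codes named in the thread


def parse_event(text):
    """Return (host, code, [update titles]) for a WindowsUpdateClient event, else None."""
    src = SRC_RE.search(text)
    if not src or "WindowsUpdateClient" not in src.group(1):
        return None
    host = HOST_RE.search(text).group(1).strip()
    code = int(CODE_RE.search(text).group(1))
    ins = INS_RE.search(text)
    titles = []
    if ins:
        for quoted in QUOTED_RE.findall(ins.group(1)):
            # Event 17 packs several titles into one string separated by
            # newlines (why the query uses a `multi` parse); split them out
            # and drop strings that look like an HRESULT rather than a title.
            for line in quoted.split("\n"):
                line = line.strip()
                if line and not line.startswith("0x"):
                    titles.append(line)
    return host, code, titles


def summarize(events):
    """Group by (host, update) as `count _sourcehost, winupdate` does, then
    derive pending = downloaded (17) with no later success (19), and failed (20)."""
    seen = defaultdict(set)          # event code -> {(host, title)}
    for raw in events:
        parsed = parse_event(raw)
        if parsed is None:
            continue
        host, code, titles = parsed
        for title in titles:
            seen[code].add((host, title))
    downloaded = seen[DOWNLOADED]
    return {
        "downloaded": sorted(downloaded),
        "pending": sorted(downloaded - seen[INSTALLED]),
        "failed": sorted(seen[FAILED]),
    }


if __name__ == "__main__":
    for bucket, rows in summarize(SAMPLE_EVENTS).items():
        print(bucket)
        for host, title in rows:
            print(f"  {host}: {title}")
```

    With the sample above, srv01 still has one downloaded update with no success event and srv02's only update both remains pending and shows up under failed, which is the split between Matt's transaction idea and the simpler "look for 20s" approach.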

  • Verena Brügger

    Did it work for you Dave?
    Because I have the same issue...

  • Verena Brügger

    ... And Matt, which Windows version are you using?

  • Dave Hampel

    I actually ended up modifying the Windows script WUA_SearchDownloadInstall that is built into all versions of Windows so it would give me the output from a Windows Update call, and then used that script's output and parsed it into Sumo.

    It was quite the endeavor.

    If you look in the PCI Compliance app there is a dashboard 06 that does a fairly good job of parsing the data from Windows, but the issue is with producing output from all Windows versions. I believe Windows 2016 does not have event entries for all I was looking for.
