Pending Windows Updates
I was wondering if anyone was able to come up with a query that parsed either the event viewer or windows update log for windows updates that have been downloaded but not yet installed.
I've seen the examples of successful installs or failed installs or what has been installed but can't seem to locate where to find what "needs" to be installed.
The reason I ask is it would be nice to have a dashboard that queries all my servers and tells me I have pending windows updates to install without having to go to each individual server in turn and look at the windows update program.
Official comment
Sorry for the delay, just spotted this one. Not sure if true for every version of Windows, but downloaded is EventCode 17 from the update client. This event can have multiple patches that need to be installed. Here's something that I think could extract downloaded Windows updates. It's a starting point only; just replace xxx with your source category.
_sourceCategory=xxx _sourceName=System "EventCode = 17;" WindowsUpdateClient
| parse "InsertionStrings = {\"*\"};" as insertionstrings nodrop
| parse regex field=insertionstrings "(?<winupdate>.*)\n" multi nodrop
| count by _sourcehost, winupdate
I could envision doing a transaction on a concat of sourcehost and winupdate to see if an event code 19 followed for each, but I think the more common use case is to just look for fail event code 20s, as exists in the Sumo Logic Windows app that you can install to borrow code.
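The correlation the comment above envisions, a downloaded event (17) per host and update matched against any later installed (19) or failed (20) event for the same pair, as an added Python example that is not part of this thread or of the Sumo Logic Windows app. The event records are constructed in the abbreviated Sumo Logic Windows event format the query parses; the ComputerName field and the 17/19/20 meanings are assumed from the comment above.

```python
import re
from collections import defaultdict

# Constructed sample events in the abbreviated shape the query above parses
# (Sumo Logic Windows event format); not real log data. The 17/19/20 meanings
# (downloaded / installed / failed) follow the comment above and are assumed.
SAMPLE_EVENTS = [
    'EventCode = 17; SourceName = Microsoft-Windows-WindowsUpdateClient; '
    'ComputerName = srv01; InsertionStrings = {"KB5000001 Update\nKB5000002 Update"};',
    'EventCode = 19; SourceName = Microsoft-Windows-WindowsUpdateClient; '
    'ComputerName = srv01; InsertionStrings = {"KB5000001 Update"};',
    'EventCode = 17; SourceName = Microsoft-Windows-WindowsUpdateClient; '
    'ComputerName = srv02; InsertionStrings = {"KB5000003 Update"};',
    'EventCode = 20; SourceName = Microsoft-Windows-WindowsUpdateClient; '
    'ComputerName = srv02; InsertionStrings = {"KB5000003 Update"};',
]

CODE_RE = re.compile(r'EventCode = (?P<code>\d+);')
HOST_RE = re.compile(r'ComputerName = (?P<host>[^;]+);')   # field name assumed
INSERT_RE = re.compile(r'InsertionStrings = \{"(?P<strings>.*?)"\};', re.S)
STATUS = {17: 'pending', 19: 'installed', 20: 'failed'}

def parse_event(raw):
    """Return (event code, host, [update titles]) from one event record."""
    code = int(CODE_RE.search(raw).group('code'))
    host = HOST_RE.search(raw).group('host').strip()
    m = INSERT_RE.search(raw)
    # One update title per line, exactly as the multi-line parse regex in the query splits them.
    titles = [t.strip() for t in m.group('strings').split('\n') if t.strip()] if m else []
    return code, host, titles

def update_status(events):
    """Map (host, update title) to the status of its latest 17/19/20 event; events in time order."""
    state = {}
    for raw in events:
        code, host, titles = parse_event(raw)
        if code in STATUS:
            for title in titles:
                state[(host, title)] = STATUS[code]
    return state

def pending_by_host(events):
    """Hosts with updates downloaded but neither installed nor failed, for a dashboard."""
    pending = defaultdict(list)
    for (host, title), status in update_status(events).items():
        if status == 'pending':
            pending[host].append(title)
    return {host: sorted(titles) for host, titles in pending.items()}
```

A 17 followed by a 20 for the same host and update drops out of the pending list but stays visible as 'failed' in update_status, which is the case the comment above suggests alerting on.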
I actually ended up modifying the Windows script WUA_SearchDownloadInstall that is built into all versions of Windows so it would give me the output from a Windows Update call, and then used that script's output and parsed it to SUMO.
It was quite the endeavor.
If you look in the "APP" PCI Compliance, there is a dashboard 06 that does a fairly good job of parsing the data from Windows, but the issue is with producing output from all Windows versions. I believe Windows 2016 does not have event entries for all I was looking for.