Pending Windows Updates

Follow
Avatar
Dave Hampel

I was wondering if anyone was able to come up with a query that parsed either the event viewer or windows update log for windows updates that have been downloaded but not yet installed.

I've seen the examples of successful installs or failed installs or what has been installed but can't seem to locate where to find what "needs" to be installed.

The reason I ask is it would be nice to have a dashboard that queries all my servers and tells me I have pending windows updates to install without having to go to each individual server in turn and look at the windows update program.

0

Comments

4 comments

Sort by Date Votes
  • Official comment
    Avatar
    Matt

    sorry for delay, just spotted this one. not sure if true for every version of windows, but downloaded is eventcode 17 from the update client. this event can have multiple patches that need to be installed. here's something that I think could extract downloaded win updates. it's a starting point only, just replace xxx with your source category.

    _sourceCategory=xxx _sourceName=System "EventCode = 17;" WindowsUpdateClient
    | parse "InsertionStrings = {\"*\"};" as insertionstrings nodrop
    | parse regex field=insertionstrings "(?<winupdate>.*)\n" multi nodrop
    | count _sourcehost, winupdate

    I could envision doing a transaction on a concat of sourcehost and winupdate to see if an event code 19 followed for each, but I think the more common use case is to just look for fail event code 20s, as exists in the Sumo Logic Windows app that you can install to borrow code.

    Comment actions Permalink
  • Avatar
    Verena Brügger

    Did it work for you Dave?
    Because I have the same issue...

    0
    Comment actions Permalink
  • Avatar
    Verena Brügger

    ... And Matt which Window version are you using?

    0
    Comment actions Permalink
  • Avatar
    Dave Hampel

    I actually ended up modifying the windows script WUA_SearchDownloadInstall that is built in to all versions of windows so it would give me the output from a Windows Update call and then used that script's output and parsed it to SUMO.

    It was quite the endeavor.

    If you look in the "APP" PCI Compliance there is a dashboard 06 that does a fairly good job of parsing the data from windows but the issue is with producing output from all windows versions. I believe windows 2016 does not have event entries for all I was looking for.

    1
    Comment actions Permalink

Please sign in to leave a comment.

Didn't find what you were looking for?

New post