Pending Windows Updates
I was wondering if anyone was able to come up with a query that parsed either the event viewer or windows update log for windows updates that have been downloaded but not yet installed.
I've seen the examples of successful installs or failed installs or what has been installed but can't seem to locate where to find what "needs" to be installed.
The reason I ask is it would be nice to have a dashboard that queries all my servers and tells me I have pending windows updates to install without having to go to each individual server in turn and look at the windows update program.
-
Official comment
sorry for delay, just spotted this one. not sure if true for every version of windows, but downloaded is eventcode 17 from the update client. this event can have multiple patches that need to be installed. here's something that I think could extract downloaded win updates. it's a starting point only, just replace xxx with your source category.
_sourceCategory=xxx _sourceName=System "EventCode = 17;" WindowsUpdateClient
| parse "InsertionStrings = {\"*\"};" as insertionstrings nodrop
| parse regex field=insertionstrings "(?<winupdate>.*)\n" multi nodrop
| count _sourcehost, winupdateI could envision doing a transaction on a concat of sourcehost and winupdate to see if an event code 19 followed for each, but I think the more common use case is to just look for fail event code 20s, as exists in the Sumo Logic Windows app that you can install to borrow code.
Please sign in to leave a comment.
Comments
1 comment