Microsoft Windows Update
Windows Update is a Windows system service that manages the updates for the Windows operating system. Updates and patches are scheduled to be released through Windows Update on every second Tuesday of the month.
Windows Update logs are accessible in two ways depending on the version of your operating system:
- Via Event Tracing for Windows (ETW), for Windows 10, Windows Server 2016 and Windows Server 2019.
- Via the file system, in earlier versions of Windows.
Log collection via Event Tracing for Windows
The im_etw module of NXLog allows collecting Windows Update logs from Windows 10, Windows Server 2016 and Windows Server 2019.
The following configuration collects Windows Update logs using the im_etw module. The collected logs are then converted to JSON using the xm_json extension module.
<Extension _json>
    Module    xm_json
</Extension>
<Input in_etw>
    Module    im_etw
    Provider  Microsoft-Windows-WindowsUpdateClient
    Exec      to_json();
</Input>

Output sample:
{
  "SourceName": "Microsoft-Windows-WindowsUpdateClient",
  "ProviderGuid": "{945A8954-C147-4ACD-923F-40C45405A658}",
  "EventID": 38,
  "Version": 0,
  "Channel": 16,
  "OpcodeValue": 17,
  "TaskValue": 1,
  "Keywords": "4611686018427388544",
  "EventTime": "2019-06-06T15:08:01.098200+02:00",
  "ExecutionProcessID": 820,
  "ExecutionThreadID": 2440,
  "EventType": "INFO",
  "SeverityValue": 2,
  "Severity": "INFO",
  "Domain": "NT AUTHORITY",
  "AccountName": "SYSTEM",
  "UserID": "S-1-5-18",
  "AccountType": "User",
  "EventReceivedTime": "2019-06-06T15:08:01.847001+02:00",
  "SourceModuleName": "in_etw",
  "SourceModuleType": "im_etw"
}

File-based log collection
Prior to the release of Windows Server 2016 and Windows 10, all Windows Update logs were stored in the WindowsUpdate.log file under the %SystemRoot% directory.
Note: Although this log file is deprecated, it can still be generated as described in the Generating WindowsUpdate.log Microsoft article.
The following configuration collects and parses logs using the im_file module. The parser regular expression is based on the Windows Update log files section of the Microsoft documentation, which describes the tab-separated fields of each line (date, time, process ID, thread ID, component and message).
<Extension _json>
    Module    xm_json
</Extension>
define windowsupdate /(?x)(?<Date>([\d\-]+))\s+ \
                        (?<Time>([\d\:]+))\s+ \
                        (?<PID>\d{3,5})\s+ \
                        (?<TID>([\d\w]+))\s+ \
                        (?<Category>(\w+))\s+ \
                        (?<Message>(.*)) /
<Input windowsupdate>
    Module     im_file
    File       'C:\Windows\WindowsUpdate.log'
    <Exec>
        $raw_event =~ %windowsupdate%;
        $EventTime = ($Date + ' ' + $Time);
        to_json();
    </Exec>
</Input>

Input sample:
2019-06-06	18:22:14:390	1012	1080	DnldMgr	PurgeContentForPatchUpdates removing unused directory "b7c04a03c3650087ddea456a018dba62"

Output sample:
{
  "EventReceivedTime": "2019-06-06T18:22:14.843037+02:00",
  "SourceModuleName": "windowsupdate",
  "SourceModuleType": "im_file",
  "Category": "DnldMgr",
  "Date": "2019-06-06",
  "Message": "PurgeContentForPatchUpdates removing unused directory \"b7c04a03c3650087ddea456a018dba62\"",
  "PID": "1012",
  "TID": "1080",
  "Time": "18:22:14:390",
  "EventTime": "2019-06-06 18:22:14:390"
}
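To check that the parser pattern from the configuration above actually splits a legacy WindowsUpdate.log line into the fields shown in the output sample, the following Python script (an added example, not NXLog code) translates the %windowsupdate% regular expression one-to-one into Python's verbose-mode syntax and applies it to constructed sample lines. The sample lines, the parse_line and parse_lines function names, and the unparsed-line counter are assumptions made for this example; the regular expression and the EventTime = Date + ' ' + Time concatenation mirror the configuration. The third sample line deliberately does not follow the format, so the example also shows how a line that the pattern rejects is reported rather than silently turned into a half-filled record.

```python
import json
import re

# Python translation of the NXLog %windowsupdate% define above
# (verbose mode, same named groups, same character classes).
WINDOWSUPDATE_RE = re.compile(r"""
    (?P<Date>[\d\-]+)\s+
    (?P<Time>[\d:]+)\s+
    (?P<PID>\d{3,5})\s+
    (?P<TID>[\d\w]+)\s+
    (?P<Category>\w+)\s+
    (?P<Message>.*)
""", re.VERBOSE)

# Constructed sample lines in the legacy tab-separated WindowsUpdate.log
# format (not taken from a real host); the last one is deliberately
# malformed to exercise the non-matching path.
SAMPLE_LINES = [
    "2019-06-06\t18:22:14:390\t1012\t1080\tDnldMgr\t"
    "PurgeContentForPatchUpdates removing unused directory "
    "\"b7c04a03c3650087ddea456a018dba62\"",
    "2019-06-06\t18:22:15:012\t1012\t1080\tAgent\t"
    "  * Found 0 updates and 1 categories in search",
    "this line does not follow the format",
]


def parse_line(line):
    """Parse one WindowsUpdate.log line into a dict carrying the same
    fields the NXLog configuration produces (Date, Time, PID, TID,
    Category, Message, EventTime). Returns None if the line does not
    match the pattern."""
    match = WINDOWSUPDATE_RE.match(line)
    if match is None:
        return None
    record = match.groupdict()
    # Same concatenation as $EventTime = ($Date + ' ' + $Time) in the config.
    record["EventTime"] = record["Date"] + " " + record["Time"]
    return record


def parse_lines(lines):
    """Parse a sequence of lines; return (records, number_of_unparsed_lines)
    so that lines the pattern rejects are counted instead of dropped."""
    records = []
    unparsed = 0
    for line in lines:
        record = parse_line(line.rstrip("\r\n"))
        if record is None:
            unparsed += 1
        else:
            records.append(record)
    return records, unparsed


if __name__ == "__main__":
    parsed, bad = parse_lines(SAMPLE_LINES)
    for rec in parsed:
        print(json.dumps(rec))
    print(f"{bad} line(s) did not match the WindowsUpdate.log format")
```

Note that, as in the NXLog configuration, the greedy \s+ after Category swallows any leading whitespace of the message, so a message such as "  * Found 0 updates" is stored without its leading spaces; if that leading indentation matters for your parsing, anchor the Message group with a single separator instead.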