The Windows Event Viewer is lousy. We can do better in Splunk, and it will be a nice test case for the new AppFx framework. Since AppFx is still in early development, I have intentionally done my thinking about viewing Windows events in Splunk before learning what has been done so far on AppFx.
I trawled through questions tagged with ‘windows’ on ServerFault, looking for issues people were trying to diagnose. A few came up as clear, obvious areas where we can provide a lot of value very quickly:
- When were systems booted, shut down, and restarted over the history of the machine, how long did it take, and where was that time spent?
- When were applications/MSIs installed, changed, or uninstalled, and what are their details (GUIDs, etc.)?
- Which Windows updates were applied when? Which were opted out of?
- What programs have bound and released TCP ports over time? What program is dead but hasn’t released the port you need?
- What are the IPs and other information bound to various networ
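Before any of this reaches Splunk, it helps to know which raw events actually carry the answers. The PowerShell below is an added example, not code from the original post and not part of Splunk or AppFx: it pulls the events behind the first three questions from a single host's own logs. The event IDs are the standard Windows ones (Event Log service 6005/6006/6008, User32 1074, MsiInstaller 1033/1034/11707/11724, WindowsUpdateClient 19/20); they are not listed on the page, and the uptime-session pairing is my own logic.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell on
# the host being examined. Event IDs are the standard Windows ones, not values
# taken from the page.

# --- Boot / shutdown / restart history --------------------------------------
# 6005 = Event Log service started (one per boot), 6006 = stopped (clean shutdown),
# 6008 = previous shutdown was unexpected (logged at the *next* boot, so its
# TimeCreated is a boot time, not the crash time), 1074 = who requested a
# shutdown/restart and the stated reason.
$bootEvents = Get-WinEvent -FilterHashtable @{
    LogName = 'System'
    Id      = 6005, 6006, 6008, 1074
} -ErrorAction SilentlyContinue

function Get-UptimeSessions {
    # Pair each 6005 with the next 6006. A 6005 that follows another 6005 with
    # no 6006 between them means the earlier session ended without a clean stop
    # (crash or power loss), which is the same condition a 6008 reports.
    param([Parameter(Mandatory)] [object[]] $Events)

    $sessions = New-Object System.Collections.Generic.List[object]
    $start = $null
    foreach ($e in ($Events | Where-Object { $_.Id -in 6005, 6006 } | Sort-Object TimeCreated)) {
        if ($e.Id -eq 6005) {
            if ($start) {
                $sessions.Add([pscustomobject]@{
                    Booted = $start; Stopped = $null; Uptime = $null; CleanShutdown = $false
                })
            }
            $start = $e.TimeCreated
        }
        elseif ($start) {
            $sessions.Add([pscustomobject]@{
                Booted = $start; Stopped = $e.TimeCreated
                Uptime = $e.TimeCreated - $start; CleanShutdown = $true
            })
            $start = $null
        }
    }
    if ($start) {
        # Current session: still running, so no stop event yet.
        $sessions.Add([pscustomobject]@{
            Booted = $start; Stopped = $null; Uptime = (Get-Date) - $start; CleanShutdown = $null
        })
    }
    return $sessions
}

Get-UptimeSessions -Events $bootEvents | Format-Table -AutoSize

# Who asked for each restart, and why (the first line of the 1074 message names
# the process and user; the reason text follows).
$bootEvents | Where-Object Id -eq 1074 | Sort-Object TimeCreated |
    Select-Object TimeCreated, @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -Wrap

# "Where was the boot time spent" is not in the System log at all; if boot
# performance diagnostics are enabled, look in
# Microsoft-Windows-Diagnostics-Performance/Operational, event 100.

# --- Application / MSI installs, changes, removals ----------------------------
# MsiInstaller writes 1033 (install finished) and 1034 (removal finished) with
# product name, version, language and manufacturer in the message; 11707/11724
# are the per-package "installation/removal completed successfully" records.
$msiEvents = Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'MsiInstaller'
    Id           = 1033, 1034, 11707, 11724
} -ErrorAction SilentlyContinue

$msiEvents | Sort-Object TimeCreated |
    Select-Object TimeCreated, Id, @{ Name = 'Product'; Expression = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -Wrap

# --- Windows Update history ---------------------------------------------------
# Microsoft-Windows-WindowsUpdateClient: 19 = installation succeeded, 20 = failed.
# The update title (and KB number, when present) is in the message text.
$wuEvents = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-WindowsUpdateClient'
    Id           = 19, 20
} -ErrorAction SilentlyContinue

$wuEvents | Sort-Object TimeCreated |
    Select-Object TimeCreated, Id, @{ Name = 'Update'; Expression = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -Wrap
```

Two caveats worth keeping in mind when indexing these in Splunk: 6008 is timestamped at the following boot, so the crash time has to be parsed out of its message rather than taken from the event time; and the TCP port question in the list has no counterpart in the default logs at all. Windows only records listens and binds (Security log 5154 and 5158) once "Audit Filtering Platform Connection" is enabled, so the port history has to be switched on before it can be searched.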