AlexanderWagner-6401 asked SwathiDhanwada-MSFT edited

Monitor/alert after automatic updates

Hello,

We have some Azure VMs which receive automatic OS updates. These are monitored via simple alert rules like:

AzureDiagnostics
| where ResourceProvider == "MICROSOFT.AUTOMATION" and Category == "JobStreams" and StreamType_s == "Error"
| project TimeGenerated , RunbookName_s , StreamType_s , _ResourceId , ResultDescription , JobId_g

or

AzureDiagnostics
| where ResourceProvider == "MICROSOFT.AUTOMATION" and Category == "JobLogs" and (ResultType == "Failed" or ResultType == "Stopped" or ResultType == "Suspended") and datetime_diff('day',now(),TimeGenerated) <= 1

Now we also want to monitor successful automatic updates, if possible with some additional information (like how many updates have been installed).

A query like

AzureDiagnostics
| where ResourceProvider == "MICROSOFT.AUTOMATION" and Category == "JobLogs" and ResultType == "Completed"

only gives me the information when the job completed.

UpdateRunProgress
| where SubscriptionId == "xxx" and InstallationStatus == 'Succeeded'

gives me good information but also gave me different information for the last successful run on Sunday (there were 3 updates installed, but I get 5 successful results with the query).

Is there a better way to get an alert for the update runs?

azure-monitor azure-automation
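An added example (not part of the original question or answer) of how the UpdateRunProgress query could be reshaped so that it reports one row per Linux machine and update run, counting each update once. It assumes that the inflated count comes from UpdateRunProgress emitting several progress records for the same update within one run, that the run-scoped columns UpdateRunName and UpdateId exist on the table as listed in the Update Management documentation, and that "xxx" is a placeholder for the subscription ID:

```kusto
// Added example: distinct successfully installed updates per Linux machine and run.
// "xxx" is a placeholder for the subscription ID; UpdateRunName / UpdateId are assumed
// to be present on UpdateRunProgress as documented for Update Management.
UpdateRunProgress
| where TimeGenerated > ago(1d)
| where SubscriptionId == "xxx" and OSType == "Linux"
// Keep only the latest status record per (run, machine, update) so repeated
// progress rows for the same package do not inflate the count.
| summarize arg_max(TimeGenerated, InstallationStatus, Title) by UpdateRunName, Computer, UpdateId
| where InstallationStatus == "Succeeded"
// One row per machine and run, with the number of distinct updates installed
// and the package titles, which can be surfaced in the alert e-mail.
| summarize InstalledUpdates = dcount(UpdateId),
            Titles = make_set(Title, 50),
            LastStatusTime = max(TimeGenerated)
  by UpdateRunName, Computer
| order by LastStatusTime desc
```

Used as a log alert query with a "number of results greater than 0" condition, each fired alert carries the InstalledUpdates count per machine in its search results; the dcount over the deduplicated rows is what should be compared against the number the portal shows for the run.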

1 Answer

SwathiDhanwada-MSFT answered SwathiDhanwada-MSFT edited

@AlexanderWagner-6401 Welcome to Microsoft Q & A Community Forum. Update Management collects records for Windows and Linux VMs and the data types that appear in log search results. You can get information of the updates from logs stored in the different tables. Below are the tables where Update Management stores the data.

  • RequiredUpdate: has information on which updates are required by a machine.

  • Update: represents updates available and their installation status for a machine.

  • UpdateAgent: provides details of the update agent on the machine.

  • UpdateRunProgress: provides update deployment status of a scheduled deployment by machine.

  • UpdateSummary: provides an update summary by machine.

You can query these tables to get the required information and set up a log alert query on the same. For example, to get the list of missing updates for the machines, you can use the query below.

Update
| where TimeGenerated>ago(14h) and OSType!="Linux" and (Optional==false or Classification has "Critical" or Classification has "Security") and VMUUID=~"8bf1ccc6-b6d3-4a0b-a643-23f346dfdf82"
| summarize hint.strategy=partitioned arg_max(TimeGenerated, UpdateState, Classification, Title, KBID, PublishedDate, Approved) by Computer, SourceComputerId, UpdateID
| where UpdateState=~"Needed" and Approved!=false
| project-away UpdateState, Approved, TimeGenerated
| summarize computersCount=dcount(SourceComputerId, 2), displayName=any(Title), publishedDate=min(PublishedDate), ClassificationWeight=max(iff(Classification has "Critical", 4, iff(Classification has "Security", 2, 1))) by id=strcat(UpdateID, "_", KBID), classification=Classification, InformationId=strcat("KB", KBID), InformationUrl=iff(isnotempty(KBID), strcat("https://support.microsoft.com/kb/", KBID), ""), osType=2
| sort by ClassificationWeight desc, computersCount desc, displayName asc
| extend informationLink=(iff(isnotempty(InformationId) and isnotempty(InformationUrl), toobject(strcat('{ "uri": "', InformationUrl, '", "text": "', InformationId, '", "target": "blank" }')), toobject('')))
| project-away ClassificationWeight, InformationId, InformationUrl

For more information on Update Management tables and sample queries, check this document, and to create a log alert, check this document.


Hi @SwathiDhanwada-MSFT,

Thank you very much for your answer. I found this script as well in the documentation about Update Management. This is however not what I'm trying to achieve (also, the machines are Linux machines, which I didn't mention before).

I'm not trying to see if there are any updates missing on the machines. The thing that I would like to work is an alert after the Linux machines got patched automatically, sending an e-mail with the info "x amount of updates have successfully been installed on the machine".

The closest I got was something like:

UpdateRunProgress
| where SubscriptionId == "xxx" and InstallationStatus == 'Succeeded'
| summarize count()

which yields results that differ from the number in the GUI, so I think it's the wrong approach. Do you have another idea?


@AlexanderWagner-6401 Categorization is done for Linux updates as Security or Others based on the OVAL files, which include updates addressing security issues or vulnerabilities. But when the update schedule is run, it executes on the Linux machine using the appropriate package manager like YUM, APT, or ZYPPER to install them. The package manager for the Linux distro may have a different mechanism to classify updates, where the results may differ from the ones obtained from OVAL files by Update Management.

This doesn't affect the deployment of updates. As a different logic is used in security update assessments, the query might differ from the security updates applied during deployment. For more information about this, you can refer to this document.

The same information is shown in the portal, as in the image below.

188748-image.png

As far as I know, the only way is to use the UpdateRunProgress or Update table to retrieve the installation status of the updates, as you mentioned.

FYI: Update Management v2 is in private preview. For more information, do check out this document.
