question

NigelVella-8797 avatar image
0 Votes"
NigelVella-8797 asked AnuragSingh-MSFT edited

Azure Update Management - log analytics report

I have a setup where, every week the Virtual Machines are updated using a deployment schedule.
The Deployment Schedule also includes a Post and Pre-scripts to start any VMs that are found shut-down and once updated, it puts them back to shut-down.

Everything works fine and the updates where also installed OK.

My problem is that post updates, I'm utilizing a script to export data which shows the critical and security updates for audit reports, however, VMs that are continuously running are reporting fine, whereas VMs that are shutdown after the post script, report data of when the VM is started.

This is the script I'm using:

 Update
 | join kind=fullouter (UpdateSummary) on ResourceId
 | where TimeGenerated1 >= ago(48h)
 | summarize arg_max(TimeGenerated1, CriticalUpdatesMissing, SecurityUpdatesMissing) by Computer, ResourceGroup

Below is what I'm encountering.
The update didn't last long, is there any time required for the VM's to be running, in order to fetch latest update data on the log analytics?
191851-image.png


azure-monitorazure-automation
image.png (58.6 KiB)
5 |1600 characters needed characters left characters exceeded
Toggle Comment visibility. Current Visibility: Visible to all users

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

1 Answer

AnuragSingh-MSFT avatar image
0 Votes"
AnuragSingh-MSFT answered AnuragSingh-MSFT commented

Hi @NigelVella-8797,

Welcome to Microsoft Q&A! Thanks for posting the question.

I understand that you are trying to view the updated information LogAnalytics after the updates were installed on selected machines. Based on the reported behavior that - the updates are reported fine for continuously running machine AND the fact that for stopped VMs the updates are displayed based on the time when they were started, the following information and reference should help:

1. On a Windows machine, the compliance scan is run every 12 hours by default. For a Linux machine, the compliance scan is performed every hour by default.

2. If the Log Analytics agent is restarted, a compliance scan is started within 15 minutes. (A reboot/start of VM would initiate start of all the services on the VM, therefore you seem to be getting the information from after the start of VM)

refer: About Update Management

Based on this information, I would suggest adding one more logic to the Postscript to restart "Log Analytics Agent" service after the update installation and schedule shutdown after about 15 minutes. That should help get updated data sooner.

Please let me know if you have any questions.

Please 'Accept as answer' and ‘Upvote’ if it helped so that it can help others in the community looking for help on similar topics.

· 1
5 |1600 characters needed characters left characters exceeded
Toggle Comment visibility. Current Visibility: Visible to all users

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

AnuragSingh-MSFT avatar image AnuragSingh-MSFT ·

@NigelVella-8797, I wanted to check if you had a chance to review my comment above. Please let me know if you have any queries or concerns.

Please 'Accept as answer' if it helped so that it can help others in the community looking for help on similar topics.

0 Votes 0 ·