Overview

This section will walk you through the process of Patch installation configurations with more controlled options to Schedule, Approve, Reboot and Enable Maintenance on the devices. You can also have the entire Patch activity from Scan to Install, automate using the Out of the Box Automation feature called Process Definition, which reduces the human intervention completely to perform any Patch related tasks.

To know more about available automation utilities for Patch related tasks, see Patch Automation. To know more about remediation and automation capability, see Remediation Automation.

Configure the Patch Management at Client Level

To deploy Patch Installation Configurations at Client level, follow the below steps:

  1. Login to OpsRamp Portal.
  2. Select a client from the All Clients list.
  3. Go to Configuration Management > Patch Management 2.0.
  4. On the left side of this page, click the Menu bar icon and then Configuration.
  5. Click + ADD to create a new patch configuration.

The Configuration deployment involves the below 3 steps:

  • Resource Selection
  • Patch Selection
  • Schedule

Resource Selection

On this page, we will choose resources at client level based on the requirements.

  1. In the Configuration Name field, give the configuration a name.

  2. Choose resources from the list. There are two options for doing so.

    • Dynamic: Choose resources by adding an OpsQL query; if any resources match the query, they will be included in the configurations automatically. This will automate the process and reduce the need for user intervention whenever there are new devices onboarded and required to add new devices to the existing installation configurations.
      patch management
    • Select Resources: This is a manual process for searching and selecting resources by defining Resource attributes in a simple search query. The selected resources list would not be updated with newly onboarded devices if the installation schedule is saved with this option. Users must manually update the list for any onboarding or decommission of the devices on the platform.
  3. To proceed to the patch selection page, click Next.

Patch Selection

Follow the below steps to select the patches by using GO BY PATCHES option:

patch management

  1. In the Patch Selection page, select the patches to be configured by using any of the options.

    • Approved Patches: You will find the total number of approved patches, and if you want to see the complete list of patches with details, click the View Patches link.
    • Dynamic Patches: You can have the Patches selected for the installation Dynamically using the filter criteria. With the next Missing Patch Scan job execution, if there are new patches found as per the filter criteria, those patches would be automatically included for installation under the respective configuration.
    • Select Patches: You can select the patched manually from the list or using the Filter criteria and then click Apply.
      patch management
  2. Once the patch selection process is finished, click Next to proceed to the schedule page.

Schedule

After selecting the resource and patches, you must now define a schedule to run the scan at the desired time.

  1. On the Schedule section, you could specify when this patch activity should be performed:
    • Run On Demand: Select this option, if you want to apply the patch updates right away.
    • One Time: Select this option, if you want to apply the patch updates once a time.
    • Daily: Select this option, if you want to apply the patch updates on daily. You can configure this option by choosing: Every Weekday (Mon-Friday) or Everydays.
    • Weekly: Select this option, if you want to apply the patch updates on weekly wise. Configure weekly schedule by selecting: Time preference, Starting date, and Days.
    • Monthly: Select this option if you only want to apply patch updates on a monthly basis. Configure this by selecting: Time preference, Starting date, and number of days in a month.
    • Yearly: Select this option, if you want to apply the patch updates yearly once. Choose the option which are the months this should happen.
    • Patch Tuesday: Select this option, if you want to apply the patch updates only on Tuesday of every month.
  2. Resource Time Zone: You can select a specific time zone to patch all the resources in the patch configuration. When you select a time zone, it ignores the different local time zones of resources and instead uses the time zone specified in the patch configuration.
  1. Reboot After Install: Select the option Yes/No if you want to reboot the system after patch installation. If you choose Yes, you will be given the option to Force Reboot.
    • Force Reboot: If users want to reboot each server that is part of the Patch Installation job after the patch is installed, select the Force Reboot option .
  2. Approval Type: Select type of approval of patches whether it will be Manual or Automatic. If you select Automatic type approval; all whitelisted security and critical patches are approved automatically on the selected devices.
  3. Maintenance Period: This setting creates a maintenance window for all of the selected devices, using the given schedule and duration. To know more about scheduling maintenance period on the resources for other related use cases, see Scheduling Maintenance Period.
  4. Choose the deployed and enabled Patch Automation Process Definition from the drop-down list (if any).
  5. In the Notifications section, select the users who want to be notified about the Patch Installation status. All the platform Users would be listed under “Notify Users”. If the Installation status notifications are required to be sent to any external email address without having an account on the platform, enter the external email address under “CC Users” and hit enter.
  6. Precedence: Resources allocation will be done based on the precedence order for dynamic query based configurations. Least value will get high precedence for resource allocation.
patch management
  1. Click Save after you configured the scheduled page.

Configure the Patch Management at Partner Level

To deploy Patch Installation Configurations at Partner Level, follow the below steps:

  1. Login to OpsRamp Portal.
  2. Select All Clients.
  3. Go to Configuration Management > Patch Management 2.0.
  4. On the left side of this page, click the Menu bar icon and then Configuration.
  5. Click + ADD to create a new patch configuration.

The Configuration deployment involves the below 3 steps:

  • Resource Selection
  • Patch Selection
  • Schedule

Resource Selection

On this page, we will choose resources at Partner level based on the requirements.

  1. To select a client, choose from All Clients or Select Clients.
  2. In the Configuration Name field, give the configuration a name.
  3. Find the resources from the list using the + QUERY button.
    Choose resources by adding an OpsQL query; if any resources match the query, they will be included in the configurations automatically. This will automate the process and reduce the need for user intervention whenever there are new devices onboarded and required to add new devices to the existing installation configurations.
    patch management
  4. To proceed to the patch selection page, click Next.

The following table summarizes the difference between Client Level and Partner Level functionality.

FunctionalityClient LevelPartner Level
Resource Selection
Client Selection
Dynamic Resources

Static Resources

Patch Selection
Approved Patches
Dynamic Patches

Select Patches

Schedule
Schedule Type
Reboot after Install

Force Reboot

Approval Type

Maintenance Period

Assign Process

Notifications

Patch Configuration with Process Automation

  1. Do the resource selection, refer the section Resource Selection
  2. After resource selection, click Next.
  3. From the Patch Selection page, click GO BY PROCESSES.
  4. Select any process from the list to add to the configuration.
    If there are no processes available in the list, please refer to the Patch Automation document to create a new process.
  5. Click Next.
patch management

Once the patch selection is completed, refer the section Scheduling to schedule the configuration.

Patch Configuration with Baseline

  1. Do the resource selection, refer the section Resource Selection
  2. After resource selection, click Next.
  3. From the Patch Selection page, click GO BY BASELINE.
  4. Select a baseline from the list to add to the configuration.
    If there are no baseline available in the list, please refer to the Patch Baseline document to create a new baseline.
  5. Click Next.
patch management

Once the patch selection is completed, refer the section Scheduling to schedule the configuration.

View the Patch Configuration Page

View the list of configured jobs under Patch Management 2.0 > Configuration.

patch management

The following table describes the various attributes and actions displayed on the Patch Scan Schedule page:

AttributesDescription
NameName of the patch configuration.
ScheduleThe start date, time, and the selected scheduled configurations.
ResourcesThe number of resources chosen when scheduling a scan job.
PrecedenceThe number of resources chosen to prioritize for scheduling a scan job.
Search buttonUse the search field to find jobs.
EditUse the edit option to change the current job setup.
Run NowThis option allows you to run the job.
RemoveUse this option to remove tasks from the list if they are not relevant.
RecomputeWhen a dynamic query patch configuration is removed or the query is no longer valid, or resources are qualified for another patch configuration with a higher precedence order, recompute will take place.
It is applicable for only Dynamic patch configurations.

To see the configuration of the created schedule scan such as: Properties, Resources, Patches, logs, and Installation Status, click on the configured jobs listed here.

Properties: Find the basic user information and the date the patch was configured.

patch management

Logs: See the logs details of each run.

patch management

Installation Progress: Check the installation status of each resource.

patch management

Next Run: Users will be able to easily check the Time Zone, Next Scheduled Run Time, and Last Run Time for a particular scheduled job.

patch management

WidgetDescription
PropertiesCreated ByUser who created this patch configuration
Updated ByUser who updated this patch configuration at last
Created TimeTime when this Configuration was created
Last Updated TimeTime when this Configuration was Last Updated
Operating SystemOperating system of the selected Resources
Reboot After InstallDevice Reboot options selected after the Patch installation
Approval TypeType of Approval defined for the Patch Installation
Maintenance PeriodThe Scheduled Maintenance period defined to ignore the Monitoring alerts generated during Patch Installation
UUIDThe unique ID generated for each Patch Configuration. These UUIDs can be used with OpsQL for any required use cases
ResourcesSelected Resources for the Patch Installation Configuration
PatchesSelected Patches for the Installation on the selected Devices
LogsActivity Logs of the Patch Configurations
Installation StatusSee live status of a resource patch installation, including whether it has started, completed, failed, etc.

Recompute

What is Recompute?

Recompute all the patch configurations based on priority, which means that all policies that will be matched with other policies must be assigned to the highest priority policy. It will perform the following tasks:

  • Recompute will take care of schedule maintenance.
  • Auto Approval
  • Auto Trigger
  • It will identify new resources (addition/removal) and assign new changes to policies that have a high prior approval rating.

When Recomputation is triggered?

  • In rule-based configurations, resources should be re-allocated based on the precedence value.
  • A lower precedence value indicates a higher priority.
  • Triggers should be recreated in each of the rule-based configurations based on the allocated resources.
  • Maintenance windows should be recreated/updated in each rule-based configuration based on the allocated resources.
  • Auto-approval should be performed in accordance with the allocated resources in each rule-based configuration.
  • Client-level configurations should be prioritized over partner-level configurations.
  • Recomputation should have no effect on configurations that use static resources.

When new resources are onboarded?

  • When the Recomputation is triggered, the newly onboarded resources should be assigned to configurations with higher priority.
  • Triggers and maintenance should be created for the new resources in accordance with the configurations to which they are assigned.
  • Auto Approval and Reboot should function as expected.

When resources are deleted?

  • The triggers and maintenance windows associated with the deleted resources should be deleted/unassigned.

How to Recompute?

  1. Go to Patch Management 2.0 > Configuration.
  2. Click Recompute on the right side of the configuration page.
    patch management
  3. When you click the Recompute button, a warning message should appear.
    If you want to Recompute, click Yes.
    You can see the ongoing status of the recompute process.
    patch management
    Credential Mapping
  4. Once Recompute is complete, you should see the following recomputation details in the Logs page:
    • Triggered by
    • Resources assigned/unassigned to Config_Names
    • Timestamps

Notifications

Users added in the configuration job will get the following email notifications:

  • Patch Install Details Notification: Users who have been added to the configuration job will receive this email notification, after 2 hrs of job triggered.
    patch management
  • Patch Configuration Created: Only Partner users will get this email notification.
    patch management