This section will walk you through the process of Patch installation configurations with more controlled options to Schedule, Approve, Reboot and Enable Maintenance on the devices. You can also have the entire Patch activity from Scan to Install, automate using the Out of the Box Automation feature called Process Definition, which reduces the human intervention completely to perform any Patch related tasks.
To know more about available automation utilities for Patch related tasks, see Patch Automation. To know more about remediation and automation capability, see Remediation Automation.
Configure the Patch Management at Client Level
To deploy Patch Installation Configurations at Client level, follow the below steps:
- Login to OpsRamp Portal.
- Select a client from the All Clients list.
- Go to Configuration Management > Patch Management 2.0.
- On the left side of this page, click the Menu bar icon and then Configuration.
- Click + ADD to create a new patch configuration.
The Configuration deployment involves the below 3 steps:
- Resource Selection
- Patch Selection
- Schedule
Resource Selection
On this page, we will choose resources at client level based on the requirements.
In the Configuration Name field, give the configuration a name.
Choose resources from the list. There are two options for doing so.
- Dynamic: Choose resources by adding an OpsQL query; if any resources match the query, they will be included in the configurations automatically. This will automate the process and reduce the need for user intervention whenever there are new devices onboarded and required to add new devices to the existing installation configurations.
Resource Selection Criteria
- This unique feature is only applicable to dynamic patch configuration.
- Every eligible resource can be only assigned to a single patch configuration.
- When a new resource is on-boarded based on the given criteria, resource will be assigned to patch configuration.
- The order of assigning the resource will depend on the created date. It means, patch configuration created on an older date will be given higher priority when assigning resources.
For an example: If one patch configuration is created on10-08-2022and another is created on02-07-2022, we will give first priority to configuration created on date02-07-2022when allocating the resources. - Resources which are not part of any existing configuration will be re-computed every 4 hours and assigned to configuration based on the criteria configured and priority.
- Select Resources: This is a manual process for searching and selecting resources by defining Resource attributes in a simple search query. The selected resources list would not be updated with newly onboarded devices if the installation schedule is saved with this option. Users must manually update the list for any onboarding or decommission of the devices on the platform.
Note
The patch configuration also allows you to select Gateway resources (Windows and NextGen Linux) which have the Agent installed.
- Dynamic: Choose resources by adding an OpsQL query; if any resources match the query, they will be included in the configurations automatically. This will automate the process and reduce the need for user intervention whenever there are new devices onboarded and required to add new devices to the existing installation configurations.
To proceed to the patch selection page, click Next.
Patch Selection
In the Patch Selection page, select the patches to be configured by using any of the options.
- Approved Patches: Would show the list of Approved Patches
- Dynamic Patches: You can have the Patches selected for the installation Dynamically using the filter criteria. With the next Missing Patch Scan job execution, if there are new patches found as per the filter criteria, those patches would be automatically included for installation under the respective configuration.
- Select Patches: You can select the patched manually from the list or using the Filter criteria and then click Apply.
Once the patch selection process is finished, click Next to proceed to the schedule page.
Note
If you select multiple patches from the option Select Patches, in this case you cannot select more than 100 records at once; if you do, the message shown in the figure below will appear.
Schedule
After selecting the resource and patches, you must now define a schedule to run the scan at the desired time.
- On the Schedule section, you could specify when this patch activity should be performed:
- Run On Demand: Select this option, if you want to apply the patch updates right away.
- One Time: Select this option, if you want to apply the patch updates once a time.
- Daily: Select this option, if you want to apply the patch updates on daily. You can configure this option by choosing: Every Weekday (Mon-Friday) or Everydays.
- Weekly: Select this option, if you want to apply the patch updates on weekly wise. Configure weekly schedule by selecting: Time preference, Starting date, and Days.
- Monthly: Select this option if you only want to apply patch updates on a monthly basis. Configure this by selecting: Time preference, Starting date, and number of days in a month.
- Yearly: Select this option, if you want to apply the patch updates yearly once. Choose the option which are the months this should happen.
- Patch Tuesday: Select this option, if you want to apply the patch updates only on Tuesday of every month.
- Resource Time Zone: You can select a specific time zone to patch all the resources in the patch configuration. When you select a time zone, it ignores the different local time zones of resources and instead uses the time zone specified in the patch configuration.
- Reboot After Install: Select the option Yes/No if you want to reboot the system after patch installation. If you choose Yes, you will be given the option to Force Reboot.
- Force Reboot: If users want to reboot each server that is part of the Patch Installation job after the patch is installed, select the Force Reboot option .
- Approval Type: Select type of approval of patches whether it will be Manual or Automatic. If you select Automatic type approval; all whitelisted security and critical patches are approved automatically on the selected devices.
- Maintenance Period: This setting creates a maintenance window for all of the selected devices, using the given schedule and duration. To know more about scheduling maintenance period on the resources for other related use cases, see Scheduling Maintenance Period.
- Choose the deployed and enabled Patch Automation Process Definition from the drop-down list (if any).
- In the Notifications section, select the users who want to be notified about the Patch Installation status. All the platform Users would be listed under “Notify Users”. If the Installation status notifications are required to be sent to any external email address without having an account on the platform, enter the external email address under “CC Users” and hit enter.
- Precedence: Resources allocation will be done based on the precedence order for dynamic query based configurations. Least value will get high precedence for resource allocation.
Note
The system will automatically recompute the resources every 4 hours to assign the match criteria. Recompute jobs executed every 4 hours and it should recompute the newly added resources and removed resources information only.
- Click Save after you configured the scheduled page.
Configure the Patch Management at Partner Level
To deploy Patch Installation Configurations at Partner Level, follow the below steps:
- Login to OpsRamp Portal.
- Select All Clients.
- Go to Configuration Management > Patch Management 2.0.
- On the left side of this page, click the Menu bar icon and then Configuration.
- Click + ADD to create a new patch configuration.
The Configuration deployment involves the below 3 steps:
- Resource Selection
- Patch Selection
- Schedule
Resource Selection
On this page, we will choose resources at Partner level based on the requirements.
- To select a client, choose from All Clients or Select Clients.
- In the Configuration Name field, give the configuration a name.
- Find the resources from the list using the + QUERY button.
Choose resources by adding an OpsQL query; if any resources match the query, they will be included in the configurations automatically. This will automate the process and reduce the need for user intervention whenever there are new devices onboarded and required to add new devices to the existing installation configurations.
Note
The patch configuration also allows you to select Gateway resources (Windows and NextGen Linux) which have the Agent installed. - To proceed to the patch selection page, click Next.
Note
The next two steps for Patch Configuration at the Partner level (Patch Selection and Scheduling) are the same as the described above for Patch Configuration at the Client level. Follow the same steps to complete the configuration at Partner level.The following table summarizes the difference between Client Level and Partner Level functionality.
| Functionality | Client Level | Partner Level | |
|---|---|---|---|
| Resource Selection | |||
| Client Selection | ✗ | ✓ | |
| Dynamic Resources | ✓ | ✓ | |
| Static Resources | ✓ | ✗ | |
| Patch Selection | |||
| Approved Patches | ✓ | ✓ | |
| Dynamic Patches | ✓ | ✓ | |
| Select Patches | ✓ | ✓ | |
| Schedule | |||
| Schedule Type | ✓ | ✓ | |
| Reboot after Install | ✓ | ✓ | |
| Force Reboot | ✓ | ✓ | |
| Approval Type | ✓ | ✓ | |
| Maintenance Period | ✓ | ✗ | |
| Assign Process | ✓ | ✗ | |
| Notifications | ✓ | ✓ |
View the Patch Configuration Page
View the list of configured jobs under Patch Management 2.0 > Configuration.
The following table describes the various attributes and actions displayed on the Patch Scan Schedule page:
| Attributes | Description |
|---|---|
| Name | Name of the patch configuration. |
| Schedule | The start date, time, and the selected scheduled configurations. |
| Resources | The number of resources chosen when scheduling a scan job. |
| Precedence | The number of resources chosen to prioritize for scheduling a scan job. |
| Search button | Use the search field to find jobs. |
| Edit | Use the edit option to change the current job setup. |
| Run Now | This option allows you to run the job. |
| Remove | Use this option to remove tasks from the list if they are not relevant. |
| Recompute | When a dynamic query patch configuration is removed or the query is no longer valid, or resources are qualified for another patch configuration with a higher precedence order, recompute will take place. It is applicable for only Dynamic patch configurations. |
To see the configuration of the created schedule scan such as: Properties, Resources, Patches, logs, and Installation Status, click on the configured jobs listed here.
Properties: Find the basic user information and the date the patch was configured.
Logs: See the logs details of each run.
Installation Progress: Check the installation status of each resource.
Next Run: Users will be able to easily check the Time Zone, Next Scheduled Run Time, and Last Run Time for a particular scheduled job.
| Widget | Description | |
|---|---|---|
| Properties | Created By | User who created this patch configuration |
| Updated By | User who updated this patch configuration at last | |
| Created Time | Time when this Configuration was created | |
| Last Updated Time | Time when this Configuration was Last Updated | |
| Operating System | Operating system of the selected Resources | |
| Reboot After Install | Device Reboot options selected after the Patch installation | |
| Approval Type | Type of Approval defined for the Patch Installation | |
| Maintenance Period | The Scheduled Maintenance period defined to ignore the Monitoring alerts generated during Patch Installation | |
| UUID | The unique ID generated for each Patch Configuration. These UUIDs can be used with OpsQL for any required use cases | |
| Resources | Selected Resources for the Patch Installation Configuration | |
| Patches | Selected Patches for the Installation on the selected Devices | |
| Logs | Activity Logs of the Patch Configurations | |
| Installation Status | See live status of a resource patch installation, including whether it has started, completed, failed, etc. | |
Recompute
What is Recompute?
Recompute all the patch configurations based on priority, which means that all policies that will be matched with other policies must be assigned to the highest priority policy. It will perform the following tasks:
- Recompute will take care of schedule maintenance.
- Auto Approval
- Auto Trigger
- It will identify new resources (addition/removal) and assign new changes to policies that have a high prior approval rating.
When Recomputation is triggered?
- In rule-based configurations, resources should be re-allocated based on the precedence value.
- A lower precedence value indicates a higher priority.
- Triggers should be recreated in each of the rule-based configurations based on the allocated resources.
- Maintenance windows should be recreated/updated in each rule-based configuration based on the allocated resources.
- Auto-approval should be performed in accordance with the allocated resources in each rule-based configuration.
- Client-level configurations should be prioritized over partner-level configurations.
- Recomputation should have no effect on configurations that use static resources.
When new resources are onboarded?
- When the Recomputation is triggered, the newly onboarded resources should be assigned to configurations with higher priority.
- Triggers and maintenance should be created for the new resources in accordance with the configurations to which they are assigned.
- Auto Approval and Reboot should function as expected.
When resources are deleted?
- The triggers and maintenance windows associated with the deleted resources should be deleted/unassigned.
How to Recompute?
- Go to Patch Management 2.0 > Configuration.
- Click Recompute on the right side of the configuration page.
- When you click the Recompute button, a warning message should appear.
If you want to Recompute, click Yes.
You can see the ongoing status of the recompute process.
- Once Recompute is complete, you should see the following recomputation details in the Logs page:
- Triggered by
- Resources assigned/unassigned to Config_Names
- Timestamps
Notifications
Users added in the configuration job will get the following email notifications:
- Patch Install Details Notification: Users who have been added to the configuration job will receive this email notification, after 2 hrs of job triggered.
- Patch Configuration Created: Only Partner users will get this email notification.
