Patching Status Automated Report

system 2011-03-14 20:13:54 UTC #1

(imported topic written by cstoneba)

We are moving from a MS patching solution to BigFix for Server Patching. However, with the MS product, a report would get cut automatically during/after a patching window notifiying the operator of action statuses for the effected assets.

the report below is a step in the right direction, but I’m not sure if it is possible to email it to only a specific DL that admins the assets, or the operator that queued up the action would be nice.

Does anyone have any automation in place for patching reports?

http://forum.bigfix.com/viewtopic.php?id=6754

system 2011-04-12 21:25:30 UTC #2

(imported comment written by tscott91)

This is what I want too… I want to be emailed a report after an action is taken with the status of each computer (IE: Failed, Fixed, Pending Restart, etc)…

We are starting a new patching policy and need a report automatically generated and emailed…

Ideas? I would think this would be a built in / canned report but can’t find one.

Thanks

leewei 2011-04-14 02:26:55 UTC #3

(imported comment written by Lee Wei)

You guys might have seen from other threads that engineering is aware of this as a common request.

This is a common use case that all of us would have liked to have supported by the product out of the box.

Work with me and maybe we can come up with a scheme that will work. There are a few moving parts, so not a click and run scenario.

I have created a report that will list the action status for all actions that have just ended base on a hard coded timeframe.

o Note that a policy action with no end date will get excluded.

o Right now the hard code says “7 *day”. We will want to change this later.

o It filters for only Actions that start with “MS” for Microsoft bulletin. If you want this to apply for any actions, we need to remove the statement (name of source fixlet of it starts with “MS”).

The report can be downloaded here:

http://leewei.com/bigfix/prod/forum/patch_status_completion_report.beswrpt

Use Scheduled Activities in Web Reports to schedule for this report to be emailed whenever the following condition is true. It is important to know that Scheduled Activities will decide if a report should be sent whenever Web Reports

Refreshes the Cache

. Which by default is 20 minutes. You can determine your setting by going to menu (8.x) Administration/Database Settings/Cache Settings.

Select these options in Activity Triggers:

Generate report on every refresh
Match Relevance Conditions/ Generate report when relevance is true
Condition is as follows, but change 7day to your refresh interval, such as the default of 20minute

(it > 0) of number of results of bes actions whose (exists end date of it and name of source fixlet of it starts with “MS” and now > ((end date of it as string & " " & end time_of_day of it as string & " " & local time zone as string) as time) and now - ((end date of it as string & " " & end time_of_day of it as string & " " & local time zone as string) as time) < 7*day)

Now that we see how the end date filter is hard coded, go back to the report and change the 7*day used for testing to match the Web Reports refresh interval.

Sorry that there are a few moving parts. If someone tries this and has success, please let us know.

Lee Wei

http://leewei.com/bigfix/prod/forum/patch_status_completion_report.png

system 2011-04-14 17:08:48 UTC #4

(imported comment written by cstoneba)

Nice Lee. Here are my comments though:

the Start Date and End Dates are nice, but I feel that the actual start time of the action is more important to me. Just because the Start date is now doesn’t mean that it will run now. In our environment, we have a start date but an action contstraint is set until the Maintenance Window is true. So the actual time the action begins to run may be better
No expired actions - I understand that they shouldn’t be included, but what if your action’s stop time ends before your 20min report email cycles? I could see actions being skipped because they would have a status of ‘expired’
It would be great if the email could sent to the ‘issued by’ operator
The built in filter doesn’t allow for filtering based off the operator. Can a filter be added to the actual report that gives this ability?

system 2011-04-14 17:03:38 UTC #5

(imported comment written by tscott91)

I really appreciate you tackling this… However, I’m a bit confused…

So the gist is this report will show any actions that have a “MS*” fixlet in them that have been issued within the past 7 days? You say it filters ACTIONS that start with “MS” but I’m showing actions that don’t start with “MS”, which I prefer anyways just want to clarify.

The part I’m also confused about is changing the “< 7*day” to match the refresh interval? Can you explain deeper?

Thanks!

leewei 2011-04-14 19:27:25 UTC #6

(imported comment written by Lee Wei)

cstoneba

the Start Date and End Dates are nice, but I feel that the actual start time of the action is more important to me. Just because the Start date is now doesn’t mean that it will run now. In our environment, we have a start date but an action contstraint is set until the Maintenance Window is true. So the actual time the action begins to run may be better

This is still not available in Session Relevance. http://forum.bigfix.com/viewtopic.php?id=6798

No expired actions - I understand that they shouldn’t be included, but what if your action’s stop time ends before your 20min report email cycles? could see actions being skipped because they would have a status of ‘expired’

Expired actions will be included. I meant no policy actions, which are actions without an end date/time.

It would be great if the email could sent to the ‘issued by’ operator

BigFix does not have the email address of the console operator. When we create a new user account, the username is actually used for the purpose of creating the digital certificate.

One way that this might work is if the username of the console operator is the same as their email address. Then we can possibly post pend the email domain behind the user name.

The built in filter doesn’t allow for filtering based off the operator. Can a filter be added to the actual report that gives this ability?

I have excluded any type of filtering because it will prevent the report from being scheduled and email automatically.

leewei 2011-04-14 19:38:22 UTC #7

(imported comment written by Lee Wei)

tscott

Not issued within the last 7 days, rather the End Date is within the last 7 days.

There is a filter statement in there (name of source fixlet of it starts with “MS”), so yes, it should be for Fixlets with names starting with MS.

Note that when we can an action, you can change the name of the Action, but I am filtering base on the name of the “source Fixlet”.

The part I’m also confused about is changing the “< 7*day” to match the refresh interval? Can you explain deeper?

This report is all about Scheduled Activities, which is the ability to automatically export, email, or custom action an existing report.

Web Reports determine when a scheduled report should be executed at every refresh cache intervals. This is when Web Reports go to the database to pull out all the new changes. By default, this happens every 20 minutes.

So every refresh cache intervals, we have an opportunity to decide if this report should be emailed. The filter will ensure that only actions ended within this internal are being reported.

This is confusing, please do ask again!

system 2011-04-14 19:41:52 UTC #8

(imported comment written by tscott91)

So what were you saying about changing the <7day to match? We should change it to < 20minutes ?

leewei 2011-04-14 19:47:25 UTC #9

(imported comment written by Lee Wei)

You should change it to the Refresh Cache interval of your Web Reports server.

For version 8.x, this is in the menu Administration/Database Settings/Cache Settings.

system 2011-04-14 22:13:42 UTC #10

(imported comment written by tscott91)

So if it was 1200 seconds what syntax do I use? “<1200*seconds” ?

—OFF TOPIC—

I am currently running 8.0.627… Is there any significant changes, other than the IBM Branding, to go 8.1.551.0?

Thanks!

leewei 2011-04-15 00:11:21 UTC #11

(imported comment written by Lee Wei)

No plurals in the time intervals, so “1200second", "7day”, “60*minute”.

Here is the link of the changes from 8.0 to 8.1.

http://support.bigfix.com/bes/changes/changes-81.html

This link provides a more detailed listing.

Note the section on Web Reports.

http://support.bigfix.com/bes/changes/fullchangelist-81.txt

system 2011-04-15 16:29:36 UTC #12

(imported comment written by tscott91)

I tried this last night and didn’t get emailed… Here is what I did…

Downloaded your report and changed the 7day to 1200second and then imported it.
Added report to scheduled with a start time and no expire time. Changed the trigger to generate on every refresh. Checked the match relevance box and copied / pasted your relevance changing the 7day to 1200second.
Created an action to execute this morning at 4:00AM with a few MS fixlets…

I never received an email…

Let me know what you’d like me to do .

Thanks!

leewei 2011-04-15 17:40:02 UTC #13

(imported comment written by Lee Wei)

tscott

Added report to scheduled with a start time and no expire time. Changed the trigger to generate on every refresh. Checked the match relevance box and copied / pasted your relevance changing the 7day to 1200second.

The intent of this use case is to send out an email on the statuses of actions after it expired/ended, so it will not work if you did not specify the end date/time.

system 2011-04-15 17:42:43 UTC #14

(imported comment written by tscott91)

So it won’t email me until AFTER the action expires? I did specify an end date “4/16/2011 4:27:50 PM”…

leewei 2011-04-15 17:52:42 UTC #15

(imported comment written by Lee Wei)

Oh, I thought that was the criteria - to send a report after the action expires. As it is right now, we won’t get the email until the end date.

We can change the criteria and filter, but we have to come up with a workable scenario.

For example, we can send a report everyday, but over what actions?

I went back and read your original post, and you did say “after an action is taken”, which I took it to mean" after an action has ended", sorry.

system 2011-04-15 17:58:49 UTC #16

(imported comment written by tscott91)

Don’t be sorry! You’re help and reports are GREATLY appreciated…

I see the hairiness of the situation and I honestly can’t think of a great answer to your question…

Basically, I’m interested in a report that gives me the status of each PC of the action but I want that report pretty much first thing in the morning… I guess I can just put in an end date and have the action only last a few hours if that would be the easiest…

system 2011-04-15 23:37:39 UTC #17

(imported comment written by cstoneba)

Lee, in response to your post #6,

Action start times - how is it being done in this report?: http://forum.bigfix.com/viewtopic.php?pid=28870
I notice that our web reports cache refresh is occuring every 15sec. Is that too often?

leewei 2011-04-16 00:05:18 UTC #18

(imported comment written by Lee Wei)

Chris,

Action start times - how is it being done in this report?: http://forum.bigfix.com/viewtopic.php?pid=28870

The action start time is when the action is “open” and become valid to run.

For example, if the start time is 12AM, but a computer do not actually start performing the steps until 9AM, it will still say 12AM.

If you do not specify a start time, that means start immediate, and I use the “issue date” as the start time.

I notice that our web reports cache refresh is occuring every 15sec. Is that too often?

Yes, this is too often, even for small deployments. 15 seconds is the default for Console Refresh.

I would definitely back this off and start with the default of 20 minutes.

When you are doing testing and want to see the most current data, just goto admin/database settings and click “refresh cache” to manual refresh.

system 2011-04-17 05:58:12 UTC #19

(imported comment written by tscott91)

One issue I’ve seen… When I have this report emailed to me in HTML it is HUGE… That is fine but it’s just a html email which I can’t filter, etc…

If I choose CSV to email it in, it’s till huge (which is fine as it’s the amount of PC’s and fixlets that decide the size) but when opening in Excel it’s unusable… I’m guessing it’s because it’s in XML?

leewei 2011-04-18 22:22:16 UTC #20

(imported comment written by Lee Wei)

I did a quick test on my system and see that it takes about 700 bytes per record.

With my 250 rows of results, the report is about 175K.

If you have 3000 rows, it would be 2.1MB. So I can see how the file will get big.

On the other hand, sending a report with 3,000 rows is arguably hard to read.

Maybe you would want to filter to only computers reporting failed, so something else to reduce the row count.