Relevance scripting in BES Console based on Azure tags

Knut 2023-02-27 11:30:06 UTC #1

Im not entirely sure which category this goes in.

We’ve recently deployed the Plugin for Azure and i am trying to create a rule for Azure Tag: “update_management::Patch_Me_Schedule1a” to equal the tag we use for Patch policy in BigFix. Lets say its “EverySecondTuesday”.

Azure Tags are listed with “(key of it & “::” & value of it) of tags” script in the Console.

To write it somewhat out, im trying to enable the following relevance:
"(key of it & “::” & value contains “Patch_Me_Schedule1a” of it) of tags"
(The above does not work, but its what i am trying to accomplish)

The Endgame here, is to enable an Auto rule, that at the time of discovery and installation of the BES Client through Azure, automatically applies the correct Patch Policy in BigFix so we can move the patching from runbooks in Azure to BigFix Patch Management.

What am i missing? Is there another way to do this i am missing completely?
Regards,

Edit:

Examples i cant get to work:
“exists (value of it contains “Patch_Me_Schedule1a”) of tags” Just shows True on everything

Almost works:
(value of it contains “Patch_Me_Schedule1a”) of tags
Results in multiple results of True/false.
Im just not sure how to get it to only check the key i want it to check.
How do i get it to only check the “update_management” key?

ageorgiev 2023-02-27 13:46:33 UTC #2

What you are missing is that this data is coming from the Plugin Server/Cloud Provider APIs, and not for the native client… You can’t use that as relevance that the native agent would be able to evaluate which is what you generally need for Patch Policies!

The way you can accomplish this is via using “Server Based” computer group instead of “Automatic” group - difference is that the former is only evaluate on database/rootserver level and NOT by the clients like the latter, so this way you can rely on the data in the database being there already. The downside of this approach is that you need to create a global (MO) property for the tag you need to be there and only then you can use it for the computer group (it’s redundant, I know, but the only way you can make it work at this time…). Here is an example - global property “Tag” with the following code:

if (exists property "tag") then (if exists tags whose (key of it = "Tag" and value of it != "None") then "TRUE" else "FALSE") else undefined

Server-based Group:

Also, please note that you need to use “undefined” within the clause otherwise the computer group is not evaluating correctly (had to have a Support Case open to be told that trick!)…

I would imagine Patch Policies would work with “server-based” groups but we don’t use patch policies, so haven’t tested it…

fermt 2023-02-27 13:58:01 UTC #3

We had a challenge using Cloud inspectors for our patching automation and “Server Based” computers groups didn’t work for us due to some limitation that I described in an HCL Idea that I documented during our testing.

We ended up uing Global Properties that evaluate the value of the tags, in the following example I am looking for an specific value(PROD) of an specific tag(Environment):

(it as trimmed string as lowercase starts with "PROD" as lowercase) of (IF(proxied of hardware) THEN(IF (Exists first "||Environment||" of (concatenation of (( "||" & key of it & "||" & value of it & "||") of tags))) THEN(preceding text of first "||" of following text of first "||Environment||" of (concatenation of (("||" & key of it & "||" & value of it & "||") of tags))) ELSE("Environment Tag not defined")) ELSE ("Native Agent"))

This is the relevance of an automatic group that will contain all the production servers based on the Environment Tag.
This requires two things:

The groups should be created under a custom site that contains native and cloud instances.
Correlation of both instances in place

Knut 2023-02-27 15:35:50 UTC #4

Thank you for this wonderful reply!

It was super helpful, and thank you for also walking me trough the logic of the task at hand.

I had in mind this was a on the server level, but i somehow got stuck in my own had that i could use an analysis and then another analysis on that to clean up the queries.

I wont have time to test this until next week, but now i cant wait!

Knut 2023-02-27 15:40:21 UTC #5

Thank you so much for the input!
It seems im going to have to study your Automatic group relevance a bit to see whats actually going on, but i cant wait to pick it apart and put it back together to make sense of it during testing.

I think we are also good considering the two requirements you mention.

This is going to be very helpful in continuing building up this structure.

mesee2 2023-02-27 19:54:17 UTC #6

Can the same process be followed to read tags from Vcenter with the Vmware plugin?
Any examples?

Any way of setting tags in vcenter with Bigfix?