Report on CentOS critical patch status

We use BigFix and have Compliance as well. I need to produce a report on a specific group of CentOS servers that shows missing OS patches (not all applicable fixlets, just missing OS patches). I can see from looking at those PCs that there are no OS patches available, so they must be up to date, but I can’t for the life of me figure out how to get that into a nice clean report to show my customer. I also notice in the BigFix console, in the 'Security Configuration/Vulnerabilities, there is a 'Vulnerabilities for Windows Systems there…how do I get the same for other operating systems? I am going through Compliance documentation to try to figure this out, but it’s challenging. I was directed to Web Reports by support but got nowhere with that.

In line with figuring this out it would be nice to get similar reports for windows - I found out our patch guys have been creating them manually from the Microsoft site rather than exporting reports out of BigFix (required when we do a CR to show our clients what patches are being installed).

Thanks.

@varrus999 - not sure if this is what you are looking for:

  1. Navigate here: https://: and click on “Explore Data” and then Click on “Content”
  2. Click “+” to add a filter.
  3. select “Content” “Site” “is” “Patches for CentOS 7”, Click “+” to add another filter.
  4. select “Content” “Applicable Computer Count” “greater than” “0”
  5. Click apply filter.

Look ok for a start?
-jgo


Thanks for the quick feedback. I have been playing around with those filters, but they only go so far. The steps you gave me do indeed show a list of Fixlets, but they don’t show which computers they apply to. I created a site for this group of computers (as well as a computer group); if I add that site as a filter then it just displays nothing when I apply the filter…

  1. Navigate here: https://: and click on “Explore Data” and then Click on “Content”
  2. Click “+” to add a filter.
    EDIT
  3. select “computers” “Computer Group” “%Name of computer group%”
    EDIT
  4. select “Content” “Site” “is” “Patches for CentOS 7”, Click “+” to add another filter.
  5. select “Content” “Applicable Computer Count” “greater than” “0”
  6. Click apply filter.
  7. Click “Edit Columns”.
  8. Check “Source ID”
  9. Check “Source Severity”
  10. Check “CVE”
  11. Check “Applicable Computers”
    EDIT
  12. Click save report to reuse.
    EDIT

At this point you can modify the columns, I would move the Computers Column all the way to the left. This is a report with line item detail, if you are looking for a patch summary report, I would check this out. https://www.ibm.com/developerworks/community/wikis/home?lang=en#!/wiki/Tivoli%20Endpoint%20Manager/page/Schedulable%20Compliance%20by%20Computer

is this the report you are looking for?
-jgo

Thanks again. It doesn’t really help. The information it’s giving me I can also see in the Console by going to Patch Management, OS, CentOS…but I am trying to produce a report for a group of computers that states the OS patch level in a language that doesn’t require BigFix knowledge to understand. I can see from these filters that no patches apply to my target group, but I can’t produce a simple report that I can export that will tell a director ‘This group of computers is fully patched’

I am also wondering why we can’t do this in the compliance module…

I recommend you look at this custom report available on DeveloperWorks: Legacy Communities - IBM TechXchange Community

Follow the instructions on this page to import the “Schedulable Compliance by Computer Template”. Once imported, you can apply your own filter to the report to generate the necessary output.

Here’s the filter I use for RHEL 6 computers:

  • Computer - Computer Groups is some appropriate group in your environment
  • Site - is Patches for RHEL6 Native Tools
  • Content - Category is not “” (I leave the field empty to filter out extraneous Fixlets in this site; your mileage may vary)
  • Content - Name does not contain Superseded
  • Content - Source Severity is Critical
  • Content - Source Release Date is after some date appropriate to your report

I saved this filter to use in a generic Content report to validate that the list of Fixlets it captures is correct.

The result of this filter combined with the custom report results in something like the following:

Thank you so much - this looks good and we are close! The issue I am having is, if I set filters for:

Computer->Computer Groups ‘is’ My target Group
Site ‘is’ ‘Patches for CentOS7’

I get the graph, it shows the 5 computers in my group but only 1 applicable fixlet for each computer which is installed (100%).
As soon as I start adding any additional filters, such as Source Severity is critical, the report just says ‘error in session relevance’. I dug deeper into the console for those computers and I notice when I go to ‘All Content’->Computers and select one of the computers in my group, ‘Relevant Fixlets and Tasks’ tab, expand ‘Fixlets Only->By Site’, I don’t see ‘Patches for CentOS 7’ - but I do see that for another CentOS computer in the environment that is not in this group. Is there a problem with discovery then?

To me it looks like there is a disconnect between the ‘Patches for CentOS’ site and this group of computers…

Several things to verify:

  1. Which sites contain the Fixlets? Do you have a custom site for your customer’s Fixlets? If so, expand the filter by choosing “add clause” to the Site is Patches for CentOS7 condition… This will create an OR on this condition.
  2. Run a generic Content report using the filter you created to confirm that it lists all the Fixlets you expect to see
  3. Are all the target computers assigned to the Computer Group in your filter?
  4. Are all the target computers subscribed to the Site in your filter?
  1. Patches for CentOS 7, no custom site
  2. If I run the report for that site (not other filters), it lists all CentOS computers and all of them show 1 applicable patch except 1. I checked a few of them and it’s as I mentioned above, when I go to the computer and check applicable Fixlets, that site doesn’t show up there.
  3. Yes all target groups are in the computer group filter (they show up but only show 1 applicable fixlet)
  4. Yes when I go to Sites->External->Patches for CentOS7_Subscribed Computers, they are there.

The only thing I notice is that the computers that show only 1 patch don’t have ‘Patches for CentOS 7’ when I go to Computers, highlight the computer and look at relevant fixlets ‘by site’ (as mentioned in my last post).

The single CentOS7 computer that does show 195 applicable patches in the report DOES have ‘Patches for CentOS 7’ on that tab when I go to the computer.

What is the 1 applicable Fixlet? That might give us a clue as to the nature of the mismatch between the Subscribed Computers on the Site, and the individual computer’s list of sites.

I honestly don’t know; there is no correlation between that report and the server. The report tells me 1 applicable Fixlet is installed, but I have no idea how to figure out what that particular fixlet is. If I just set the filter on this report to the computer group, it shows around 430 applicable fixlets and about 111 missing, but when I look at the computers themselves in the console I don’t see 111 missing fixlets … the numbers just don’t add up! It is so confusing, I can’t express how frustrating this is! I do thank you for your help though.

Maybe some terminology would help.

Relevant means it is Not Installed, which means the patch is Missing. When you right-click a computer and Show Relevant Fixlets, you’ll only see what’s missing.

I haven’t downloaded this particular report, but I’m guessing it’s using the fixlet history (“last became relevant”, and I think “last became nonrelevant”) to show the things that were relevant once, but have since been remediated? If that’s the case, then “Total Applicable” from the web report is just “number of relevant” + “number of remediated”.

The Console won’t show history at all, you’d only see what’s relevant now.

So if the Web Report shows “one applicable fixlet which is installed”, that won’t show up in the Console view for “show relevant fixlets” in the computer view - because it was installed, it’s not relevant anymore for that computer. And if that computer doesn’t have any relevant fixlets for the CentOS 7 site, that site won’t show up in that computer’s “relevant fixlet” tree at all.

This probably just means this computer group is all caught up on patching. Congratulations!

You can also look in the other direction which might be helpful - instead of opening a computer in the console and looking at its relevant fixlets, open the CentOS 7 site and look at the fixlets. For each Fixlet you can show the applicable computers.

You can also open the computer group in the console, and look at relevant fixlets for the group as a whole. Fixlets will show there if they are still relevant to any members of the group.

Hi Jason, thanks for the posts. I understand all of that. Let me give my perspective:

I run the above report compliance report with a single filter - a computer name.

The report lists the computer twice

(For some reason most computers are listed twice in our console, once with the BES Relay Selection Method set to automatic, the other to manual - the manual one has the little computer icon and I have been told to work with those.)

Those two computers on the report show the following:

(intentionally left out the computer names and IPs.)

Now when I go into the console, find those computers, I would expect to see 32 and 111 Fixlets to be installed, but I don’t; I see 12 and 0 respectively (looking at ‘Fixlets Only’), and 79 and 15 when I click ‘All’.

Those numbers are without a site specified, when I set the site in the report filter to ‘Patches for CentOS 7’ it tells me there is one applicable fixlet that is already installed.

To me this doesn’t make any sense.

Hmm… duplicated computers would be an issue. Are they all reporting in? If so, then you have computers with duplicated names. Add the Computer ID to one of your generic reports to determine if it is the same machine twice or two machines with the same name. It may also explain the lack of the site in the Computer record (one is subscribed, and its twin isn’t).
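The arithmetic in the terminology post above (Total Applicable = relevant + remediated, a computer absent from the site's report is simply caught up) and the Computer ID check suggested here can be reproduced outside BigFix on an exported row set. The following script is an added example, not code from the thread or from the Compliance report template; the column layout, the `relevant`/`remediated` state values and every computer, Fixlet and ID in it are constructed for illustration, not taken from any real deployment.

```python
"""Summarise patch status for a computer group from Web Reports-style rows.

Constructed example: the rows mimic the columns enabled in the thread
(Source Severity, site, applicable computer) plus a per-computer state.
The state is a hypothetical field derived from Fixlet history:
  relevant   = still relevant now  = Not Installed = Missing
  remediated = was relevant once, no longer relevant = Installed
"""
from collections import defaultdict
from dataclasses import dataclass

# (computer_id, computer_name, site, fixlet_name, source_severity, state)
SAMPLE_ROWS = [
    (101, "centos-app-01", "Patches for CentOS 7", "EXAMPLE-0001 - kernel", "Critical", "relevant"),
    (101, "centos-app-01", "Patches for CentOS 7", "EXAMPLE-0002 - openssl", "Critical", "remediated"),
    (101, "centos-app-01", "Patches for CentOS 7", "EXAMPLE-0005 - sudo", "Important", "relevant"),
    (102, "centos-app-02", "Patches for CentOS 7", "EXAMPLE-0002 - openssl", "Critical", "remediated"),
    (102, "centos-app-02", "Patches for CentOS 7", "EXAMPLE-0003 - bash (Superseded)", "Critical", "relevant"),
    (103, "centos-app-03", "Patches for CentOS 7", "EXAMPLE-0002 - openssl", "Critical", "remediated"),
    (104, "centos-app-03", "Patches for CentOS 7", "EXAMPLE-0002 - openssl", "Critical", "remediated"),
    (105, "centos-db-01", "Patches for RHEL6 Native Tools", "EXAMPLE-0004 - glibc", "Critical", "relevant"),
]

# The computer group, keyed by Computer ID: two members share a name (the
# duplicate-record situation the thread runs into), and 105 is not a member.
GROUP_MEMBERS = {101: "centos-app-01", 102: "centos-app-02", 103: "centos-app-03", 104: "centos-app-03"}


@dataclass
class ComputerSummary:
    computer_id: int
    name: str
    missing: int = 0      # Fixlets still relevant (Not Installed)
    remediated: int = 0   # Fixlets that were relevant once and no longer are

    @property
    def total_applicable(self) -> int:
        # "Total Applicable" in the web report = relevant + remediated
        return self.missing + self.remediated

    @property
    def fully_patched(self) -> bool:
        # Nothing relevant now: the site will not even appear in the console tree
        return self.missing == 0

    @property
    def percent_installed(self) -> float:
        if self.total_applicable == 0:
            return 100.0
        return round(100.0 * self.remediated / self.total_applicable, 1)


def summarize(rows, members, site, severity=None, exclude_superseded=True):
    """Apply the thread's filters (site, severity, no superseded Fixlets) and count per member.

    Every group member gets a summary even if no row survives the filter, so a
    computer with nothing applicable is reported as 0/0 and fully patched.
    """
    summaries = {cid: ComputerSummary(cid, name) for cid, name in members.items()}
    for cid, _name, row_site, fixlet, sev, state in rows:
        if cid not in summaries or row_site != site:
            continue
        if severity is not None and sev != severity:
            continue
        if exclude_superseded and "superseded" in fixlet.lower():
            continue
        if state == "relevant":
            summaries[cid].missing += 1
        elif state == "remediated":
            summaries[cid].remediated += 1
        else:
            raise ValueError(f"unknown state {state!r} for computer {cid}")
    return summaries


def find_duplicate_names(members):
    """Names that map to more than one Computer ID: two records, or one machine twice."""
    by_name = defaultdict(list)
    for cid, name in members.items():
        by_name[name].append(cid)
    return {name: sorted(ids) for name, ids in by_name.items() if len(ids) > 1}


def group_statement(summaries):
    """One plain-language sentence for a director, as the thread asks for."""
    total = len(summaries)
    behind = sorted(s.name for s in summaries.values() if not s.fully_patched)
    if not behind:
        return f"This group of {total} computers is fully patched."
    return f"{len(behind)} of {total} computers are missing patches: {', '.join(behind)}."


if __name__ == "__main__":
    result = summarize(SAMPLE_ROWS, GROUP_MEMBERS, site="Patches for CentOS 7", severity="Critical")
    for s in result.values():
        print(f"{s.name} (ID {s.computer_id}): {s.remediated}/{s.total_applicable} installed, "
              f"{s.missing} missing ({s.percent_installed}%)")
    print(group_statement(result))
    print("duplicate names:", find_duplicate_names(GROUP_MEMBERS))
```

Keying everything by Computer ID rather than name is the point of the duplicate check: with the constructed data, `centos-app-03` resolves to two IDs, and only the ID tells you whether one record is subscribed to the site and its twin is not.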

Hi again. I clarified the duplicates, one is for the VM management (we use automation to take snapshots prior to patching), the other is the agent based management. They are both necessary, as far as testing these reports I have tried both, neither contains the site.

Ah - now I understand. I see the same in my environment. It’s kind of annoying, so I use the following relevance in the Computer Groups that I use for “real” computers:

Group Relevance - The following relevance evaluates to false: in proxy agent context

This becomes:

(version of client >= "6.0.0.0") AND (not (exists true whose (if true then (in proxy agent context) else false)))

It sounds like a PMR is in order. Your clients should be showing the proper subscribed sites in their Computer properties.