Sending alert if machine is not part of maintenance configuration

Varma 1,190

Is there any way that if machine ( Virtual machine )is not part of maintenance configuration ( azure update manager) , we can trigger alert?

Diptesh Kumar 101 Reputation points

2024-05-17T02:59:48.9233333+00:00

Hi Sina,

adding my findings below:

it is from resource graph explorer....

I have prepared below query which should fetch maintenanceconfiguraiton id, however in the output it is not showing the result. Please suggest and also could you please prepare updated query.

resources

| where type =~ 'microsoft.compute/virtualmachines'

| extend maintenanceconfigurationID = tostring(properties.maintenanceconfigurationId)
Sina Salam 3,901 Reputation points

2024-05-17T13:02:01.3233333+00:00

Hi @Diptesh Kumar

Thank you for your feedback.

You can use it, but did you join the virtual machine resources with the maintenance configuration resources to get the desired output?

I can't see all your query.

1 answer

Sina Salam 3,901 Reputation points

2024-05-10T12:21:41.1833333+00:00
Hello Varma,

Welcome to the Microsoft Q&A and thank you for posting your questions here.

Problem

Sequel to your questions, I understand that you are asking if you could set up an alert to notify you or support if a virtual machine isn't included in the maintenance configuration managed by Azure Update Manager.

Scenario

As a cloud infrastructure manager, there's a need to maintain consistent security and functionality across virtual machines (VMs). The Azure Update Manager was utilized to automate and manage updates across these VMs, ensuring they remain up-to-date with the latest patches and security fixes. However, there's a concern that some VMs might inadvertently be excluded from this update process, leading to potential vulnerabilities and inconsistencies in the system.

Solution

This prescribed solution was based on the scenario given and your questions, while focusing on the problem statement.

Yes, you can set up alerts in Azure to notify you when a virtual machine (VM) is not part of the maintenance configuration in Azure Update Manager.

To do the above after you must have set-up your Azure Update Manager:

Azure Monitor can be leveraged to monitor the status and configurations of VMs within the Azure environment. Specifically, Azure Monitor's Log Analytics feature can provide insights into the state of VMs and their update configurations.

Use Log Analytics queries to identify VMs that are not included in the maintenance configuration managed by Azure Update Manager. You will need to create Log Analytics queries which should search for VMs that haven't reported recent update compliance status or are explicitly excluded from update deployments.

You can use the following Kusto Query Language (KQL) query to identify VMs that haven’t reported recent update compliance status or are explicitly excluded:

Heartbeat | where TimeGenerated > ago(1d) // Adjust time window as needed | where Type == "Heartbeat" | where Computer notin ( Heartbeat | where TimeGenerated > ago(1d) | where Type == "Heartbeat" | where UpdateState == "Compliant" | distinct Computer ) | project Computer, UpdateState, OSType, ResourceGroup, SubscriptionId, ResourceType, ResourceName, ResourceId

Once the query to identify non-compliant VMs is established, create alert rules within Azure Monitor based on these queries. These rules will trigger alerts when VMs are found to be missing from the update configuration.

Specify the criteria for triggering alerts, such as the number of consecutive times a VM is identified as non-compliant or the severity level of the compliance issue.

Finally

At this stage, you will have to integrate notification systems by configuring the alert rules to integrate with notification systems such as email, SMS, or Azure Monitor Action Groups. This ensures that administrators are promptly notified when VMs are found to be missing from the update configuration.

By following these steps, you can establish a robust system for monitoring and managing the update configuration of VMs within your Azure environment, ensuring compliance with security standards and minimizing potential vulnerabilities.

References

Source: Conversation with Bing, Accessed. 5/10/2024

Managing VM updates with Maintenance Configurations.

Query Azure Automation Update Management logs.

Troubleshoot Azure Automation Update Management issues.

Microsoft Azure – Patch Management Update Summary Status.

How to create alerts for Update Management

Accept Answer

I hope this is helpful! Do not hesitate to let me know if you have any other questions.

** Please don't forget to close up the thread here by upvoting and accept it as an answer if it is helpful ** so that others in the community facing similar issues can easily find the solution.

Best Regards,Sina

NOTE: I will check all the comments and revert. Thank you
Please sign in to rate this answer.
Varma 1,190 Reputation points

2024-05-10T13:43:31.4133333+00:00

HI Sina,

Thank you for sharing the information:

Could you please clarify my following 4 follow up questions

Azure Monitor's Log Analytics feature

1,

Is below query you have shared log analytics querty?

Heartbeat

| where TimeGenerated > ago(1d) // Adjust time window as needed

| where Type == "Heartbeat"

| where Computer notin (

Heartbeat | where TimeGenerated > ago(1d) | where Type == "Heartbeat" | where UpdateState == "Compliant" | distinct Computer

)

| project Computer, UpdateState, OSType, ResourceGroup, SubscriptionId, ResourceType, ResourceName, ResourceId

2.

Does this updatestatus == "Compliant" or "non-compliant" which one I should give in query

3.

Suppose if it shows non compliant VMs then can I assume that machine is not part of mainteance configuration?

4.

Could you please suggest on seqence of high level of steps creating alert rule once VM is identified after above query is executed? do I need to use any feature?

Sina Salam 3,901 Reputation points

2024-05-10T15:20:50.15+00:00

Hi Varma,

Thank you for your feedback.

Your question 1:

Is below query you have shared is a log analytics querry?

NO/YES. The query is Kusto Query Language (KQL) is a language used to query data, Log Analytics is a tool that allows you to run these queries and analyze the results. The fact is that Log Analytics uses KQL as its query language.

Your question 2:

Does this updatestatus == "Compliant" or "non-compliant" which one I should give in query

In your case, you are looking for Virtual Machines that is not part of maintenance configuration or that does not get last update. So, you will use "non-compliant".

Your question 3:

Suppose if it shows non-compliant VMs then can I assume that machine is not part of maintenance configuration?

Exactly. Any system that listed mean they are not part of maintenance configuration.

Your question 4:

Could you please suggest on sequence of high-level steps for creating alert rule once VM is identified after above query is executed? do I need to use any feature?

As you've seen above the highlighted:

In the Azure portal, navigate to Monitor.

In the left-hand menu, click on Alerts.

Click on New alert rule.

Under Scope, select the subscription and resource where your Log Analytics workspace is located.

Under Condition, click on Add. Select Custom log search.

In the Search query box, paste your KQL query.

Define the alert logic and threshold values.

Under Alert details, give your alert rule a name and severity level.

Under Actions, define the action group and actions to be taken when the alert is triggered.

Click on Create alert rule.

These rules will trigger alerts when VMs are found to be missing from the update configuration.

Best Regards,

Sina

Varma 1,190 Reputation points

2024-05-12T16:35:56.0166667+00:00

Hi Sina,

As per your suggestion I have added the column updatestatus in the hearbeat table in the existing log analytics. Please find below screenshot

however I have tried to execute the query but still it is not recognizing.

Also could you please clarify how we can bring "UpdateStatus" in to log analytic workspace?

I have tested just executing the command "HeartBeat" but it does not have column name "updatestatus", But i had to add custom column which you have noticed above. and JFYI: Heartbeat is generated using Data collection rule.

Just checking , is there any possibility that placing maintenance configuration under alert scope , I tried this, but I would like to know when VM is not there how this scope would helpful?

Sina Salam 3,901 Reputation points

2024-05-12T21:31:12.25+00:00

Hi Varma,

As I have explained to you, in the private chat, take your time and examine what you are doing:

The column you created is not what your code query. UpdateStatus is not thesame as UpdateStatus_CF

Then, UpdateStatus == non-compliant should not be compliant.

Add rule to set maintenance configuration under alert scope.

In Log Analytics, you can configure data collection for various Azure resources, including virtual machines, databases, web apps, etc. You can specify which resource groups' resources you want to monitor.

When you set up Log Analytics, you associate it with a workspace. While configuring data collection, you specify the scope within that workspace, which can include specific resource groups.

I have explained all the process for you here and in the private chat. Please, follow diligently.

If this is a production environment, I will advise you contact azure support from your Azure portal.

Eric 0 Reputation points

2024-05-13T07:09:43.6333333+00:00

Hello Sina,

Thank you for providing the insight on this,I’m in search of the same answer.

It appears to be connected to the Automation account - update management, as previously suggested. You’ve confirmed that “Alerts can be set up in Azure to notify when a virtual machine (VM) is not included in the maintenance configuration of Azure Update Manager.” I’m interested in understanding how this integrates with the LOG search Alert.The statement you confirmed earlier, “Alerts can be set up in Azure to notify when a virtual machine (VM) is not included in the maintenance configuration of Azure Update Manager,” seems to apply to the Automation Account - update management. When it comes to Azure Update Manager, we don’t need an Agent, and the Heartbeat query along with the Update status only becomes relevant when we use the configuration image below. Please correct me if my understanding is incorrect.

And the updatestatus == "Compliant" or "non-compliant" which also comes from the Automation account - Update management. Below is the reference image:

In the azure Update manager, I didn't find anywhere the Updatestatus == "Compliant" or "non-compliant".

The query you’ve shared seems to be associated with the Log Analytics workspace scope, which should include both the Heartbeat log and Updatestatus. I’m suspecting that this might not be achievable through Azure Update Manager.

However, my ultimate objective is this: If it’s not added, I want to receive an alert indicating that the VM hasn’t added to maintenance configuration in Azure Update Manager. Is this feasible? I would greatly appreciate any insights on this.

Thanks in advance,
Eric

Sina Salam 3,901 Reputation points

2024-05-13T12:20:52.06+00:00

Hi Eric,

Good to read your feedback. Like you're on the right track with your understanding and you've mentioned four pints of discussions. However, let me clarify a few points you mentioned:

Azure Update Manager vs. Azure Automation Account.

Integration with Log Analytics.

Update Status.

Feasibility of Alerting

The below highlights will give more clarifications and reason you might need to do some of these configurations as listed. In my DevOps support, I have done this and i knew it's possible, it might be so difficult because of available. I would have record all these for you. Many people were having this same challenges.

To the points:

Azure Update Manager vs. Azure Automation Account - Update Management: Azure Update Manager is a service in Azure that helps you manage updates and patches for virtual machines, whereas Azure Automation Account - Update Management is a feature within Azure Automation that provides similar functionality but with more automation capabilities.

Integration with Log Analytics: Azure Update Manager does indeed integrate with Log Analytics to provide insights into update compliance and other VM-related data. The Log Analytics workspace collects telemetry data, including heartbeat logs, which can be queried to identify VMs that are not compliant with update policies.

Update Status: You're correct that in the context of Azure Update Manager, the terms "Compliant" and "Non-compliant" are not explicitly used. Instead, Azure Update Manager assesses the update status of VMs based on the update deployments you've configured. However, in Log Analytics queries, you can use different criteria to determine update compliance, such as whether a VM has reported its update status within a specified timeframe.

Feasibility of Alerting: While Azure Update Manager doesn’t directly offer a way to set alerts for VMs not included in the maintenance configuration, you can achieve this by leveraging Log Analytics queries and Azure Monitor alert rules. Use queries similar to the one you provided to identify VMs that haven’t reported their update status or are explicitly excluded. Then, create alert rules based on these queries to trigger alerts when such VMs are detected.

The above are the facts about what you've mentioned and what you would need to do. So therefore, for your last question:

I want to receive an alert indicating that the VM hasn’t added to maintenance configuration in Azure Update Manager. Is this feasible?

Yes, it’s feasible! Although Azure Update Manager does not have built-in functionality for alerting on VMs not included in the maintenance configuration, as practices you can achieve this by integrating Azure Update Manager with Log Analytics and Azure Monitor to monitor VM update compliance and trigger alerts accordingly.

Regards,

Sina

Eric 0 Reputation points

2024-05-13T12:43:05.32+00:00

Hi Sina, Thank you for your insights on this. 1. Want to understand are you suggesting as to integrate log analytics workspace with VM level or Azure Update Manager?. 2.if yes, How can this be achieved with integration with log analytics workspace?. Please share any screenshot or any test which helps us to understand how this intergation can be done. 3. If VM is added Integrated with log analytics workspace we get only the Heartbeat, but when comes the Maintenance configuration when an VM added or not how to combine this log with heartbeat, and wanted to know log structure of when an new VM added to maintenance configuration.

Sina Salam 3,901 Reputation points

2024-05-13T13:56:11.09+00:00

Hi Eric,

Thanks for the feedback.

Your question 1

Want to understand are you suggesting as to integrate log analytics workspace with VM level or Azure Update Manager?

Shows, you haven't understood the process or importance of VM Level or Azure Update Manager Level and what you will configure.

Without the understanding of question one, my choice might not be relevant to answer question 2.

So, clarify and answer base on the below:

1. Integration of Log Analytics workspace at the VM Level:

When you integrate Log Analytics workspace at the VM level, you’re indeed primarily collecting telemetry data directly from each virtual machine. This approach allows you to monitor the health and performance of individual VMs, including metrics such as CPU usage, memory usage, disk performance, and more. You can also collect specific logs and events from each VM, providing detailed insights into VM-level activities and issues. This level of integration is beneficial for troubleshooting and monitoring the performance of individual VMs, regardless of whether they are managed by Azure Update Manager or not.

2. Integration of Log Analytics workspace with Azure Update Manager:

Integrating Log Analytics workspace with Azure Update Manager does allow you to collect telemetry data related to update compliance from all the VMs managed by Azure Update Manager. This approach enables you to monitor the update compliance status of VMs across your entire Azure environment from a centralized location. You can use Log Analytics queries to analyze update compliance data, identify VMs that require updates, track update deployment progress, and generate reports. This level of integration is particularly useful for managing and monitoring the patching and update process of VMs at scale, especially in large environments with numerous VMs.

You can use any of the two but read the above and let me know what you want?
Sign in to comment