Monitor/alert after automatic updates

Question

Hello,

we have some azure VMs, which receive automatic OS updates. These are monitored via simple alert rules like:

AzureDiagnostics
| where ResourceProvider == "MICROSOFT.AUTOMATION" and Category == "JobStreams" and StreamType_s == "Error"
| project TimeGenerated , RunbookName_s , StreamType_s , _ResourceId , ResultDescription , JobId_g

or

AzureDiagnostics
| where ResourceProvider == "MICROSOFT.AUTOMATION" and Category == "JobLogs" and (ResultType == "Failed" or ResultType == "Stopped" or ResultType == "Suspended") and datetime_diff('day',now(),TimeGenerated) <= 1

Now we also want to monitor succesful automatic updates. If possible with some additional informations (like how many updates have been installed).

A query like

AzureDiagnostics
| where ResourceProvider == "MICROSOFT.AUTOMATION" and Category == "JobLogs" and ResultType == "Completed"

only gives me the information, when the job completed.

UpdateRunProgress
| where SubscriptionId == "xxx" and InstallationStatus == 'Succeeded'

gives me good information but also gave me different information for the last succesful run on sunday (there were 3 updates installed, but I get 5 sucessful results with the query).

Is there a better way to get an alert for the update runs?

Answer 1

@Feedos Welcome to Microsoft Q & A Community Forum. Update Management collects records for Windows and Linux VMs and the data types that appear in log search results. You can get information of the updates from logs stored in the different tables. Below are the tables where Update Management stores the data.

• RequiredUpdate: Table has information of which updates required by a machine.
• Update : represents updates available and their installation status for a machine.
• UpdateAgent : provides details of the update agent on the machine.
• UpdateRunProgress : provides update deployment status of a scheduled deployment by machine
• **UpdateSummary :**provides update summary by machine.

You can query these tables to get the required information and set up a log alert query on the same. For example to get the missing update list of the machines, you can use below query.

Update  
| where TimeGenerated>ago(14h) and OSType!="Linux" and (Optional==false or Classification has "Critical" or Classification has "Security") and VMUUID=~"8bf1ccc6-b6d3-4a0b-a643-23f346dfdf82"  
| summarize hint.strategy=partitioned arg_max(TimeGenerated, UpdateState, Classification, Title, KBID, PublishedDate, Approved) by Computer, SourceComputerId, UpdateID  
| where UpdateState=~"Needed" and Approved!=false  
| project-away UpdateState, Approved, TimeGenerated  
| summarize computersCount=dcount(SourceComputerId, 2), displayName=any(Title), publishedDate=min(PublishedDate), ClassificationWeight=max(iff(Classification has "Critical", 4, iff(Classification has "Security", 2, 1))) by id=strcat(UpdateID, "_", KBID), classification=Classification, InformationId=strcat("KB", KBID), InformationUrl=iff(isnotempty(KBID), strcat("https://support.microsoft.com/kb/", KBID), ""), osType=2  
| sort by ClassificationWeight desc, computersCount desc, displayName asc  
| extend informationLink=(iff(isnotempty(InformationId) and isnotempty(InformationUrl), toobject(strcat('{ "uri": "', InformationUrl, '", "text": "', InformationId, '", "target": "blank" }')), toobject('')))  
| project-away ClassificationWeight, InformationId, InformationUrl  

For more information on Update Management Tables and sample queries, do check this document. and to create a log alert check this document.